I'm sorry, but why do you feel you should post if you can't be bothered to read TFA? And why do you then go on to say it's not as scary as the headline suggests when you don't know what the article is about?
From TFA:
"He then created a cloned card, and with help from another technology expert, changed all the data on the new card. This included the physical details of the bearer, name, fingerprints and other information.
He then rewrote data on the card, reversing the bearer's status from "not entitled to benefits" to "entitled to benefits".
He then added fresh content that would be visible to any police officer or security official who scanned the card, saying, "I am a terrorist - shoot on sight.""
Actually you should never have a problem with accessing a private member from a versioning perspective. It will still be there provided installation is done the correct way. This is because .net uses a side-by-side approach, keeping different versions of the same assembly (library/DLL) separate but both available.
At the time you build your own assembly it is "bound" to the version of the assembly it references. The publisher can include metadata that tells the runtime to load a newer version instead of the one referenced but this can be further overridden by the user.
Re:This just smacks of "Active Desktop" on Eyes on Karamba · Score: 2, Informative
C'mon, it's just a web page, you can put anything you want on your desktop using Active Desktop, if you can't find it you can always write your own stuff.
Want the latest slashdot headlines? Use ECMAScript and MSXML to pull down any RSS feed and render it (I've been doing this for 2 years).
Want useless stats about your computer (disk space, CPU usage, memory)? Use scripting (FileSystemObject etc) or use COM to read from Perfmon, using COM in script is insanely easy.
Wanna check your POP/IMAP mail? Again use COM from scripting.
Since it's a webpage you can embed any content you like in ways of graphics and text, even Java applets or Flash. And you can use any scripting language that the browser supports (granted it's a little limited by default).
The only bad thing about Active Desktop is that it was launched and promoted as something far less than it is.
This does have further implications than simply breaking encryption though, consider that much of PKI relies on the same problem (the difficulty of factoring large numbers).
I did a quick check and at least Amazon, eBay and Yahoo all use 1024 bit RSA certificates, by turning my machine to crack those I could impersonate any of those. I also checked the root certificate of Verisign installed in my browser and found it was also a 1024 bit RSA certificate (well 1000 bits actually). Meaning I could be printing valid certificates for anyone, looking like they came from the real deal.
There is a lot hanging on the difficulty of factoring large numbers.
For Windows there is an excellent GUI called TortoiseCVS. It integrates with Explorer by overlaying icons on the files in the sandbox with own small icons indicating modified files, files with a conflict etc. You can perform all the important functions by simple context-menu commands on the directory, single- or multiple files.
This program is really the reason I started using CVS, it removed all the unnecessary cruft that is in WinCVS for example.
There is a move to make a TCVS like client for Subversion but I don't know at what stage it is at the moment.
Still, as far as I know Trillian does nothing to prevent a man-in-the-middle attack (no certificates, no way of knowing 'who' you're talking to).
The attack is especially easily performed in this situation when your employer has complete control of all gateways through which all your packages have to pass. (Assuming it is external clients you would be divulging their secrets to)
I see from their site that they are working on "More features and greater security enhancements" to come "soon", but at this moment I wouldn't trust the security of SecureIM too much.
Why do the people who wrote the interactive map applet on the site think that they need Full Permissions on my JVM? What file IO can they possibly need to do for example. Is it really that difficult to write the manifest to only request the permissions you really need?
And why is it broadcasting UDP packets to 255.255.255.255 according to Tiny Personal Firewall? Is there something I don't realise about this or is the applet just doing funny stuff?
The impracticality of it comes simply from the fact that you have to store your pads somewhere.
Assuming that we have a face to face meeting where agents can exchange any amount of information they need, in the one-time pad case maybe it is 6 months worth of pads on a disk (or a wad of papers, it really doesn't matter), in the other case it's probably agreeing on an algorithm and a password/passphrase. Practicality is the size of the information that you need to protect. Let's also assume that information is mostly coming to you and not as much from you ('attack such and such at dawn', 'Abdul is an FBI spy do not trust him', 'meet with agent at such and such for explosives' ...), let's also assume they are smart enough to keep communication at a minimum, thus they use no chatty "I'm still here" protocols.
The FBI comes through the plumbing in your bathtub while you are having a bath. They search your house and soon enough they find your pads and know you're up to something. They now read all your mail/email etc and are able to read the information coming in. If you agreed to physical drops or some other ciphertext carrier your future communication would still be safe, however it would also be that in the other case so on that front it's a possible draw.
Now had you chosen the algorithmic method they would find nothing even suggesting that you were engaged in secret communication since you can keep all of it in your head ("RC4", "thisisthetopsecretpassphrasethatihavetorememberto communicate"). You can't memorise 6 months of one-time pads, you have to store them somewhere.
Benefits come from the fact that there is less information to manage. The benefit of locking things in safes is that you don't have to carry all of it around, just the key.
Imagine for example that you only thought the FBI was at the door and you already ate the 6 month supply of pads, now what do you do? You can't suddenly go to Afghanistan to meet at the cameldung fire again, what would you tell your boss at airport security? Unless you were hit by a car and suffered total long term memory loss you could still communicate if you were using an algorithm approach.
As for relative security of various algorithms, let's take my favourite in this situation, RC4. It was invented in 1987 and has been around since, there are still (almost 15 years later) no published successful attacks against it (sure there might possibly be unpublished such but I doubt it). It is so incredibly simple you can not only memorise the algorithm with little trouble but if you really wanted to you could run it with pen and paper too. Now RC4 works with key sizes up to 256bits (256bit keys are, to quote Bruce Schneier, "[...] brute-force attacks against 256bit keys will be infeasible until computers are built from something else than matter and occupy something else than space"). This leaves us with attacks against the algorithm which is quite possible however, stream cipher analysis is comparatively straightforward and yet nothing has shown that it is vulnerable. I would certainly think that your 6 month supply of pads is the easier target of the two.
... in the late 40's. Point is that it was a practical technique in a real-world situation then, and remains so today.
You have still not convinced me on this point. Sure it was a practical technique for governments and high-level military then. But it is hardly practical in the field, neither now nor then.
There's a higher risk for the agent in OTP, but less risk for the data, so it just comes down to relative value
Exactly how is there a higher risk for the data? If you choose a commonly accepted secure algorithm and a long enough random key your data is safe, except from quantum computers (which still remain theoretical for all practical purposes). In fact I previously explained how the data was more secure.
Excuse me? My mother was a code clerk for DoS. One-time pads were used daily, and quite effectively, thank you very much.
You don't mention how long this "was" was but I'm assuming it was not during the time when you could go into any consumer electronics store and buy a graphical calculator (quite innocent if you're studying for a pilot's certificate) for $50 that will happily do both symmetric and public-key crypto in a jiffy.
If a terrorist's belongings are searched in detail, he's already blown, so write him off and move on.
This is not necessarily so if he doesn't have a notepad of one-time pads and scribblings of an encoding in progress laying around in his apartment. And as we've seen modern terrorists don't have to stock up on explosives and weapons to do great damage.
An equipped terrorist would simply need to memorize his password and keep an implementation of a simple but secure symmetric algorithm in his calculator (which could be wiped by removing the batteries for a second), or if he was really paranoid simply memorise the algorithm (something like RC4 is extremely simple, yet secure against all attacks thrown against it so far) after each use. There would be nothing on his person or in his surroundings giving signs that he is involved in secret communication.
I do agree with you though that a one-time pad is by far the simplest pen-and-paper algorithm around and offers complete security of communication. But point still remains that it is inconvenient in a situation where you don't have stable secure facilities (like those of government agencies etc.), where the endpoints of communication need to be secured just as much as you need to secure the communication. Also we are not really dealing with illiterate farmboys here either so there is really no need to keep the encryption on a level that a four-year-old could handle.
Imagine for example the situation where a terrorist has been caught (or killed) but the sender does not yet know this. If the receiver has been using one-time pads and these are left behind, all subsequent communication is open to the anti-terrorists. Especially if there is no proper protocol of confirmation and authentication, an agent could pose as the terrorist to glean more information out of the sender without this realizing anything. Now had the terrorists used short memorizable passwords instead he would either have taken it to his grave or would simply refuse to give the password when interrogated (assuming now that the NSA really doesn't use torture or something similar) and the link would have been closed there.
I realise you might be a troll, but in case that is not so:
A one-time pad is only applicable in an extremely narrow range of situations. If you have a secure channel to transfer the one-time pad why bother with encryption in the first place? If you transfer the pad in advance, before you need to send a message, you practically end up with a codebook situation. That pad must somehow be secured like a codebook or it is useless.
One-time pads are a wonderful theoretical idea but one that is useless in most real world applications.
Before I start, I do not condone terrorism in any way or form. I am deeply sorry for what happened in NY and Washington, and think it is an outrage that people have so little apparent regard for human life.
Actually I think CNBC (european version) reported that Raytheon had headquarters at the top of WTC1.
As for the most of your other points, you are being seriously superficial in your thinking. I don't blame you for this though, but the sensationalist commercial news reporting that you've been subjected to all your life. Media that is so frightened of being boring its idea of an in-depth report is 15 minutes with two three minute breaks for commercials.
The Israeli-Palestinian conflict is far deeper than terrorist bombings. Israel invaded great parts of its neighbouring countries in wars, forcing hundreds of thousands to seek refuge in neighbouring countries. How do you condone the Israeli policy of killing alleged terrorists by destroying their homes (killing not only them but their families and who else happens to be there at the time), without trial or due process? One would think that what you hold self-evident (according to your constitution) in your own country you should hold so in others too.
Saddam is a psychotic despot, as long as there is food on his table, and medicine in his bathroom he is not going to care a dime about the sanctions. It is Saddam who is responsible for the people's suffering not the people themselves. They should not be punished for something a leader who rules by terror does.
There are usually two sides to every story, and always two sides to every conflict. Try to see them both even though it is hard at times.
Man-in-the-middle safe? on Secure IRC? · Score: 1
Secure key exchange and authentication protocol. SILC Key Exchange (SKE) protocol provides key material used in the SILC sessions in secure manner. The protocol is immune for example to man-in-the-middle attacks and is based on the Diffie-Hellman key exchange algorithm.
I wonder how they made Diffie-Hellman KEA safe from a man-in-the-middle attack, as I understand it this is extremely difficult and D-H doesn't help you a bit.
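The concern in the SecureIM comment earlier on this page and in the Diffie-Hellman comment above, as an added example that is not part of the original comments and is not SILC's or Trillian's code: plain D-H accepts whatever public value arrives, while signing the exchanged values with long-term keys known in advance lets each side detect a replaced value. The toy group, the Schnorr-style signature and every function name here are assumptions chosen for illustration.

```python
import hashlib
import secrets

# Toy group for illustration only (assumption): the Mersenne prime 2**127 - 1
# with base 3. Real deployments use vetted groups of 2048 bits or more.
P = 2**127 - 1
G = 3


def dh_keypair():
    """Return (private exponent x, public value g^x mod p)."""
    x = secrets.randbelow(P - 3) + 2
    return x, pow(G, x, P)


def dh_shared(private, peer_public):
    """Session key derived from our exponent and the peer value as received."""
    secret = pow(peer_public, private, P)
    return hashlib.sha256(secret.to_bytes(16, "big")).hexdigest()


def _challenge(r, message):
    data = r.to_bytes(16, "big") + message
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def sign(identity_private, message):
    """Schnorr-style signature (r, s) made with a long-term identity key."""
    k = secrets.randbelow(P - 3) + 2
    r = pow(G, k, P)
    s = (k + identity_private * _challenge(r, message)) % (P - 1)
    return r, s


def verify(identity_public, message, signature):
    """Check g^s == r * y^e (mod p) for the claimed signer's public key y."""
    r, s = signature
    e = _challenge(r, message)
    return pow(G, s, P) == (r * pow(identity_public, e, P)) % P


def transcript(first_pub, second_pub):
    return first_pub.to_bytes(16, "big") + second_pub.to_bytes(16, "big")


def plain_exchange(intermediary=None):
    """Unauthenticated D-H. `intermediary` is a (private, public) pair held by
    a party on the path that replaces both public values in transit."""
    a_priv, a_pub = dh_keypair()
    b_priv, b_pub = dh_keypair()
    if intermediary is None:
        return {"alice": dh_shared(a_priv, b_pub),
                "bob": dh_shared(b_priv, a_pub)}
    m_priv, m_pub = intermediary
    return {
        "alice": dh_shared(a_priv, m_pub),   # Alice believes this is Bob
        "bob": dh_shared(b_priv, m_pub),     # Bob believes this is Alice
        "intermediary_with_alice": dh_shared(m_priv, a_pub),
        "intermediary_with_bob": dh_shared(m_priv, b_pub),
    }


def signed_exchange(alice_id, bob_id, intermediary_pub=None):
    """D-H where each side signs (own value, peer value as received) with a
    long-term key whose public half the peer already knows. Signatures are
    forwarded unchanged; the path cannot forge them without those keys.
    Returns (alice_key, bob_key), or None if either side aborts."""
    a_priv, a_pub = dh_keypair()
    b_priv, b_pub = dh_keypair()
    bob_sees = a_pub if intermediary_pub is None else intermediary_pub
    alice_sees = b_pub if intermediary_pub is None else intermediary_pub
    bob_sig = sign(bob_id[0], transcript(b_pub, bob_sees))
    alice_sig = sign(alice_id[0], transcript(a_pub, alice_sees))
    # Each verifier rebuilds the transcript from what it actually saw.
    alice_ok = verify(bob_id[1], transcript(alice_sees, a_pub), bob_sig)
    bob_ok = verify(alice_id[1], transcript(bob_sees, b_pub), alice_sig)
    if not (alice_ok and bob_ok):
        return None
    return dh_shared(a_priv, alice_sees), dh_shared(b_priv, bob_sees)


if __name__ == "__main__":
    on_path = dh_keypair()
    plain = plain_exchange(intermediary=on_path)
    print("plain D-H, endpoints agree:", plain["alice"] == plain["bob"])
    alice_id, bob_id = dh_keypair(), dh_keypair()
    print("signed, honest path:", signed_exchange(alice_id, bob_id) is not None)
    print("signed, value replaced:",
          signed_exchange(alice_id, bob_id, on_path[1]) is not None)
```

The signed variant only moves the problem to how each side learned the other's long-term public key, which is the role certificates play.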
Whee, another relaying scheme. No seriously, I don't see why anyone would host potentially (more like probably) illegal connections for someone else. In the end someone has to pass the request to the destination server.
And the argument that - "If suspected of originating these requests, simply explain that you were participating in a crowd (regardless of whether you were or not!)" is hardly going to make any difference in a court, or against an ISP's terms of service agreement.
The internet is already ruled by a few big companies that sell connectivity to smaller providers. And unfortunately they have already showed their willingness to censor and govern who publishes what according to whatever whim they feel like at the moment.
Just look at what UUNet/Worldcom and KPNQwest did to Flashback.se (Slashdot's coverage, founder Jan Axelsson's coverage) and that was only because a Swedish politician made a few phone calls. I can imagine the RIAA has a few more and nastier tricks up their sleeves.
Apache, good as it may be, was hardly the first web server. Unix, as far as I can remember inherits frequently from other, proprietary OS:es. As for Mosaic see the previous discussion on it in this thread.
Sure you can destroy and create elements, shoot a couple of neutrons into uranium and eventually it will split into two lighter ones. Also, uranium and other yummy stuff is made all the time in stars.
My guess is that you're thinking about energy which really can't be created or destroyed, but that is another story completely.
What the hell kind of a unit is 'one-page emails per second' anyway? who cares, tell us in TV channels or something we can grasp thank-you-very-much-indeed.
Then again, I for one don't type massive amounts of text on my laptop, thus to me the slowness of handwriting is not a problem (just as long as the recognition software can keep up with my writing). The thought of getting rid of the silly clamshell design on laptops is very appealing though.
Speech recognition laptops - now there's an idea I wouldn't want corporate people to know about. Imagine spending 6 hours on a plane where every suit is talking to his laptop - at once - throughout the flight?
Come on! Humans have always affected their environment, and so have the poor, nearly extinct, African elephants. Neither we nor anyone else could live if we didn't affect and change our (and all other creatures) environment.
Conservation will get nowhere if we start plugging the safety valve.
- Right now there just isn't very much random WAP content available, so there is no point in a "goto URL" feature.
How can there be random content when there's simply no way of accessing it?
Personally I'd love to be able to do a script hack and try it out but I can't, not on a phone anyway.
WAP would benefit massively from a way for the average man to try out new ideas and solutions. In the time it takes phone operators to come up with one decent application, the public would have come up with a hundred, each more suited to their needs than the operators could ever think up.
Of course then they'd lose the leverage - such a shame.
Hum, look at the references section
6. http://www.kb.cert.org/vuls/id/192995
7. file://localhost/XDR.html#vendors
8. http://www.kb.cert.org/vuls/id/516825
localhost!? They're obviously already using the vulnerability to put files on my computer.
Then isn't this a measure more of the sysadmin than of the software or infrastructure? Mean time between failing to fend off scriptkiddies.
Oh come on there was nothing in his post saying he has a solution, even less the solution.
The whole "can't complain unless you have a better idea" reasoning is just silly.
If only things were that good
We're talking innovation not improvement here.
This is a little useless sentence to keep the clowns out.