Re:Social Firewalls and knowing the enemy (on Database Nation; Score: 1)
Naturally. Actually, I ended up with three and only swiped for one, at the Compaq booth, and also lied terribly. They did get my real name and email, unfortunately.
But I learned this time. Next time, it'll be under some nym.
Social Firewalls and knowing the enemy (on Database Nation; Score: 4)
How do we maintain our privacy? It's a bitch. Some of it is impossible. But you can help.
First, be cognizant of what information is available how. In Texas, anyone with your driver's license number and city can find out if you have warrants out for your arrest, your full legal name including middle initial or name, and your true birthdate. True story--call up the local muni court and go through the phone system.
Anyone with a bit of money can get the full scoop on you via credit reports. Many academic institutions have access to Lexis-Nexis, which has a huge wealth of data on tax and property records, all digitized and searchable.
Oh, but it gets more fun. Ever ordered pizza? Hell, what was the first thing you did when you moved into your new apartment? Did they ask you for your phone number? Guess what, that's recorded not only in their database, but in a nationwide database used for direct mail marketing and keeping an updated record on where you live (better than your local white pages, I might point out).
So, what do you do?
As much as you can, fight against these. Don't give out information like your SSN (by law, no one can force you to use your SSN as an identifier!!), DL number, birthdate, phone number, etc.
Online, set up social firewalls between the real you and the rest of the world. Use pseudonyms. Use fully developed alternate personae to packet-drop spam (what else is hotmail good for??) Explore sites as one of your throwaway personae, check their privacy policies, check (not that it means anything anymore) on their Truste stamp if they have one. Check with the BBB online. After you're OK with them, then go in and use a real persona.
At RSA, there was a great speech by Stewart Baker, a lawyer at Steptoe & Johnson. He asked the crowd if they valued their privacy; of course, we responded, yes! He asked how /much/ did we value our privacy; we gave varying answers, "a lot!", etc. (Zero-Knowledge's Ian Goldberg was in the audience, as a side note). He then held up a bouncy-ball with LEDs that flashed when it hit something (THE toy to have from the expo) and asked how many of us had one of these (most of the audience raised their hands). He pointed out that our privacy was worth less to us than these flashing balls, because we'd all of course swiped our ID cards to get 'em.
Be aware--that's your best bet. Know what pieces of data are important and key to finding out more, and be miserly with them.
There are a few companies offering various solutions; a handful escrow the private key for decryption centrally and rent it out for people wishing to read it, and then (claim to) hard-delete it after x amount of time.
I'd presume the keys are backed up, however...
Then there's a few that offer one-shot sends (can't reply to these) that delete all traces of the message from their servers.... just not from the recipient's machine...
The best solution is to take the advice of the article. Use harshly separated accounts, do what you can to (hard)delete files regularly, etc.
I'd recommend setting up an alternate personality or three that you access only via anonymous proxy(s) that offer encryption (hushmail, ynnmail, the various anonymous remailers). Use the PGP plugin's secureviewer if you're truly paranoid to defend against Tempest attacks... and for chrissakes, clear out your cookies, temporary internet files, and temp dirs regularly and do an 11-time rewrite of the emptied space.
Does anyone else remember when libraries were the only place in town with an Internet connection? When the fount of enlightenment and information.
And now we're going to blanket-install filtering software and have AOL-level fiascoes, filtering breast cancer support groups and who knows what else??
What about a two-tier system compromise; filtered computers for minors, full-access for everyone else, with the ability to get full access for everyone with a permission slip or somesuch.
Upon reading the posts on the binary part of the crypto component, I believe (IANAL!!) that Mozilla still does the same thing, send a link to the source to the BXA, and provided that whatever binary they're calling has been approved for export, all is well in the world.
heh. The defcon (www.defcon.org) mailing list is having a day where everyone encrypts their mail today. Some of the listmembers are including a perl implementation of RSA and cc:ing to BXA just like you describe.
Well, that's not strictly true. No export to the T-7 (the 7 state supporters of terrorism; Iran, Iraq, etc.), and the code has to be fwd'd to BXA:
(B) For post-export reports and certification letters, you may submit them electronically to crypt@bxa.doc.gov (suggested file formats include spreadsheets, tabular text or structured text), or to the Department of Commerce, Bureau of Export Administration, Office of Strategic Trade and Foreign Policy Controls, 14th Street and Pennsylvania Avenue, N.W., Room 2705, Washington, DC 20230, Attn: Encryption Reports. A copy must also be mailed to Attn: ENC Encryption Request Coordinator, 9800 Savage Road, Suite 6131, Ft. Meade, MD 20755-6000.
Despite their lacking business model, and the problems of creating a Linux frontend that anyone's Mom (excepting Dilbert's) could use without maybe interpreting Windows-keypresses as pipe functions, they get points in my book. On their front page, they say they're hiring hackers. And they mean CODE-hackers, not security experts, not white-hats, but honest-to-god, code-monkey hacks. What a concept.
If $$$ and InternetStartupdom is your #1 priority, then the 60hrs/week is part of that. If not, resist it. I started at a startup last May, and soon was getting pulled into the 'need to finish things up over the weekend' / 'could you do this VPN'ed in at home tonight?' etc.
My quality of work took a nose dive. The CEO recognized this immediately, and we talked about it. I work 40-42 hours a week.
My strength comes from my doing other things with the other hours of my life, whether it be getting Linux talking to the VooDoo card, going out swing or salsa dancing, jamming on the jew's harp, etc. etc. etc. If I don't have time for these activities, Bad Things happen.
I know my priorities in life. My CEO knows my priorities in life. And I still get raises. Don't be afraid to stand up for your free time and time that is disconnected from the office. If you are afraid, well, it's a good job market out there...
...to put the 'secret message' in the HTML source? Was this for marketing, or just because it seemed like a nifty idea? Did you copy or were copied by Transmeta.com?
...that the DDoS tools that exist have makefiles for two OSes, and two OSes only. That's right, Solaris and Linux.
Though according to this in-depth review (http://staff.washington.edu/dittrich/misc/stacheldraht.analysis), the linux version is not reliable, and stacheldraht has only been found in the wild on Solaris.
Does this mean that winxx machines are not vulnerable? No, just not used in this case. Just wait until some non-kiddie ports this into windows and watch UUNet go /all/ the way down with the addition of all the windows boxen.
The tools for detection, and your explanations of the clients are great, but could the community get a chance to see some of the logfiles of the floods? You want this fixed real fast, post a few of those and let the brainpower of all the whitehat hackers loose on the problem.
Um. There was no community before yahoo? What? Yahoo made the web synonymous with the Internet? Well, for the folks who weren't around before. Most of my best net acquaintances and experiences happened outside of the Web; they happened in old telnet and dialin BBSes, MUDs/MOOs/etc., IRC, or just people talk-ing and ytalk-ing on the local unix machines. Communities exist in USENet, listservs, and all other more interactive areas.
Great, so the web made connectivity popular and faster. Fine. Wonderful. Yahoo was instrumental. Fine. Wonderful. They have a nice, no-frills interface compared to most other portal sites. (Which is why I rarely use portals, but hey.)
But Yahoo did NOT begin communities online. Maybe you haven't been around long enough to know what a shell account is, or to remember what connecting from home was like without your very own TCP/IP stack. Maybe you were never good friends of Veronica, Archie, or Eric.
That the Internet is so handy and ubiquitous is a great thing. But the original point of the poster was that the Internet is still, despite pressure against it, a place where all soapboxes can be equal.
That being said, I'd rather these newfound DDoSes be used for good rather than hitting high-profile sites (whatever happened to hacktivism?), but even this will possibly spawn increased security awareness. L0pht claimed they could take the 'net down in 30 minutes. Most of us believed 'em; now maybe the rest of the world will figure out that this is indeed possible and not limited to the exclusive knowledge of the l0pht crew.
We should bring both the Obfuscated Code and the Perl Poetry contests up in the DVD CCA cases as proof that coding is a form of expression of skill (obfuscated code) and of thoughts, much like language (perl poetry).
...its value as an entertainment 'device' increases. Just wait until www.goodvibes.com cobrands a version. Or maybe the owner of the patent to force-sensitive, sound-playing condoms will integrate this technology into his next patent...
...because this technology isn't confined to Russian citizens. If your email bounces through a russian ISP on its way to Japan or China or whatnot, guess what happens to it?
I think it's time to add some Russian to my X-Jam-Echelon email header...
On a side note, my 4096 public key is in the /. server. Use It.
As I understand it, beam-it reads your cd and sends an A-ok message to my.mp3.com saying that you have the ability and fair-use right to listen to said CD.
Now, unless they're doing some good encryption inside the client, couldn't one just sniff one's local cablemodem neighborhood for connections going to the beam-it IP range and capture those packets, then send them out from your machine after a bit of modification and get rights to any CD your neighbors have rights to?
Now, don't get me wrong--I'm all for a very powerful interpretation of what is fair use and what isn't; but MP3.com should take reasonable precautions.
Side-note. What if, for every collection of unlicensed MP3s you downloaded by a particular artist, you send that artist a check for $10 directly, not through the record company.
"Are you beginning to see the possibilities?" (Strange Days)
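The beam-it comment above reasons about a replay attack: if the client's "A-ok" message is a fixed blob, whoever captures it can resend it and inherit the sender's rights. The following is an added example, not code from the original post or from MP3.com, that simulates the weak design next to a hardened one. Everything in it is constructed: the CD "fingerprint" is a hypothetical stand-in for whatever the real client derived from the disc, and both protocols are mine, not the real beam-it protocol.

```python
import hashlib
import hmac
import secrets

# Constructed secret standing in for whatever a client derives from a CD.
CD_FINGERPRINT = b"constructed-cd-fingerprint-0001"


class StaticTokenServer:
    """Weak variant: a client proves CD possession by sending a fixed token.
    The token is the same every time, so any captured copy replays cleanly."""

    def __init__(self, fingerprint: bytes) -> None:
        self.token = hashlib.sha256(fingerprint).hexdigest()
        self.granted: list[str] = []

    def verify(self, client_id: str, token: str) -> bool:
        ok = hmac.compare_digest(token, self.token)
        if ok:
            self.granted.append(client_id)
        return ok


def static_client_message(fingerprint: bytes) -> str:
    """What a legitimate (weak-protocol) client puts on the wire."""
    return hashlib.sha256(fingerprint).hexdigest()


class ChallengeResponseServer:
    """Hardened variant: the server hands out a random single-use nonce and the
    client answers with HMAC(fingerprint, nonce || client_id). A captured answer
    is bound to one nonce and one account, and the nonce dies on first use."""

    def __init__(self, fingerprint: bytes) -> None:
        self.fingerprint = fingerprint
        self.outstanding: dict[bytes, str] = {}  # nonce -> client it was issued to
        self.granted: list[str] = []

    def challenge(self, client_id: str) -> bytes:
        nonce = secrets.token_bytes(16)
        self.outstanding[nonce] = client_id
        return nonce

    def verify(self, client_id: str, nonce: bytes, response: bytes) -> bool:
        # pop() consumes the nonce whether or not the check passes, so a nonce
        # is never accepted twice; a mismatched client_id means someone is
        # forwarding an answer that was issued to a different account.
        if self.outstanding.pop(nonce, None) != client_id:
            return False
        expected = hmac.new(self.fingerprint, nonce + client_id.encode(),
                            hashlib.sha256).digest()
        ok = hmac.compare_digest(expected, response)
        if ok:
            self.granted.append(client_id)
        return ok


def challenge_response(fingerprint: bytes, nonce: bytes, client_id: str) -> bytes:
    """What a legitimate (hardened-protocol) client sends back."""
    return hmac.new(fingerprint, nonce + client_id.encode(), hashlib.sha256).digest()


def run_static_scenario() -> tuple[bool, bool]:
    """Neighbour authenticates; eavesdropper resends the identical bytes."""
    server = StaticTokenServer(CD_FINGERPRINT)
    captured = static_client_message(CD_FINGERPRINT)
    neighbour_ok = server.verify("neighbour", captured)
    replay_ok = server.verify("eavesdropper", captured)
    return neighbour_ok, replay_ok


def run_challenge_scenario() -> tuple[bool, bool, bool]:
    """Same story against the challenge-response server."""
    server = ChallengeResponseServer(CD_FINGERPRINT)
    nonce = server.challenge("neighbour")
    response = challenge_response(CD_FINGERPRINT, nonce, "neighbour")
    neighbour_ok = server.verify("neighbour", nonce, response)
    # Eavesdropper captured (nonce, response) and resends it under its own name...
    replay_as_self = server.verify("eavesdropper", nonce, response)
    # ...and then under the neighbour's name; the nonce is already consumed.
    replay_as_neighbour = server.verify("neighbour", nonce, response)
    return neighbour_ok, replay_as_self, replay_as_neighbour


if __name__ == "__main__":
    print("static token   (neighbour, replay):", run_static_scenario())
    print("challenge/resp (neighbour, replay as self, replay as neighbour):",
          run_challenge_scenario())
```

The point of the hardened variant is not secrecy of the wire (an eavesdropper still sees everything) but that nothing captured is reusable: the answer only ever unlocks the account it was issued to, and only once. Transport encryption between client and server, which the comment also suggests, is the complementary fix that hides the fingerprint-derived material from the cable segment in the first place.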
Code most certainly IS a form of expression, as evidenced by both the existence of perl poetry and the infamous Obfuscated C Code Contest! If it's not a form of expression, then why are people expressing their artistic (or simply masochistic) sides using it? Not to mention the terms in use like 'elegant' code...
Do we get the super-powerful keyword-to-marketing engine that AV runs with our favorite doubleclick? Or is it a plug-in? Can we plug in the slash ad code (when it gets released? ;)
Seriously, tho, I'll believe this has happened when I have code in hand running on my intranet, without co-branding or marketing.
http://www.bxa.doc.gov/Encryption/licchart.htm

Product                                            | Previous Licensing Mechanism | Update99 Licensing Mechanism | Technical Review | Reporting
Source Code (publicly available, unrestricted)     | IL/ELA                       | TSU                          | No (notes 3, 4)  | No
Source Code (publicly available with restrictions) | IL/ELA                       | ENC                          | No (notes 3, 4)  | Yes

Notes:
3. No review of foreign product(s)
4. BXA Notification at time of export is required
X-Files has become a parody of itself. Hadn't you noticed? The COPS episode was hilarious. The FPS episode likewise. They're comedy episodes. Deal.
check out www.defcon.org, it's a computer underground conference held yearly in Las Vegas.
http://www.sarahandcasey.com/decss/cssstory.txt
Is the entire css auth code in, well, story form. It's hilarious.
CmdrTaco : Every winter, he emerges and looks in his inbox, and if he sees harassing "give us the slash code" messages, he returns to his hole and does not release the slash code for another 6 weeks
Hemos : A hamster
JonKatz : Producer of social commentary and rant. See Signal/Noise ratio.
Karma : black magic performed by the slash code that follows the rule "what goes up must come down."
Troll : A vile creature that lives in the depths of -1 moderation
Natalie Portman : Favorite topic of trolls.
Check out http://www.avr.org/teams/unitboy/ for further information on how these guys pulled it off.
I was working hard last year to find some of these style bots, as I was writing my thesis on communication over the Internet and also a hyperfiction in which all the characters are essentially bots.
Oh, and a hilariously funny link from that research is MGonz which not only fooled a human, but made the human confess some wonderful things.