Storing the key encrypted in a keyring and unlocking it with a passphrase is more common in public key cryptography, where the key must have certain properties (and is typically generated for you by a piece of software.)
For private key cryptography based on a block cypher, where absolutlely any set of 256 bits will serve as a valid key, it's more common to simply hash a passphrase and directly use that hashed value as the key itself. You can even use the block cypher mechanism itself as the hashing mechanism by encrypting your key as plaintext using a static well-known key, then XORing the resultant cypher blocks. The secrecy of the output is still dependent on the secrecy of the key. However, to be secure, the software must always treat the hashed key exactly as securely as it would treat the raw pass phrase itself.
If the authors of the software felt it necessary to tell the user when they entered a wrong passphrase, then the more secure way to do that would have been to encrypt a block of fixed text when the passphrase was entered, and save that encrypted data (and not the same fixed text as the passphrase hash fixed text!) Then, when the user enters their pass phrase, it would attempt to decrypt that block to arrive at the original fixed data. Yes, it's a perfect "crib" for cryptographers (a known plaintext attack is orders of magnitude easier than an unknown plaintext attack,) but at least it doesn't immediately reveal the key -- it only confirms when you've guessed the correct one.
Long ago, it was commonly used in news groups to mask dirty, racist, or otherwise offensive jokes, or to hide the answer to a riddle or something. The idea was that if it was nasty, you could give the person fair warning not to "decrypt" the message because they might not like the contents. The news readers I used to use had ROT-13 en/decryption built right in -- hit X and it ROT-13'd the message revealing the joke, and hit it again and it rotated it right back to the original text.
I also vaguely remember binding a ksh alias to rot13 that looked something like this:
rot13=tr A-MN-Za-mn-z N-ZA-Mn-za-m
so I could translate things from a shell, but that was a long time ago. I may have gotten it wrong.
I spent a little while analyzing the "CruzerLock" software that came with my Cruzer Mini USB drive. It appears to be using a 64 bit block cypher (perhaps DES) which pretty much rules out any of the more modern encryption algorithms.
Its biggest readily apparent weakness is that the encryption algorithm is running in ECB mode. If you have a file containing AAAAAAAAAAAAAAAAAAAAAAAA
it will encrypt to an 8-byte repeating block on the drive, like this: 123456781234567812345678
When I changed that to AAAAAAAAbbbbbbbbAAAAAAAA I saw the following encoding: 12345678abcdefgh12345678. That indicates Electronic Code Book. If I learn what your first block means, I know the third block means exactly the same data. (Please note that these are just example values with nice visual properties, and not the exact values I saw!)
Also, the encryption is the same from file to file. AAAAAAAA encoded in one file produces exactly the same results as AAAAAAAA encoded in another. So the IV for the encryption routine is fixed as well.
At least XORing blocks of encrypted binary nulls with two different keys didn't quickly reveal any obvious common bits, nor did encrypting two successive blocks that differed only by a single bit of plaintext. That means it's at least more than a plain old 8-byte XOR cypher using a folded password.
I figure if I can find all those holes in an hour of poking around with a hex tool, I know they didn't actually hire any cryptographers to produce the software. All the alarm bells have already gone off, and I never even stepped into it with a debugger to learn how they fold your password into a key, or what the IV was, or what the encryption algorithm itself was.
I can find no reference to license requirements for these devices, and since they're operating in the 900 MHz band, I'm assuming they're unlicensed.
This makes me wonder about these, and things like the WiFi shootouts. Are there or are there not FCC regulations regarding these antennas and transmitter power? Obviously there are, but what are those limits? 1 watt? 4 watts? 50 watts? And what about encryption, even on good old 802.11? The FCC has always frowned upon encryption (old Uncle Charlie wants to know what you're saying) yet the entire commercial wireless access point industry would go up in a puff of greasy black smoke if WEP encryption were outlawed.
I guess I need to read up on my FCC rules, because I don't understand it.
First, you are just plain incorrect about what the term "hacker" means. A hacker is simply someone who hacks. The term hacker itself does not imply "good" or "evil". It does not mean specifically someone who breaks into systems, although many of us have done so at some point. It means someone who knows systems well enough that they can get the system to perform unintended tasks. What they do with that knowledge is what separates a "white hat" from a "black hat".
The spammers have hired hackers to infest PCs. Yes, hackers. You may whine and pick nits that "they're just skript kiddiez handing out trojan horses" but look at the means by which they're accomplishing their tasks: they are planting "back doors" giving themselves access to these systems. They are adding code to have these zombies connect to an IRC server somewhere. They are then commanding these zombies to send email on their masters' behalf. Those are hacker behaviors. Whether they used the Virus Creation Labs toolkit or wrote the assembler code themseleves is really immaterial, because they had to know these systems in order to control them. The level at which they developed or modified the tools may change their designation from "skript kiddie" to "wizard", but they're still hackers.
I know some people are trying to linguistically push for the terms "hacker == good" and "cracker == bad", but honestly, trying to change other peoples minds about the meaning of language is just spitting in the ocean.
I have been a hacker for over 30 years now. At age 12 I was core dumping user-level programs and examining the octal dumps looking for reallocated system-level memory that still contained username/password logons for our school computers. So, I feel fairly qualified to use the term hacker however I damn well please. And while I like to think that my hat is pretty white these days, there certainly is still a tinge of grey (or maybe that's just age...)
Since I'm guessing you haven't done this much, I'll consider this a learning experience for you. Next time you should try phrasing your arguments without the ad hominem attacks, in the long run you will get more positive responses. Also, you should try some of the nice allowed HTML tags, it will make your argument look pretty and make it easier to understand (assuming you're not trying to talk to an arrogant pig.)
No, even enforcing fully traceable spam and passing draconian laws won't stop it.
Most spam today comes from zombie PCs, not from giant spam servers. Spammers have hackers infest thousands of PCs with worms, and use those to spew forth their vendors' get rich quick schemes.
OK, you made spam traceable. So now what? Are the feds going to bust in on Aunt Millie just because she didn't install Service Pack 2, hot fix KB123456789, and so allowed spammers to use her name to send their crap?
It might mean Comcast shuts down Aunt Millie's PC from sending email. Or not -- maybe the zombie operator uses Aunt Millie's PC to generate a new Hotmail or gmail account, and sends forth the bilge from there? Extra steps that get Aunt Millie in hotter water, but do nothing to the spammers or their hacking minions.
Technological answers only stop them one zombie at a time. Sure, you can disinfect Aunt Millie's box, but by the time it's patched, both Uncle Fred and Grandma Anna's PCs have been wormed. Spam laws be damned, you're not going to be a popular government for jailing Millie, Fred and Anna for what amounts to a "failure to understand and apply Windows XP Service Pack 2's cumulative security patch for the week ending 9/18."
It's like any other crypto or security problem. Security is a perimeter defense, and it will always be attacked at the weakest point. Cryptologically hardened email will simply mean we spend more CPU cycles verifying that this spam did indeed come from Aunt Millie. ( And, the converse should indicate that the spammers have a weak point too -- I believe it's somewhere south of their pelvises, and north of their thighs. Apply the appropriate amount of pressure and see how much spam shows up tomorrow...:-)
Mostly, the idiots are the vendors who hire the spammers. They buy the spamming service for $60.00 for 10000 emails. The spammers invest $200 in "fake" purchases from the vendor. The vendor is so excited he forks over $1000 for 200,000 emails. The spammer sends them out, and pockets the $860, not caring if the vendor makes another sale or not. If he thinks the fish is really gullible, he might string him along with another investment of $100-200, in hopes of landing another $2000 or so.
Spammers are thieves, they lie, cheat and hack their way into our inboxes. What makes you think they treat their paying customers any better?
This is a parody of a famous troll here on Slashdot.
If you start browsing Slashdot stories at -1, you'll see a troll that says something like: "Netcraft confirms: BSD is dying". This post appears to be a word-for-word copy of that troll, with the word "BSD" crossed out and hastily replaced with the word "Internet".
Sometimes it's literally tears-in-the-eyes funny to read some of these trolls. It's worth doing it maybe once a year; but for the most part, it's mostly wading through pointless offensive slurs. But at least you'll get the jokes when you see them.
Paint is far and away your best answer to deal with the smoke discolorations if the existing cases are to be saved. Empty the case of all electronics. Rinse it with tap water first, then wash it with a detergent, then rinse it a couple of times. Higher pressure rinsing and washing will be more effective, if possible. Use a tiny amount of rinse aid in the last rinse (Jet-Dry for your dishwasher is the stuff.) Air dry it thoroughly (you can accellerate the time by using an oven no hotter than about 125 degrees F, unless you somehow know the plastics can tolerate more heat.) The surface is now ready for painting.
There are several spray paints on the market suitable for plastics.
Another good approach would be to replace the cases completely. A new mid-tower case can be had for about $35.00 US. Unless you're already set up to do some painting, or have many cases to take care of, your labor costs to paint will greatly exceed $35.00.
Oh, if you're also thinking of cleaning and painting a monitor case too, be extremely careful -- the picture tube is a giant capacitor filled to the brim with many, many columbs of nasty electrons just waiting to zap a careless guy with a wet rag.
I guess I hadn't really thought enough about the methods of attack, but I figure they must exist. Here's one I just came up with:
The phishers mail you a new card with a hacked URL they put on it, and when you pop it into your home computer to do your banking, this hacked card's URL will direct you to their phishing web site. (Or, maybe the same day that your phake card hits your mailbox, they DNS spoof your segment of Comcast to redirect FirstAmericanBank.com to 111.112.113.114, the (mythical) address of PhirstNationalBankOfPhishing.) By whatever means, they direct you to a phishing site which will collect your real pass phrase; then, they'll politely ask the victim to reinsert their old card to "deactivate it" while they run some hacked program that uses the combination of your valid card and newly discovered pass phrase to transfer all your money to FrontBankOfCorruption.ru.
Yes, it's harder than today's phishing scams, but it's certainly much easier than breaking the RSA algorithm. And it would only take a few well-chosen attacks on some very wealthy people to steal a lot of money.
For that matter, the attack would work without the phake card. Infest the victim's computer with a trojan (20,000 zombie PC's have got to be good for something) and when they go to their own banking site with their real smart card inserted in their machine, the phishing site instead collects their pass phrase and misuses it to redirect money in the same manner I described above.
As I said, I understand that the public key encryption isn't going to be broken. But it doesn't have to be broken. The human's trust is always going to be the easiest thing to hack, no matter how strong the encryption routines are. And the PC is not a secure device, it can be made to act as a "man-in-the-middle", sometimes dealing with the real bank, but sometimes dealing with the crooks.
Stephen King did that, and any movie he's made where he was personally in control of the screenplay kinda sucked (at least in my opinion.) The Shining, The Running Man, The Shawshank Redemption, all directed by other people were big Hollywood hits. The movies where he was more involved (in order to be more true to his books,) such as The Langoliers and The Stand, just weren't as gripping as far as movies go. I mean I liked them, just not as well as the ones that had another person's vision putting them on the screen.
An author obviously has his or her ideas for screenplays as far as the story goes, and what a vision of it may be, but that doesn't necessarily mean that authors have the "eye" required to make a great movie.
Not that we could, but I'd really like to see a Phillip K. Dick movie made by his own hand. Any of his stories would do. I'd love to know what went on in that brain of his. But that doesn't mean it would be a commercially successful movie. Now, compare that to some of Hollywood's best science fiction movies that were adaptations of his novels: Bladerunner, Minority Report, etc. Hugely successful, incredibly entertaining, but not necessarily true to every word he wrote.
Obviously, Larry can afford to take a chance and make his own movie. But that doesn't mean it's going to be a great film. Yes, Hollywood filmmakers can screw up a good story, but some of them can also spin a great movie from a good story.
Oh, I'm not disagreeing that a smart card (or USB dongle or other hardened form of personal private key storage/signing device) isn't secure against duplication. The math is very strong, the hardware can be made almost hack proof (although check out what the satellite TV hackers have done for examples of extracting information from a hardened smart card), the mathematical proofs that the merchant can't get your approval, it's all based on solid logic.
What I'm saying is that there will be other attacks that aren't necessarily crypto based. Perhaps the bad guys will send "replacement" smart cards via U.S. Postal mail, with instructions to "dial 1-800-PHI-SHING to activate your new card", and get PIN information that way. Or maybe a corrupt insider at Verisign will sell his soul for a couple of million dollars and give up the master signing key for Visa International. Or any one of a dozen attacks I can't even imagine today.
That's what I meant by 'you can't raise the bar so high that the bad guys can't go around it.' I wasn't trying to shoot down the crypto portions, but rather point out that crypto is only a fraction of the defense. The human factors will remain the weakest links.
And all that security is still shot to hell because Heather Hall thought she was at the Bank of America website, while in reality she was being reeled in by phishers. What's to prevent the phishers from handing her a new public key for the Phake Bank of Amerika, or getting her to compromise her private key in some other way? As you pointed out, there are many ways of hacking the system.
Regardless of how heavily you armor plate the bank, or the merchant devices, or the internet or the home users' PCs, it always comes down to a matter of trust. At some point, the user is required to trust that the entity they're dealing with is legitimate, and the retailer and the banks are required to trust the user they're dealing with is legitimate. Those points of trust are the weak points the attackers will always aim for, and they're the precise targets of the phishers.
I believe that's why we haven't seen the adoption of a system like you mentioned. Visa could mandate such a setup, but that would cost them billions of dollars (educated guess.) If they did it, and the bad guys continued to fool the Heather Halls of the world via phishing scams, then Visa will have wasted those billions. I imagine Visa knows exactly how much they lose in fraud, and how much it would cost them to implement a secure system, but I'm not sure they know how effective such a system would be against all the varieties of spoofing attacks. I do know that if the payback were there now Visa would start rolling it out tomorrow.
Public key cryptography certainly raises the difficulty bar for committing fraud, but nothing will raise it so high that bad guys won't still figure out a way to run around the side.
Well, I'm really glad to see the spark of imagination still burns brightly in some kids. Congrats, it sounds like you've got a great kid! And I hope he invents warp engines some day!
I think Star Trek isn't special anymore because the times have changed.
Back in the 1960s, in the days of Commies and Sputnik and the Space Race, a show about astronauts warping around space with a dashing captain punching the Evil Empire in the nose was exactly the right formula to grab America's attention. Surround him with beautiful but deadly women, tear his shirt off in a fight over them every so often, and it captured the interest of teens and young men and women all over the country. And since there were three whole networks of TV channels to choose from, competition for attention was scarce.
But now, there are hundreds of channels with thousands of shows. The internet is high speed and in the kids' bedrooms. Soccer moms spend every waking minute taking their kids from activity to activity. Kids just aren't interested in Star Trek. It's now just a show for their dads and moms to watch; there is no excitement for kids, nothing new in these movies and series. There's no evil villain that they could show that these kids haven't already virtually shot a thousand times in their Nintendos.
Star Trek won't die as long as we adults keep hanging on to our memories of Captain Kirk. But we can't expect our kids to hold him in the same "reverence." And no matter how "special" the stories might be to us, they're just another level in a video game to the current generation.
Did anyone else find the layout of the article amusing? This quote, '[Leonard Nimoy] likens the current situation to the period after the first "Star Trek" feature film, when "I felt that 'Star Trek' was like a beached whale," he said.' was right next to the picture of a 400+ pound 'John Harper, of Tulsa., Okla., in Starbase 21, his booth of memorabilia at the "Star Trek" convention in Los Angeles.'
Right. Only someone who modifies their Segway scooter to follow a RED ball is making progress. Following pink balls is frivolous.
Come on, the guy is hacking for the joy of it. So he comes up with a cool toy. What if in his hacking he comes up with an idea that can be turned into a prosthetic arm control for the handicapped? Or a bomb-disposal robot, or a street sweeper, or perhaps even a Roomba with enough suction to actually clean a part of the house instead of rearranging the dust?
And you even admit it would be funny to watch. Cut him some slack, he's not hurting anyone, and it's his time to spend how he wants.
Hacking is cool when it serves some greater purpose
What do you define as a "greater purpose?" Can't someone hack a Big Mouth Billy Bob Bass Singing Fish just for fun? Do you not appreciate hacking for the sheer joy of it?
Consider some of the shows that are popular on TV these days. Shows like Orange County Choppers, This Old House or Curb Appeal. (OK, popular may be a strong term, but they do have a following.) Even Trading Spaces is about people modifying everyday objects for artistic or even frivolous reasons. Although though none of those shows are about "computer" hackers, they're all about hacking everyday objects into new and interesting forms. I'd say hardware hacking has gone mainstream, even though most people might not call it that.
I personally consider this form of hacking to be an art form. It may not be "art" in the "hang-on-the-wall-in-a-gallery" sense, but art has always been defined by the artist (and to a lesser degree the patron) and not necessarily by Webster. I think there's already plenty of greater purpose here, and I don't think this is as off-putting to as many people as you might think.
She had me "fix" her computer because it was so slow. It was virtually unbootable because of all the spyware crap she had on it. ("But I never installed anything!") I told her "tell me what you need me to save because I'm reformatting the hard drive", and she did, and I did.
I then spent the next two nights rebuilding that stupid machine for her.
Poison would have been faster, and if I went to prison, I wouldn't have to look at Windows again for another 15-30 years. Maybe next time...
They're not that useful, although I recently stuck one in a PC I was working on because I thought I needed it. (I was trying to reinstall Windows ME for my sister-in-law.) Turns out I didn't even need the floppy, the problem was the CD-ROM drive was toasted, so I booted it and installed it off the CD once I replaced that drive anyway.
All the BIOSes I've used in the last few years have allowed me to boot from "other" devices (USB keys and hard drives,) and booting from CD-ROM has been available for much longer. I haven't used a floppy now in a year or so, and I don't even bother sticking them in the machines I build anymore. It's just $10.00 I don't need to add to the cost.
If the thief bought $150 or more, the cashier would keep the expended card. If it were forged, that would be leaving evidence behind.
If the thief bought only $149, the card would still have a balance, and the cashier would return the card to the thief, leaving no evidence behind.
Fortunately, most thieves are really, really stupid, and leave behind plenty of evidence for investigators to find. Of course, I don't know what kind of thieves they're suffering from, but they seem at least moderately clever.
For private key cryptography based on a block cypher, where absolutlely any set of 256 bits will serve as a valid key, it's more common to simply hash a passphrase and directly use that hashed value as the key itself. You can even use the block cypher mechanism itself as the hashing mechanism by encrypting your key as plaintext using a static well-known key, then XORing the resultant cypher blocks. The secrecy of the output is still dependent on the secrecy of the key. However, to be secure, the software must always treat the hashed key exactly as securely as it would treat the raw pass phrase itself.
If the authors of the software felt it necessary to tell the user when they entered a wrong passphrase, then the more secure way to do that would have been to encrypt a block of fixed text when the passphrase was entered, and save that encrypted data (and not the same fixed text as the passphrase hash fixed text!) Then, when the user enters their pass phrase, it would attempt to decrypt that block to arrive at the original fixed data. Yes, it's a perfect "crib" for cryptographers (a known plaintext attack is orders of magnitude easier than an unknown plaintext attack,) but at least it doesn't immediately reveal the key -- it only confirms when you've guessed the correct one.
Long ago, it was commonly used in news groups to mask dirty, racist, or otherwise offensive jokes, or to hide the answer to a riddle or something. The idea was that if it was nasty, you could give the person fair warning not to "decrypt" the message because they might not like the contents. The news readers I used to use had ROT-13 en/decryption built right in -- hit X and it ROT-13'd the message revealing the joke, and hit it again and it rotated it right back to the original text.
I also vaguely remember binding a ksh alias to rot13 that looked something like this:
rot13=tr A-MN-Za-mn-z N-ZA-Mn-za-m
so I could translate things from a shell, but that was a long time ago. I may have gotten it wrong.
I spent a little while analyzing the "CruzerLock" software that came with my Cruzer Mini USB drive. It appears to be using a 64 bit block cypher (perhaps DES) which pretty much rules out any of the more modern encryption algorithms.
Its biggest readily apparent weakness is that the encryption algorithm is running in ECB mode. If you have a file containing AAAAAAAAAAAAAAAAAAAAAAAA it will encrypt to an 8-byte repeating block on the drive, like this: 123456781234567812345678 When I changed that to AAAAAAAAbbbbbbbbAAAAAAAA I saw the following encoding: 12345678abcdefgh12345678. That indicates Electronic Code Book. If I learn what your first block means, I know the third block means exactly the same data. (Please note that these are just example values with nice visual properties, and not the exact values I saw!)
Also, the encryption is the same from file to file. AAAAAAAA encoded in one file produces exactly the same results as AAAAAAAA encoded in another. So the IV for the encryption routine is fixed as well.
At least XORing blocks of encrypted binary nulls with two different keys didn't quickly reveal any obvious common bits, nor did encrypting two successive blocks that differed only by a single bit of plaintext. That means it's at least more than a plain old 8-byte XOR cypher using a folded password.
I figure if I can find all those holes in an hour of poking around with a hex tool, I know they didn't actually hire any cryptographers to produce the software. All the alarm bells have already gone off, and I never even stepped into it with a debugger to learn how they fold your password into a key, or what the IV was, or what the encryption algorithm itself was.
As long as you didn't leave the ROT-13 routine as the default in your shipped product. (Man, that was embarassing...)
But only with a license.
I can find no reference to license requirements for these devices, and since they're operating in the 900 MHz band, I'm assuming they're unlicensed.
This makes me wonder about these, and things like the WiFi shootouts. Are there or are there not FCC regulations regarding these antennas and transmitter power? Obviously there are, but what are those limits? 1 watt? 4 watts? 50 watts? And what about encryption, even on good old 802.11? The FCC has always frowned upon encryption (old Uncle Charlie wants to know what you're saying) yet the entire commercial wireless access point industry would go up in a puff of greasy black smoke if WEP encryption were outlawed.
I guess I need to read up on my FCC rules, because I don't understand it.
I can hear Fry now: "The fools! If only they had encrypted it with two-hundred and fifty SEVEN bits! When will they learn?"
Yikes! Where to begin ... ?
First, you are just plain incorrect about what the term "hacker" means. A hacker is simply someone who hacks. The term hacker itself does not imply "good" or "evil". It does not mean specifically someone who breaks into systems, although many of us have done so at some point. It means someone who knows systems well enough that they can get the system to perform unintended tasks. What they do with that knowledge is what separates a "white hat" from a "black hat".
The spammers have hired hackers to infest PCs. Yes, hackers. You may whine and pick nits that "they're just skript kiddiez handing out trojan horses" but look at the means by which they're accomplishing their tasks: they are planting "back doors" giving themselves access to these systems. They are adding code to have these zombies connect to an IRC server somewhere. They are then commanding these zombies to send email on their masters' behalf. Those are hacker behaviors. Whether they used the Virus Creation Labs toolkit or wrote the assembler code themseleves is really immaterial, because they had to know these systems in order to control them. The level at which they developed or modified the tools may change their designation from "skript kiddie" to "wizard", but they're still hackers.
I know some people are trying to linguistically push for the terms "hacker == good" and "cracker == bad", but honestly, trying to change other peoples minds about the meaning of language is just spitting in the ocean.
I have been a hacker for over 30 years now. At age 12 I was core dumping user-level programs and examining the octal dumps looking for reallocated system-level memory that still contained username/password logons for our school computers. So, I feel fairly qualified to use the term hacker however I damn well please. And while I like to think that my hat is pretty white these days, there certainly is still a tinge of grey (or maybe that's just age...)
Since I'm guessing you haven't done this much, I'll consider this a learning experience for you. Next time you should try phrasing your arguments without the ad hominem attacks, in the long run you will get more positive responses. Also, you should try some of the nice allowed HTML tags, it will make your argument look pretty and make it easier to understand (assuming you're not trying to talk to an arrogant pig.)
Most spam today comes from zombie PCs, not from giant spam servers. Spammers have hackers infest thousands of PCs with worms, and use those to spew forth their vendors' get rich quick schemes.
OK, you made spam traceable. So now what? Are the feds going to bust in on Aunt Millie just because she didn't install Service Pack 2, hot fix KB123456789, and so allowed spammers to use her name to send their crap?
It might mean Comcast shuts down Aunt Millie's PC from sending email. Or not -- maybe the zombie operator uses Aunt Millie's PC to generate a new Hotmail or gmail account, and sends forth the bilge from there? Extra steps that get Aunt Millie in hotter water, but do nothing to the spammers or their hacking minions.
Technological answers only stop them one zombie at a time. Sure, you can disinfect Aunt Millie's box, but by the time it's patched, both Uncle Fred and Grandma Anna's PCs have been wormed. Spam laws be damned, you're not going to be a popular government for jailing Millie, Fred and Anna for what amounts to a "failure to understand and apply Windows XP Service Pack 2's cumulative security patch for the week ending 9/18."
It's like any other crypto or security problem. Security is a perimeter defense, and it will always be attacked at the weakest point. Cryptologically hardened email will simply mean we spend more CPU cycles verifying that this spam did indeed come from Aunt Millie. ( And, the converse should indicate that the spammers have a weak point too -- I believe it's somewhere south of their pelvises, and north of their thighs. Apply the appropriate amount of pressure and see how much spam shows up tomorrow ... :-)
Mostly, the idiots are the vendors who hire the spammers. They buy the spamming service for $60.00 for 10000 emails. The spammers invest $200 in "fake" purchases from the vendor. The vendor is so excited he forks over $1000 for 200,000 emails. The spammer sends them out, and pockets the $860, not caring if the vendor makes another sale or not. If he thinks the fish is really gullible, he might string him along with another investment of $100-200, in hopes of landing another $2000 or so.
Spammers are thieves, they lie, cheat and hack their way into our inboxes. What makes you think they treat their paying customers any better?
If you start browsing Slashdot stories at -1, you'll see a troll that says something like: "Netcraft confirms: BSD is dying". This post appears to be a word-for-word copy of that troll, with the word "BSD" crossed out and hastily replaced with the word "Internet".
Sometimes it's literally tears-in-the-eyes funny to read some of these trolls. It's worth doing it maybe once a year; but for the most part, it's mostly wading through pointless offensive slurs. But at least you'll get the jokes when you see them.
Welcome to Slashdot.
Google found this page for me.
There are several spray paints on the market suitable for plastics.
Another good approach would be to replace the cases completely. A new mid-tower case can be had for about $35.00 US. Unless you're already set up to do some painting, or have many cases to take care of, your labor costs to paint will greatly exceed $35.00.
Oh, if you're also thinking of cleaning and painting a monitor case too, be extremely careful -- the picture tube is a giant capacitor filled to the brim with many, many columbs of nasty electrons just waiting to zap a careless guy with a wet rag.
The phishers mail you a new card with a hacked URL they put on it, and when you pop it into your home computer to do your banking, this hacked card's URL will direct you to their phishing web site. (Or, maybe the same day that your phake card hits your mailbox, they DNS spoof your segment of Comcast to redirect FirstAmericanBank.com to 111.112.113.114, the (mythical) address of PhirstNationalBankOfPhishing.) By whatever means, they direct you to a phishing site which will collect your real pass phrase; then, they'll politely ask the victim to reinsert their old card to "deactivate it" while they run some hacked program that uses the combination of your valid card and newly discovered pass phrase to transfer all your money to FrontBankOfCorruption.ru.
Yes, it's harder than today's phishing scams, but it's certainly much easier than breaking the RSA algorithm. And it would only take a few well-chosen attacks on some very wealthy people to steal a lot of money.
For that matter, the attack would work without the phake card. Infest the victim's computer with a trojan (20,000 zombie PC's have got to be good for something) and when they go to their own banking site with their real smart card inserted in their machine, the phishing site instead collects their pass phrase and misuses it to redirect money in the same manner I described above.
As I said, I understand that the public key encryption isn't going to be broken. But it doesn't have to be broken. The human's trust is always going to be the easiest thing to hack, no matter how strong the encryption routines are. And the PC is not a secure device, it can be made to act as a "man-in-the-middle", sometimes dealing with the real bank, but sometimes dealing with the crooks.
Stephen King did that, and any movie he's made where he was personally in control of the screenplay kinda sucked (at least in my opinion.) The Shining, The Running Man, The Shawshank Redemption, all directed by other people were big Hollywood hits. The movies where he was more involved (in order to be more true to his books,) such as The Langoliers and The Stand, just weren't as gripping as far as movies go. I mean I liked them, just not as well as the ones that had another person's vision putting them on the screen.
An author obviously has his or her ideas for screenplays as far as the story goes, and what a vision of it may be, but that doesn't necessarily mean that authors have the "eye" required to make a great movie.
Not that we could, but I'd really like to see a Phillip K. Dick movie made by his own hand. Any of his stories would do. I'd love to know what went on in that brain of his. But that doesn't mean it would be a commercially successful movie. Now, compare that to some of Hollywood's best science fiction movies that were adaptations of his novels: Bladerunner, Minority Report, etc. Hugely successful, incredibly entertaining, but not necessarily true to every word he wrote.
Obviously, Larry can afford to take a chance and make his own movie. But that doesn't mean it's going to be a great film. Yes, Hollywood filmmakers can screw up a good story, but some of them can also spin a great movie from a good story.
What I'm saying is that there will be other attacks that aren't necessarily crypto based. Perhaps the bad guys will send "replacement" smart cards via U.S. Postal mail, with instructions to "dial 1-800-PHI-SHING to activate your new card", and get PIN information that way. Or maybe a corrupt insider at Verisign will sell his soul for a couple of million dollars and give up the master signing key for Visa International. Or any one of a dozen attacks I can't even imagine today.
That's what I meant by 'you can't raise the bar so high that the bad guys can't go around it.' I wasn't trying to shoot down the crypto portions, but rather point out that crypto is only a fraction of the defense. The human factors will remain the weakest links.
Regardless of how heavily you armor plate the bank, or the merchant devices, or the internet or the home users' PCs, it always comes down to a matter of trust. At some point, the user is required to trust that the entity they're dealing with is legitimate, and the retailer and the banks are required to trust the user they're dealing with is legitimate. Those points of trust are the weak points the attackers will always aim for, and they're the precise targets of the phishers.
I believe that's why we haven't seen the adoption of a system like you mentioned. Visa could mandate such a setup, but that would cost them billions of dollars (educated guess.) If they did it, and the bad guys continued to fool the Heather Halls of the world via phishing scams, then Visa will have wasted those billions. I imagine Visa knows exactly how much they lose in fraud, and how much it would cost them to implement a secure system, but I'm not sure they know how effective such a system would be against all the varieties of spoofing attacks. I do know that if the payback were there now Visa would start rolling it out tomorrow.
Public key cryptography certainly raises the difficulty bar for committing fraud, but nothing will raise it so high that bad guys won't still figure out a way to run around the side.
A GIRL robot...
It was the best prom ever.
Well, I'm really glad to see the spark of imagination still burns brightly in some kids. Congrats, it sounds like you've got a great kid! And I hope he invents warp engines some day!
Back in the 1960s, in the days of Commies and Sputnik and the Space Race, a show about astronauts warping around space with a dashing captain punching the Evil Empire in the nose was exactly the right formula to grab America's attention. Surround him with beautiful but deadly women, tear his shirt off in a fight over them every so often, and it captured the interest of teens and young men and women all over the country. And since there were three whole networks of TV channels to choose from, competition for attention was scarce.
But now, there are hundreds of channels with thousands of shows. The internet is high speed and in the kids' bedrooms. Soccer moms spend every waking minute taking their kids from activity to activity. Kids just aren't interested in Star Trek. It's now just a show for their dads and moms to watch; there is no excitement for kids, nothing new in these movies and series. There's no evil villain that they could show that these kids haven't already virtually shot a thousand times in their Nintendos.
Star Trek won't die as long as we adults keep hanging on to our memories of Captain Kirk. But we can't expect our kids to hold him in the same "reverence." And no matter how "special" the stories might be to us, they're just another level in a video game to the current generation.
Sorry this is so cruel, but it made me laugh.
Come on, the guy is hacking for the joy of it. So he comes up with a cool toy. What if in his hacking he comes up with an idea that can be turned into a prosthetic arm control for the handicapped? Or a bomb-disposal robot, or a street sweeper, or perhaps even a Roomba with enough suction to actually clean a part of the house instead of rearranging the dust?
And you even admit it would be funny to watch. Cut him some slack, he's not hurting anyone, and it's his time to spend how he wants.
What do you define as a "greater purpose?" Can't someone hack a Big Mouth Billy Bob Bass Singing Fish just for fun? Do you not appreciate hacking for the sheer joy of it?
Consider some of the shows that are popular on TV these days. Shows like Orange County Choppers, This Old House or Curb Appeal. (OK, popular may be a strong term, but they do have a following.) Even Trading Spaces is about people modifying everyday objects for artistic or even frivolous reasons. Although though none of those shows are about "computer" hackers, they're all about hacking everyday objects into new and interesting forms. I'd say hardware hacking has gone mainstream, even though most people might not call it that.
I personally consider this form of hacking to be an art form. It may not be "art" in the "hang-on-the-wall-in-a-gallery" sense, but art has always been defined by the artist (and to a lesser degree the patron) and not necessarily by Webster. I think there's already plenty of greater purpose here, and I don't think this is as off-putting to as many people as you might think.
She had me "fix" her computer because it was so slow. It was virtually unbootable because of all the spyware crap she had on it. ("But I never installed anything!") I told her "tell me what you need me to save because I'm reformatting the hard drive", and she did, and I did.
I then spent the next two nights rebuilding that stupid machine for her.
Poison would have been faster, and if I went to prison, I wouldn't have to look at Windows again for another 15-30 years. Maybe next time ...
All the BIOSes I've used in the last few years have allowed me to boot from "other" devices (USB keys and hard drives,) and booting from CD-ROM has been available for much longer. I haven't used a floppy now in a year or so, and I don't even bother sticking them in the machines I build anymore. It's just $10.00 I don't need to add to the cost.
If the thief bought only $149, the card would still have a balance, and the cashier would return the card to the thief, leaving no evidence behind.
Fortunately, most thieves are really, really stupid, and leave behind plenty of evidence for investigators to find. Of course, I don't know what kind of thieves they're suffering from, but they seem at least moderately clever.