Bluetooth v2.1 security is likely more than adequate for your requirements.
The risk of key interception occurs only once, during pairing, and you can mitigate that by pairing the devices in a Faraday cage or in a remote field, and never pairing them again without taking similar precautions. The E0 algorithm used as the stream cipher to carry the data has a couple of published weaknesses, all of which require substantially more data than is allowed in a single Bluetooth session, so decryption is still not possible.
And all of this desire for security is based on your suspicion that an eavesdropper could glean information that would harm you from just your mouse movements, with no other context like what screens or windows you might be clicking on. Part of building a secure system is to look at the whole threat picture rationally. Who would perform such surveillance? What could they gain? What could you lose?
In this case, the most likely information an attacker would be able to gather is traffic analysis - your mouse is communicating, therefore you must be physically present and using your computer. And they would get that info from any wireless mouse, regardless of how strong the cryptography is. So the rational question is Boolean: should you own a wireless device that transmits when you are physically using your computer? Leave crypto out of that decision. If the answer is yes then Bluetooth meets your other requirements.
It may not be destroying the planet, but if you look deeper, the Internet is responsible for the domestication of the civet. I certainly never would have heard of civet shit coffee if it hadn't been for the Internet, and the same is true for about 5 billion other people. Yet now thanks to the interwebs, we have all heard of it.
And let's say that 10% of people who hear about it want to try it, and 10% of those can afford to. That's 50 million new customers trying to consume a product that's produced slowly on a few acres of jungle. The internet also enables all those customers to order instantly, flooding this little patch of jungle with money. The locals are doing the only sane thing: trying to squeeze more beans out of this boon, while opportunity seekers flock to the new wealth. That means trapping, domestication, poaching, anything to grab a piece of the pie before their neighbor takes it all. It's just another Gold Rush, only faster.
I was thinking along somewhat related lines, but I think the mechanisms might be more simple than "seedling roulette."
We see a pattern in orchids like dendrobiums, which are native to habitats where they undergo very dry winters. The prolonged drought of winter causes dormancy, which creates stress in the plants. The first taste of water after the drought triggers rapid growth and blooming flowers - in nature this immediately follows the arrival of the spring rains. We also know that if the spring water is inadequate, the plant will produce a few flowers and then die. It is often explained as "stress creates some kind of last-chance-to-propagate mechanism", but I believe it's simply another manifestation of the spring trigger conditions occurring in the dying plant.
It is also not uncommon for an orchid grown in a stressful artificial environment, such as one where it doesn't get the correct water or light, to produce a few meager flowers just before it dies. It certainly wouldn't surprise me that being exposed to a toxin like HS would create similar stresses in the plants, which could trigger the same mechanisms.
Random exposure to toxins would probably kill most of the plants. But I suspect controlled exposure could be exploited to produce flowers on a schedule, such as roses for Valentine's Day.
Physical media has plenty of problems. It has a finite (but often not well understood) lifetime, it requires bulky and sometimes temperature controlled storage, it's susceptible to contamination, it's difficult to copy losslessly, it still specifies an encoding, and it requires expensive equipment that is slowly vanishing from the landscape. Whether or not they are still readable 20 years from now is a gamble.
At least you can safely archive digital bits, and copy them all over the place. I'd recommend ripping them to a lossless digital format while you still have a turntable and tape deck available. Keep the media, for sure, but don't place too much faith in it.
Yes-yes. That doesn't mean you shouldn't check them out. Some of what others call worthless shit might have great value to others (not in terms of money).
I think you're missing the whole concept of "value" here. Value is exactly the amount of money someone is willing to pay for a thing (including yourself if you lost the thing and wanted a replacement.) As a seller of such things, you want to seek out the buyer who would place the greatest value on the thing, and give you the most money for it. But until the money is in your pocket, the value is just an assumption.
The demand for most of that stuff is finite. Billy Bob may pay $69.00 for a certain Beatles record that he remembers fondly, but the local used record store is only going to give you $1.00 per disc. What's the value to you? Depends on who paid you for it.
When my grandmother passed, the whole family gathered to clean out her house prior to listing it. We had conversations about who would keep which things. Then there were things like "collectible" plates that people might assume have some value. We offered those to anybody who wanted to take them, "check them out", and sell them. They ended up in the dumpster because they didn't offer the promise of enough value to be worth the effort to carry them away.
We no doubt did someone else a favor by driving up scarcity. Didn't change our value of the stuff from zero, however.
Do you care about the security of your wireless mouse?
Did you ever solve your mousey dilemma? If not, Bluetooth v2.1 solves it by default (if you're careful about avoiding interception during the pairing process.) The bigger question is how you determine which version of Bluetooth stack a vendor's mouse supports?
but plain and simple, we are allowed to do many things in the car legally we should not be doing, shaving, putting on makeup, hell even reading a map or newspaper!
Actually, no, you're not allowed to do any of those things while driving, and you've never been allowed to do any of those things. A cop can cite you for distracted driving, or even careless driving if you did something extra-stupid while distracted.
One of the problems with a smart phone is that it can do many things, including being a navigation aide, but a cop isn't in the car with you and can't tell what you're doing. To him, and to the law, it doesn't matter: it's a thing in your hand that's distracting you.
The "no cell phone" and "no texting" laws were passed to raise awareness of specific dangers, but people mistakenly think that it means "anything that isn't a call or texting must be OK." But it's not legal, and it's never been legal, it's just not explicitly listed as illegal. Otherwise, the books would be filled with out of date and nonsense laws like "No Angry Birds while driving. No Angry Birds Rio while driving. No Angry Birds HD while driving."
That was the beauty of Paget's hack. He used one of the non-domestic cell frequency bands to attack quad-band cell phones (using the ISM band at 900MHz.) Because the phone decided it was roaming, and didn't care about the network ID being set to zero, the phone believed whatever the fake tower told it. The other thing he needed was to send a tower signal that claimed it was getting perfect reception from the subscriber device, so the phone would prefer it above the real towers. No PRL change needed. He also told the phones that the network did not support encryption, so the traffic was sent in the clear, and not only could he intercept it, he could retransmit it over VOIP, acting as a man in the middle.
Got it, thanks. I missed equating the change to his card as "planting a tracking device", which makes total sense, at least to me. So now, it's up to the court to decide if the law sees those as equivalent activities, requiring equivalent oversight.
Oh well. Better to let 100 scoundrels roam free than to wrongly imprison one man.
Nobody is disputing the facts of the case. The questions are if the legal protections were adequate in this case, or if the FBI should have done something more.
And the card wasn't "reprogrammed", at least not in the sense of sending an actual new program to it. An artificial list of cell tower IDs was sent to it, prominently featuring the fake tower ID as top priority. This duped his card into always trying to connect to the FBI's Stingray.
It was "reprogrammed" in the same sense that your grandmother equates "data entry" with "programming".
A warrant has to be issued, it has to be specific in what is to be taken, and specific in the place, time, and person of interest investigated.
That's the interesting thing about this case. It's not just a thing to be taken, but they performed active malicious operation of the suspect's own data card. And it's hard to exactly name an identity thief, when his true identity was one of the facts they were trying to ascertain.
I suspect the ruling will be narrowly focused on some detail of this specific case and won't answer the broad question of whether or not all Stingray use needs a warrant.
Clarification: in this case they had a "court order signed by a magistrate". I don't know how that differs from a "warrant", but it does sound like an appropriate level of judicial oversight, and that this was not just a rogue agent fishing for tax evaders.
That's one of the issues in this case. A Stingray is not discriminating and could impact other cellular devices. The FBI also claims they "throw away" all data that is not pertinent to their investigation, meaning there is no way to determine what they did or did not see regarding other people's communications. (Kind of a damned if you do, damned if you don't situation.)
There is also the difference between wiretaps and pen trace registers. Wiretaps require a warrant, but pen traces don't. The Stingray doesn't record the call or data contents, so it could be claimed to be more like a pen trace. But a Stingray is actively pinging the target's machine to generate data to be used against the owner, which is a completely different use (abuse?) of the technology.
Anything like this would be perfectly legal with a warrant. The real question is if this is legal without one.
I'm just thinking of the examples of a truck or bus getting blown over on the interstate due to high cross winds. Sure, a train is far more massive than a truck or bus, but a bullet train is also traveling three times faster, meaning a small change could have a much bigger effect.
Yes, the climate changes over time naturally. There have been cyclic ice ages and warmings.
But now the amount of change over time is increasing more than the historical records show occurred naturally in the past.
Instead of looking just at your beach thermometer (which is only one set of data points on a very large globe), try reading up on paleoclimatology, and see how the history of planetary weather has been preserved in ice, rocks, and plants, and how researchers use the different forms of evidence to cross check their measurements. There is a lot of evidence out there if you know where to look.
Shilling is not a bad existence. You get paid by your masters to argue in favor of their position, and you can ignore whatever other facts may make that position seem harmful over the long term, because you are able to spend their money today.
He doesn't have to be directly in their pockets, of course. Perhaps he believes that by shilling for the Koch Brothers that he'll get cheaper gas or lower taxes. Maybe he prefers their flavor of John Birch racism. Whatever the reason, for him it's "profitable" in the short term, and he truly doesn't care about the long term. So he's not going anywhere. Best tactic is to ignore him.
I never said anything about Flash or Silverlight. The requirement for an HTPC isn't "must run Flash" or "must run Silverlight", because those are just one type of means to an end, and they drive you towards a specific implementation of the solution. If you start out by thinking "Silverlight", the only obvious solution is "Big Windows machine", so you'll miss other potential solutions like adding a Roku box under remote control.
The real requirements are high level user stories like "My spouse wants to watch Hulu Plus", "The kids want to watch YouTube", "We all want to watch DVDs and BluRays" and "To be user friendly, the remote must have a button that switches input to Hulu" and "As a viewer, I want the guide button to default to launching the program guide for whatever video source is currently selected", or "As a parent, I want the option to lock out video during homework time".
Makes sense for business, but we are talking home use here.
Don't limit that statement by applying the extra constraints. Starting from the ideal requirements is the right approach. The economics might change things, but let them change it after you decide what the best solution is. Starting from the position of "this would be great", then you can say "oh, but I have to save some money, so let's see what I can trim from the budget" or "I want Linux in here, so if I swap this for that, I still end up with everything I want." You stay focused on the end goal, and work towards it.
Starting from "I'm a home user with a limited budget and a desire to use Linux, let's see what I can build that displays on my TV set" may not produce the HTPC of your dreams, because the dreams are lacking from the initial goals.
Slashdot Mirror
Bluetooth v2.1 security is likely more than adequate for your requirements.
The risk of key interception occurs only once, during pairing, and you can mitigate that by pairing the devices in a Faraday cage or in a remote field, and never pairing them again without taking similar precautions. The E0 algorithm used as the stream cipher to carry the data has a couple of published weaknesses, all of which require substantially more data than is allowed in a single Bluetooth session, so decryption is still not possible.
And all of this desire for security is based on your suspicion that an eavesdropper could glean information that would harm you from just your mouse movements, with no other context like what screens or windows you might be clicking on. Part of building a secure system is to look at the whole threat picture rationally. Who would perform such surveillance? What could they gain? What could you lose?
In this case, the most likely information an attacker would be able to gather is traffic analysis - your mouse is communicating, therefore you must be physically present and using your computer. And they would get that info from any wireless mouse, regardless of how strong the cryptography is. So the rational question is Boolean: should you own a wireless device that transmits when you are physically using your computer? Leave crypto out of that decision. If the answer is yes then Bluetooth meets your other requirements.
It may not be destroying the planet, but if you look deeper, the Internet is responsible for the domestication of the civet. I certainly never would have heard of civet shit coffee if it hadn't been for the Internet, and the same is true for about 5 billion other people. Yet now thanks to the interwebs, we have all heard of it.
And let's say that 10% of people who hear about it want to try it, and 10% of those can afford to. That's 50 million new customers trying to consume a product that's produced slowly on a few acres of jungle. The internet also enables all those customers to order instantly, flooding this little patch of jungle with money. The locals are doing the only sane thing: trying to squeeze more beans out of this boon, while opportunity seekers flock to the new wealth. That means trapping, domestication, poaching, anything to grab a piece of the pie before their neighbor takes it all. It's just another Gold Rush, only faster.
Really, nothing else could have happened.
I was thinking along somewhat related lines, but I think the mechanisms might be more simple than "seedling roulette."
We see a pattern in orchids like dendrobiums, which are native to habitats where they undergo very dry winters. The prolonged drought of winter causes dormancy, which creates stress in the plants. The first taste of water after the drought triggers rapid growth and blooming flowers - in nature this immediately follows the arrival of the spring rains. We also know that if the spring water is inadequate, the plant will produce a few flowers and then die. It is often explained as "stress creates some kind of last-chance-to-propagate mechanism", but I believe it's simply another manifestation of the spring trigger conditions occurring in the dying plant.
It is also not uncommon for an orchid grown in a stressful artificial environment, such as one where it doesn't get the correct water or light, to produce a few meager flowers just before it dies. It certainly wouldn't surprise me that being exposed to a toxin like HS would create similar stresses in the plants, which could trigger the same mechanisms.
Random exposure to toxins would probably kill most of the plants. But I suspect controlled exposure could be exploited to produce flowers on a schedule, such as roses for Valentine's Day.
Physical media has plenty of problems. It has a finite (but often not well understood) lifetime, it requires bulky and sometimes temperature controlled storage, it's susceptible to contamination, it's difficult to copy losslessly, it still specifies an encoding, and it requires expensive equipment that is slowly vanishing from the landscape. Whether or not they are still readable 20 years from now is a gamble.
At least you can safely archive digital bits, and copy them all over the place. I'd recommend ripping them to a lossless digital format while you still have a turntable and tape deck available. Keep the media, for sure, but don't place too much faith in it.
Yes-yes. That doesn't mean you shouldn't check them out. Some of what others call worthless shit might have great value to others (not in terms of money).
I think you're missing the whole concept of "value" here. Value is exactly the amount of money someone is willing to pay for a thing (including yourself if you lost the thing and wanted a replacement.) As a seller of such things, you want to seek out the buyer who would place the greatest value on the thing, and give you the most money for it. But until the money is in your pocket, the value is just an assumption.
The demand for most of that stuff is finite. Billy Bob may pay $69.00 for a certain Beatles record that he remembers fondly, but the local used record store is only going to give you $1.00 per disc. What's the value to you? Depends on who paid you for it.
When my grandmother passed, the whole family gathered to clean out her house prior to listing it. We had conversations about who would keep which things. Then there were things like "collectible" plates that people might assume have some value. We offered those to anybody who wanted to take them, "check them out", and sell them. They ended up in the dumpster because they didn't offer the promise of enough value to be worth the effort to carry them away.
We no doubt did someone else a favor by driving up scarcity. Didn't change our value of the stuff from zero, however.
No, his name was "Bob".
I thought D&D was always in english.
No, the original was written in Elvish :-)
Completely off-topic question regarding your sig:
Do you care about the security of your wireless mouse?
Did you ever solve your mousey dilemma? If not, Bluetooth v2.1 solves it by default (if you're careful about avoiding interception during the pairing process.) The bigger question is how you determine which version of Bluetooth stack a vendor's mouse supports?
You'll never guess where I've been!
Your mom.
but plain and simple, we are allowed to do many things in the car legally we should not be doing, shaving, putting on makeup, hell even reading a map or newspaper!
Actually, no, you're not allowed to do any of those things while driving, and you've never been allowed to do any of those things. A cop can cite you for distracted driving, or even careless driving if you did something extra-stupid while distracted.
One of the problems with a smart phone is that it can do many things, including being a navigation aide, but a cop isn't in the car with you and can't tell what you're doing. To him, and to the law, it doesn't matter: it's a thing in your hand that's distracting you.
The "no cell phone" and "no texting" laws were passed to raise awareness of specific dangers, but people mistakenly think that it means "anything that isn't a call or texting must be OK." But it's not legal, and it's never been legal, it's just not explicitly listed as illegal. Otherwise, the books would be filled with out of date and nonsense laws like "No Angry Birds while driving. No Angry Birds Rio while driving. No Angry Birds HD while driving."
That was the beauty of Paget's hack. He used one of the non-domestic cell frequency bands to attack quad-band cell phones (using the ISM band at 900MHz.) Because the phone decided it was roaming, and didn't care about the network ID being set to zero, the phone believed whatever the fake tower told it. The other thing he needed was to send a tower signal that claimed it was getting perfect reception from the subscriber device, so the phone would prefer it above the real towers. No PRL change needed. He also told the phones that the network did not support encryption, so the traffic was sent in the clear, and not only could he intercept it, he could retransmit it over VOIP, acting as a man in the middle.
That was an amazing hack.
Got it, thanks. I missed equating the change to his card as "planting a tracking device", which makes total sense, at least to me. So now, it's up to the court to decide if the law sees those as equivalent activities, requiring equivalent oversight.
Oh well. Better to let 100 scoundrels roam free than to wrongly imprison one man.
Nobody is disputing the facts of the case. The questions are if the legal protections were adequate in this case, or if the FBI should have done something more.
And the card wasn't "reprogrammed", at least not in the sense of sending an actual new program to it. An artificial list of cell tower IDs was sent to it, prominently featuring the fake tower ID as top priority. This duped his card into always trying to connect to the FBI's Stingray.
It was "reprogrammed" in the same sense that your grandmother equates "data entry" with "programming".
A warrant has to be issued, it has to be specific in what is to be taken, and specific in the place, time, and person of interest investigated.
That's the interesting thing about this case. It's not just a thing to be taken, but they performed active malicious operation of the suspect's own data card. And it's hard to exactly name an identity thief, when his true identity was one of the facts they were trying to ascertain.
I suspect the ruling will be narrowly focused on some detail of this specific case and won't answer the broad question of whether or not all Stingray use needs a warrant.
Clarification: in this case they had a "court order signed by a magistrate". I don't know how that differs from a "warrant", but it does sound like an appropriate level of judicial oversight, and that this was not just a rogue agent fishing for tax evaders.
That's one of the issues in this case. A Stingray is not discriminating and could impact other cellular devices. The FBI also claims they "throw away" all data that is not pertinent to their investigation, meaning there is no way to determine what they did or did not see regarding other people's communications. (Kind of a damned if you do, damned if you don't situation.)
There is also the difference between wiretaps and pen trace registers. Wiretaps require a warrant, but pen traces don't. The Stingray doesn't record the call or data contents, so it could be claimed to be more like a pen trace. But a Stingray is actively pinging the target's machine to generate data to be used against the owner, which is a completely different use (abuse?) of the technology.
Anything like this would be perfectly legal with a warrant. The real question is if this is legal without one.
I'm just thinking of the examples of a truck or bus getting blown over on the interstate due to high cross winds. Sure, a train is far more massive than a truck or bus, but a bullet train is also traveling three times faster, meaning a small change could have a much bigger effect.
Chris Paget was able to demo similar behavior at DEFCON 18, and he sure didn't need Verizon's help to do so.
Pretty sure the FCC wanted to bust him on stage, actually.
Yes, the climate changes over time naturally. There have been cyclic ice ages and warmings.
But now the amount of change over time is increasing more than the historical records show occurred naturally in the past.
Instead of looking just at your beach thermometer (which is only one set of data points on a very large globe), try reading up on paleoclimatology, and see how the history of planetary weather has been preserved in ice, rocks, and plants, and how researchers use the different forms of evidence to cross check their measurements. There is a lot of evidence out there if you know where to look.
At those speeds, aerodynamics are important to the train, right? Can surface winds cause turbulence-like effects?
Shilling is not a bad existence. You get paid by your masters to argue in favor of their position, and you can ignore whatever other facts may make that position seem harmful over the long term, because you are able to spend their money today.
He doesn't have to be directly in their pockets, of course. Perhaps he believes that by shilling for the Koch Brothers that he'll get cheaper gas or lower taxes. Maybe he prefers their flavor of John Birch racism. Whatever the reason, for him it's "profitable" in the short term, and he truly doesn't care about the long term. So he's not going anywhere. Best tactic is to ignore him.
In the blink of an eye all that old Geocities goodness will be wiped away from the eyes of the unsuspecting.
How? They're not adding a <tasteful> tag.
I never said anything about Flash or Silverlight. The requirement for an HTPC isn't "must run Flash" or "must run Silverlight", because those are just one type of means to an end, and they drive you towards a specific implementation of the solution. If you start out by thinking "Silverlight", the only obvious solution is "Big Windows machine", so you'll miss other potential solutions like adding a Roku box under remote control.
The real requirements are high level user stories like "My spouse wants to watch Hulu Plus", "The kids want to watch YouTube", "We all want to watch DVDs and BluRays" and "To be user friendly, the remote must have a button that switches input to Hulu" and "As a viewer, I want the guide button to default to launching the program guide for whatever video source is currently selected", or "As a parent, I want the option to lock out video during homework time".
Four.
Makes sense for business, but we are talking home use here.
Don't limit that statement by applying the extra constraints. Starting from the ideal requirements is the right approach. The economics might change things, but let them change it after you decide what the best solution is. Starting from the position of "this would be great", then you can say "oh, but I have to save some money, so let's see what I can trim from the budget" or "I want Linux in here, so if I swap this for that, I still end up with everything I want." You stay focused on the end goal, and work towards it.
Starting from "I'm a home user with a limited budget and a desire to use Linux, let's see what I can build that displays on my TV set" may not produce the HTPC of your dreams, because the dreams are lacking from the initial goals.