Slashdot Mirror


User: psydeshow

psydeshow's activity in the archive.

Stories: 0
Comments: 570

Comments · 570

  1. Re:Story misses the point on Government Could Forge SSL Certificates · Score: 1

    Let's say Liechtenstein controls a CA that is trusted by your browser. They can issue a fake cert for mail.google.com and happily MITM all your Gmail connections provided they can rig your hosts file or own your router.

    As we all know, there is very little you can do about the Liechtensteiner government.

  2. Re:Make the Ads Safe on Malware Delivered By Yahoo, Fox, Google Ads · Score: 1

    As long as these sites rely on third party advertisers that are more concerned with eyeball collection than system security, we have a stalemate. If sites want me to see their ads, they have the burden of making sure the ads are safe (less annoying, would also be good). If I lower my guard out of "friendship" for a site, only to get a drive by download as a reward, I'm going to take it as a major breach of trust.

    Bingo. If your site relies on ad revenue to survive, maybe you should be the one serving the ads so that you have control over what's appearing next to your precious content.

    Because here's the thing: ad blockers do not block server-included ads. Right? They block 3rd-party ads that are placed using client-side includes.

    If you (as a content provider) trust your advertisers enough to serve the ads from your own site (and take responsibility for redistributing any malware they hand you, yes?) then I won't try to block your ads. It would be like blocking the photos embedded in your stories, or the graphics of your ui. It just wouldn't make sense.

    The problem is that most sites are apparently so desperate for money that they will allow *anyone* to put *anything* on their pages. They may not intend for that to be the case, but that's the nature of client-side includes. When you use them, you have no control over what some other site is going to decide to do.

  3. Re:Good article! on Users Rejecting Security Advice Considered Rational · Score: 1

    The problem is that the difference is both a moving target and a matter of resources. What takes 30,000 hours on a laptop today might take 7000 hours in 2016. But what takes 30,000 hours on a laptop today would only take an hour or two using massive parallelism in a computing cloud, should the attacker be willing to pay for it.

    Aside from effective key length, which makes even techies' eyes glaze over, there is no reliable index or baseline that we can use to compare different schemes against both time and available resources.

    Even if you use effective strength as a yardstick, it still provides no justification for using one strength over another, because it depends on context. Keeping your brother out of your diary vs authorizing million-dollar wire transfers.... which should be protected by a longer password? It kinda depends on what's in the diary.

  4. Re:It's obvious on Users Rejecting Security Advice Considered Rational · Score: 1

    If "users should write passwords down and keep the written-down password in a convenient, easy to access location" is part of your security plan, frequent resets and complicated password rules should do it.

    Good, that's what I want. A strong password, written on a card that the user keeps in their wallet or pocketbook along with their other valuables. Theft happens, but at least the user will know right away if their wallet was stolen.

    People aren't afraid of strong passwords, they're afraid of having to memorize and recall strong passwords.

  5. Re:Some security measures don't seem practical. on Users Rejecting Security Advice Considered Rational · Score: 1

    Of course, as others have pointed out, TFA is wrong on the reason why changing passwords is important.

    So it was still a good question.

    What's especially interesting is that the disconnect between the policy (change passwords every 90 days) and the reasoning behind it (so that brute force attacks can't be completed within the password validity window) exists in the author's mind as well.

  6. Re:Get a gun. on Killer Apartment Vs. Persistent Microwave Exposure? · Score: 1

    Get a gun. Then, make an appointment with the landlord. Explain your fears and phobias (about microwave radiation) to the landlord. Wave the gun back and forth while you are talking.

    You have obviously never dealt in Manhattan real estate.

    Guns are nothing to these people.

  7. Re:Tracking your TV watching is good on Did We Lose the Privacy War? · Score: 1

    Before TiVo existed, every time one of the shows I liked was canceled I wished that the TV network was tracking MY viewing habits instead of the unwashed masses who appear to like reality TV. Ever since I've had TiVo I always record all the shows I like and I'm happy that TiVo is collecting that information. Sometimes I even record and play back reruns (with the TV off) to positively affect the data for the shows I like.

    You are assuming that your profile is valuable to advertisers. Who knows, you might be *harming* the chances of your favorite show getting renewed, because they look up your TiVo profile and say, "Nah, we already catch enough of those eyeballs with Sports Center. We're only interested in paying for a show that reaches urban 25-35 Ivy League grads."

  8. Re:Inherent privacy is dead. on Did We Lose the Privacy War? · Score: 1

    You wouldn't feel that way if you were an outlier. What if you inherited a few billion dollars from a rich uncle you never thought you had? It would be pretty unlikely for your VERY valuable data to remain hidden in the cloud of us plebes.

    Ditto if you catch a rare disease, or say something offensive to the wrong person. Just because you are one in 4 billion doesn't mean you're not exactly the one they are looking for.

  9. Re:You surrendered. on Did We Lose the Privacy War? · Score: 1

    Untold billions of hours have been spent trying to keep SSNs secret in millions of databases and networks, when the whole problem could be solved by requiring valid photo-ID instead of SSN for access to privacy-protecting systems.

    It's not a secret. It's not a password. There's no picture on the card. It should be against the law to use SSN as proof of anything.

  10. Re:I don't believe it on Apple Bans Jailbreakers From the App Store · Score: 1

    It's not *cheating*. It's just life. The only reason my iPhone has a jailbreak is so that I can use it with a T-Mobile SIM. Aside from patching the baseband so that the phone isn't locked to AT&T (and this is long after my two-year commitment to that provider has expired) I don't install any software from outside of the iTunes ecosystem.

    So what possible reason could Apple have for forcing me to use unpatched firmware on my own, well-out-of-contract device?

    None. And there's a large enough class of other iPhone owners in a similar situation to ensure that if they ever do, their lawyers will be pretty busy for a while.

  11. BS, I WISH I was a kid now on Apple's Trend Away From Tinkering · Score: 1

    Man, I really wish I was a kid now, so that I'd have more time to hack around on the iPhone.

    Unlike the Apple //e, where you had to learn assembly language or consult peek/poke charts to do anything cool, Apple has a beautiful, free SDK for the iPhone. And if learning a little Objective-C and finding your way around Xcode is too advanced, you can still build great cross-platform apps using HTML and JavaScript.

    The barrier to installing your own software on your own device is still pretty low, and possibly lower (because of Xcode and JavaScript) than it ever has been.

    There IS a big barrier to putting your software on *other people's* devices, hence the whole jailbreak routine. But come on, you can still put whatever you want on your own device. So what's the real problem? It's not free, open source software? Ok, then say that! That's valid. But your freedom to tinker isn't being limited.

  12. I will pay, BUT... on NYTimes Confirms It Will Start Charging For Online News In 2011 · Score: 1

    Yeah, fuggit, I'll pay for a NY Times subscription. I live in the city, I read the site daily. I understand that they have to pay their reporters and photographers and editors and whatnot.

    BUT THERE BETTER BE NO ADS.

    I mean it. I think they need to make a choice between ad-supported and subscriber-supported. For two reasons:

    1) Fire the ad management machinery and you get rid of a LOT of overhead that doesn't have anything to do with your core business, which is creating great news and content that people will be willing to subscribe to.

    2) Stop depending on advertising and you remove all kinds of messy editorial conflicts. You no longer have pressure from advertisers to soften or pull a story that is critical of them or their industry, you don't have ads competing with content on the page, and we don't have ads sucking CPU cycles on our readers.

    I don't think we have a prayer in this regard, but they really could change the face and motives of journalism in America by switching to a subscriber-supported model.

  13. If it's available it's fair game on Does Cheap Tech Undermine Legal Privacy Protections? · Score: 1

    Look, if it's that easy to detect the heat coming off of a grow-op, then the growers should be out there detecting and stopping the leaks before the police do.

    I'm all in favor of privacy and civil liberties. But I also notice that the police routinely use things like helicopters and phone taps that the average citizen doesn't have access to. So it seems like maybe it was a bogus, or overly optimistic, ruling.

    I think that the police should be required to be open and above-board about their methods. They should publicize the fact that they are using thermal imaging devices to scan for suspicious heat in the community. But banning their use outright is silly.

  14. Re:Worse than DRM on Jaron Lanier Rants Against the World of Web 2.0 · Score: 1

    Yes, patronage is exactly the solution, as it has been for most (all?) of human history.

    Music, stories, and other cultural expressions scratch societal itches, from aesthetics to diversion to immortality. People with resources will gladly support artists that help them scratch their particular itch. In doing so they also tend to benefit humanity, because cultural expression is something that it is both easy and satisfying to share with others.

    It is only in the last hundred years or so that cultural expression has been created for the exclusive purpose of making a lot of money for investor-distributors.

    I don't necessarily want to rely on Bill Gates' or George Soros' taste in entertainment to be entertained, but as you point out, patronage can be a co-op where each member puts a small amount toward the budget for producing a new "professional" work.

  15. Re:Do the hacks exploit buffer overflow issues? on Adobe Flash To Be Top Hacker Target In 2010 · Score: 3, Interesting

    The hacks in Flash are often social engineering tricks to get at files, camera, microphone... though I think the most growth will be enabled by the excellent support for socket communication in today's ActionScript. In other words, good old-fashioned cross-site scripting.

  16. Re:Quick fixes won't be enough. on Adobe Flash To Be Top Hacker Target In 2010 · Score: 1

    People often just don't update Flash much.

    Except that Flash can be made to auto-update since around version 8.

    So no, people don't update Flash. It updates itself!

  17. Re:non-windows slideshow on Demo For NASA MMO Coming In January · Score: 2, Insightful

    Or just a series of JPEGs for crying out loud.

    It's a SLIDESHOW.

  18. Re:DRM or not, I just don't get it... on Amazon Kindle Proprietary Format Broken · Score: 1

    Kindle downsides not mentioned yet:

    a) When you read the same book day after day for two years it starts to look a little grungy.

    b) There are few questions more pathetic than "My book just ran out of batteries, can I borrow a magazine?"

    c) They have not (whatever anyone may tell you) figured out how to adapt poetry to a screen with arbitrary text sizes.

    I don't miss paper books at all, BTW.

  19. Re:VLC is an amazing, gigantic success on OS X on Lack of Manpower May Kill VLC For Mac · Score: 1

    Hey, why not? We all paid $34 for QuickTime Pro, some of us multiple freeking times.

    Mac users don't expect to get everything for free. You can call that "having more money than sense" or you can call it "not being a programmer, so willing to pay programmers." Either way, plenty of people would pay for VLC.

    But I'm afraid that if they start taking money for it, they will also have to start obeying the DMCA and patent laws, and then it will be just as shitty as QuickTime player, but without the ability to edit video.

    Maybe Google could throw some interns at it?

  20. Re:Some of the complaints aren't valid on Defining Useful Coding Practices? · Score: 1

    Nice. That's going on my wall.

  21. Breaking the Web on "Breathtakingly Stupid" EU Cookie Law Passes · Score: 1

    So how is a website supposed to track whether you gave it permission to use cookies, anyway? I mean, normally you'd store that kind of preference in a cookie, or in a session record identified by a cookie.

    So what if the user says "No, I don't want you to send me cookies"? You can't store their no-cookie preference anywhere for use on subsequent requests.

  22. Re:So Where Exactly is this 'Leaked' Document? on Secret Copyright Treaty Leaks. It's Bad. Very Bad. · Score: 2, Insightful

    Well, if all else fails, we can make this thing sound so horrible that any politician that touches it would be publicly shamed. They can't prove us wrong unless they publicize the details of the treaty...

    A reliable source told me that the Anti-Counterfeiting Trade Agreement will make it illegal to read the bible online.

  23. THAT explains the typos! on Amazon Patents Changing Authors' Words · Score: 1

    Oh, this is hilarious.

    Kindle books are riddled with typos, presumably caused when print editions are scanned to make e-books. (Why don't they get electronic galleys from the publisher? Who knows?)

    So either they have been causing them on purpose to track redistribution, or this is a fine example of making patented lemonade from the technological lemons produced by their scanners.

    I love my Kindle, but I hate Amazon more and more each day.

  24. Re:Upgrade the Captchas on jQuery Dev Bemoans Overwhelming Spam On Google Groups · Score: 1

    CAPTCHAs don't work. The technology implies an arms race (better obfuscation vs. better pattern recognition), but the whole thing is trivially easy to subvert through social engineering / outsourcing. You don't need to pay for better algorithms, just give a kid $20 and challenge him to create more Google accounts today than he did yesterday.

    Meanwhile, they annoy the shit out of honest users.

    Google knows how to detect and filter spam. Hell, any engineer could figure out that the same message cross-posted to more than 5 unrelated groups is a good candidate for automatic filtering. Others have mentioned honeypots. Others have mentioned SPF. Others have mentioned tracking known SMTP relay routes. All of those things make more sense than hoping that stronger captchas will fix anything.

  25. Re:Finally, someone important points out the obvio on jQuery Dev Bemoans Overwhelming Spam On Google Groups · Score: 2, Interesting

    Bingo. They need a moratorium on new products for 3 years while they chain the engineers to big, burly product managers and get all of their offerings on the same page.

    Of course, that's (more or less) what happened at Yahoo!, and Google took the opportunity to fly right past them.