Copyright laws which rely on creating artificial scarcity need to die. Compulsory "mass media" licenses like this are a step down that inevitable path.
How about we regulate the banks to provide real two-factor authentication for any online financial transaction? How about we set a standard for smart-cards (hell, add the capability to drivers' licenses) and require that PCs come with smart-card readers?
If we just had these standards in place, they would pay for themselves extremely quickly.
Maybe, but a really small business is very unlikely to be something worthwhile to attack.
You are absolutely wrong. I hope you're not responsible for anyone else's IT operations. Do you have an IP address? It is certain that you are worthwhile to attack.
Big hosts like Google and Amazon will attract more attacks with more sophisticated methods, as I said, but no matter how small you are, you will be attacked. Constantly. Check your ssh and httpd logs if you don't believe me.
Pay me a good salary and give me an interesting job and you can call me the tooth fairy. Your priorities are entirely backwards. Besides, nobody said that was the job title. Troops today have titles other than "warrior," you know.
If anyone is living in fantasy, it's you. Computer systems are compromised all the time here in reality. Sometimes it's by bored teenagers, sometimes it's by the mafia, and sometimes it's by foreign governments and their proxies. There is nothing of fantasy about hiring people with those skills; they could help you secure your own systems and gather intelligence on your enemies.
Right now, it is trivial to get into any medium or large company's datacenter. And it happens all the time. I would imagine that the term "cyber-warrior" would refer to someone skilled in the craft of doing exactly that.
Are they hiring these people to "hack back" for counter-intelligence purposes? Will they be using these guys to try and get botnets all over countries we have poor relations with for intelligence-gathering purposes? Or are they hiring them merely to ramp up penetration testing efforts against our own systems?
It's hard to say, but I'm guessing there might be some of each.
Oh come on! You can't just throw terminology around like that without metrics to back it up! What does Gartner have to say about it? What magic quadrant is it in?
In my opinion, the advantage of multi-core is not that you can make tasks parallel, but that you can run non-parallel tasks in parallel.
Yesterday I had to do some password-cracking. My fastest system was my quad-core desktop. On a single-core system, the cracking software would have made my desktop unusable. But since this was quad core, I could fire the process off and continue to use my system as usual, with no perceptible slow-down on Firefox, NetBeans, or any other app I was working with at that time.
The reason they have this requirement is that they don't actually print faxes, so they can't merely turn the paper. They have an all-electronic system. And this system lacks a rotate feature (probably due to patent issues).
The NSA are experts in systems security. We use their hardening guidelines to secure our servers. They really contribute good stuff to Linux security. They really do want to keep US systems secure. I don't think anyone has ever seen them doing something truly shady, like injecting backdoors into popular software. As far as I can tell, they break codes in one department, and help secure systems in another department. These are the good guys (unlike the FBI, who are media-whoring, civil-rights-abusing porno-police).
Cloud computing has interesting security implications.
The IT security team protecting Gmail are better at security than the team protecting your average datacenter, and they are FAR better at security than your average small business or home user "IT security team."
But on the other hand, far more attackers are going to try far harder to get into Gmail than to get into your small business mail server.
So how do these factors balance out? On the whole, I think medium-to-large businesses with dedicated IT security staff will provide better security than you would get by cloudsourced IT; but the small businesses with no dedicated IT security staff really would be better off, from a security perspective, sending their IT systems to "the cloud."
What? Using passwords is not new to web apps. Apache itself supports passwords.
And using a CMS does not mean breaking linkability. Any RESTful CMS (like Wikipedia) will provide links to data. Static pages have no monopoly on this.
Third party mods are not part of Apache proper. The other stuff really should be done by the app, where it can be altered without HUPing any processes.
It seems that basic web sites made by uploading HTML and other files are going extinct, in favor of web apps like CMSs and blogs. As a result, the majority of the functionality provided by web servers like Apache is becoming unnecessary.
As an example, any web app which interfaces with Apache via Rack middleware needs only the enabling of mod_rack. Other than that, you don't need to touch apache2.conf. Apache basically just handles the sockets; the rest of its functionality goes unused.
It's actually pretty rare to encounter an unencrypted wifi access point these days. And the few that are unencrypted tend to have some sort of security at another layer (browser-based authentication, for example). This would suggest that most people actually do know how to enable security on their routers.
A netbook is not a replacement for a fully-powered computer. It is a supplement to such a computer. Netbook processors can't do games, rich media (like full-screen flash video) or a lot of other things many people do with their computers these days. When you're not at your computer, they're great. But if your only computer were a netbook, you would go mad with frustration.
So you're admitting that letting grandma manage keys is a bad idea?
No. I don't check every time. It's not hard to check (mouseover in the url bar), so it's not something that would go unnoticed on the internet, either. Which is the point.
I think you missed the point. To use "hacker" to refer to someone who breaks computer security is using the word properly.
And in all honesty, nobody outside of Slashdot says "cracker" unless they are talking about password-cracking software, delicious snacks, or white people. In the pro IT security world, we say "attacker" or "hacker" these days. You crack a password, but you hack a computer system.
No, both models would be detectable. I would notice if my connection to Bank of America says "Signed by China Telecom."
Letting the average user manage keys by himself means both widespread MITM is possible, and users get trained to accept keys.
If you think Grandma shopping online would really be more secure if she managed keys herself, you've never met an end user. SSL MITMs have been fantastically rare, despite extremely widespread use by untrained masses. There's no better proof of SSL's success than that.
If they intend to counter hacks in an offensive manner, then war really is a fair analogy.
Wikipedia is a web app. This disproves your claim that web apps can't be linked.
Q to the E to the D.
Sniffing Internet traffic is more like listening to radio signals than wire-tapping, in my opinion.
It would be nice to have the laws regarding this stuff clarified, though.
For web apps (PHP), the most resource-intensive lines are those that hit the database. How fast they are depends on what's in the database.
What you ask is not possible for an IDE to do.
So you're admitting that letting grandma manage keys is a bad idea?
The SSH key distribution model has never been shown to work well when managed by untrained masses. The CA model has.
Um.... no! The CA model exists precisely because the SSH model is vulnerable to MITM!