S/MIME is built into every modern e-mail client that I'm aware of. Microsoft Exchange Server has cert-generating features built in, or you can use OpenSSH. You can roll your own certs with no problem except for the mail program yammering about "unknown root CA". All the hoohah of "PKI" is only needed if you can't verify key fingerprints over the phone, or by some other out-of-band communication.
PGP/Gnupg works just fine, but it's a pain in the butt. Putting your data on a CD-R or USB memory stick (encrypted, please!) and hand-carrying it works, and will probably generate the least stomach acid.
BTW, if you can't trust your consultant to handle your data with security that's adequate (in *your* opinion, not theirs), get a new consultant (speaking as a consultant.)
I've wondered about this for years. Get a cert from Verisign or whoever. Sign your outgoing mail. Put the public key on your DNS server. Done.
All modern e-mail clients that I'm aware of have S/MIME signature checking built in.
Only problem I see is outfits like Yahoo that like to stick their own stuff onto the end of your mail. Domain spoofing is too difficult to use just for spam.
Thank you for posting the extra information. I'll be interested in seeing your algorithm when you publish it.
Biggest problem I see is in telling which messages are "the same". I'm assuming that messages are "the same" if they come in on the same SMTP connection, with a whole list of RCPT TO lines.
Sending one message per SMTP connection would seem to defeat this. Inefficient, but good enough for a botnet.
The network part is very much Old News; it's called Dedicated Short-Range Communications (DSRC). It's been around for several years, and there are a number of standards committees working on it.
Last I heard, a year or so ago, there was a limited rollout planned for some luxury cars in the 2008 model year, with some simple car-to-roadside communications (map updates, traffic signal status, etc).
The new part here is using AI to sort out what information to give to the driver, and how. It's obvious that if you're not careful, you'll swamp the driver in information.
Coupla other items:
Spoofing: A problem. Last time I worked on it, they were looking at some digital signature tricks.
Privacy: A problem. Basically, every time a radio goes out of contact, it randomizes its MAC address. It'll work fine -- if it's properly implemented. Remember WEP?
My purpose is not to obtain illicit material, but rather to get inside the head of someone who may be a danger to my children. How would Bush or anyone else know the difference based upon a Google search?
Not an idle worry. Pete Townshend of The Who spent 5 years on a registry of sex offenders for just exactly this. Took some fancy lawyering to keep him from being formally charged, too.
OK, so rusty 150 year old steam farm tractors are dangerous. How does this apply to anything remotely modern? With the car in the source article, I got the impression that it didn't even have a boiler -- it was more of a combined steam/gas turbine.
My understanding is that modern steam engines have a relatively tiny amount of water -- in case of an explosion (which I've never heard of happening) the steam simply wouldn't be a problem, and the fragments could be contained by a Kevlar shroud. Main problem is the same as an internal combustion engine -- the fuel.
BTW, do you have a reference for a water heater taking off like a water rocket? (I'm having this argument^Wdiscussion with the friendly neighborhood plumber).
BTW, I thought plumbers and steamfitters were different unions that didn't like each other very much?
Re:Outsourcing made simple (on Offshoring IT) · Score: 1
Bingo.
Many of the arguments for outsourcing have nothing to do with the cost of programming talent:
Escape from Government regulation. (Pension rules, overtime rules, health & safety rules)
Escape from corporate oversight. (Stockholders, board of directors, top corporate management)
Not having to deal directly with programmers, who tend to be ornery cusses.
There are corresponding non-monetary downsides, of course:
Loss of control. (Your supplier delivers a piece of crap. Now what?)
Loss of oversight. (Your supplier sells your data to the Russian mafia. Now what?)
Loss of capability. (You fired all the programmers. Now who's going to answer your questions? You're stuck with your outsource, who probably comes from a culture of Tell The Boss What He Wants To Hear.)
And as someone who is a US citizen and has seen what happens on this end of the stick, I'd say you are correct.
US schools (which are having financial problems anyway) are losing foreign students.
International conferences are starting to stay away from the US.
Performers and athletes are starting to stay away.
And to those who say "good riddance to ferriners", remember we have this little thing called a Global Economy. The US and the rest of the world need each other.
Feh. This always leads to "this shows that [members of the not-my party] are stupid and should be prevented from voting". This isn't democracy; it's a one-party tyranny.
Oh, and don't suggest a "nonpartisan" voter test. There is no such thing.
BTW, the Cato Institute is a pseudolibertarian think tank that invariably supports social Darwinist and international corporatist viewpoints. Everything they say fits their agenda. Nonpartisan, they ain't. Looks like this one is from their "poor people are stupid" file.
Joe Coors smuggles anticommunist tracts into the Soviet Union. Nobody cares.
Ross Perot makes TV infomercials attacking NAFTA. Nobody cares.
Richard Mellon Scaife founds and funds right-wing think tanks. Nobody cares.
Sun Myung Moon funds a money-losing newspaper that becomes known as the "voice of the Republican Party". Nobody cares.
George Soros funds a "liberal talk radio network". The right wing screams like a roomful of little girls at a horror movie.
Michael Moore makes a movie that shows George W. Bush in a less than flattering light. Suddenly it's the End of the Republic.
I see a bit of bias here.
My brother is a fanatical Clinton-hater. He has dozens of "documentaries" on the Clintons' numerous crimes, including mass murder. The only difference here is that Moore is a talented filmmaker who sticks to the facts, as opposed to a hack who just makes stuff up. The Right has trouble attracting artistic types; it's pretty obvious which side of the aisle is telling artists "You can't do that!"
BTW, the only error of fact that I've heard of being sustained was that the story was "The Pet Goat", not "My Pet Goat".
So what are you going to do if the results come back 70% Bush, 25% Nader, and 3% Kerry? Hey, the machine can't be wrong! That's what it says right here in the Diebold literature.
(Yeah, I know that any vote rigging would be a lot more subtle. Same point. It's still "bend over and spread 'em". Not a goddam thing anybody could do.)
In theory, yes. Keep in mind, however, that a man-in-the-middle attack can work if and only if the MITM controls *all* communications between the endpoints. This includes things like phone calls and snail mail.
Something like a formal CA is needed if you want to communicate with absolutely anybody with no prior knowledge or communication. This is why e-commerce sites use them. If you are communicating with somebody you already know, it's not really necessary.
Just browse over to Thawte for a free S/MIME cert (your choice of Outlook or Mozilla), install it, and start sending encrypted e-mail. (Yeah, S/MIME has Closed Source Cooties. Tough. It works.)
There are three reasons that more people don't encrypt their mail:
1. Some mailers won't handle S/MIME, and behave badly when they come across it (refusing to let you read a signed message, for example).
2. People's e-mail rituals don't include signing/encrypting mail. They don't do it because they don't do it.
3. Security mavens tend to run in full Paranoid Nazi mode. They tend to insist on solutions that are only needed if you insist on full anybody-to-anybody communication with a guarantee of no man in the middle. They also seem to think that "security" is synonymous with "how many times can we make the user type in his password?"
Because of #2 above (the real killer) nothing will be done until businesses start insisting on using secure mail. If I remember correctly, Microsoft Exchange has the capability to enforce this, as well as generating certs. No excuse for not using it.
One thing to keep in mind is that, with Government contracts, if it's not in the spec, you don't get it. They probably have the exact data export facilities that the original contract specifies, and not one bit more.
Also, this database is probably running on something like an old UNIVAC, with manuals on clay tablets. Not a good candidate for a quickie upgrade.
I've always wondered who came up with the idea of the Windows registry in the first place.
It's a method of locking a program to a particular machine. The install routine scatters a bunch of values through the Registry, and the program won't work if they're not there.
Before the Registry, you could usually copy the program directory to another machine and run it.
My other question is how well shielded are these things?
That's an interesting point. Unless they've got some really fancy shielding, as soon as they pull the trigger, anybody who can do triangulation with radios will know exactly where they are.
Perhaps their war plans all involve opponents who can't shoot back.
Willis is comparing terms and conditions now with the situation of (much worse scarcity) of 30-35 years ago, then cracks up in laughter at his own ignorance of the past.
Not just in hardware and software costs, but also in matters of organization. For example, you'll never hear anybody complain about unit test routines or internal structure diagrams anymore. When I started in this crazy business (a decade after Brooks), you'd get chewed out for writing one line of code or one line of documentation that the customer didn't demand.
Another example would be Brooks's statement that a major programming team should have their own machine. It sounds falling-off-a-rock obvious now, but at the time, it took the development team out from under the very firm thumb of MIS (now called IT). The old line about MIS people being the equivalent of priests is very well taken -- and they were the nastiest kind of Puritans.
Congress wants to help. I think it's odd that they think it's your God-given right to reverse-engineer your car, but not your XBox.
Probably has something to do with the fact that the engine computers in cars aren't being sold as loss leaders.
Also note that car repair shops who do a good job for a fair price are turning away customers. They don't need "lock ins".
Re:The DMA hates spammers (true) (on NYT on Spam Cops) · Score: 3, Insightful
The problem with "legitimate" spam is that there would be 'way too much of it. Let's say that there are 100,000 "legitimate" spam senders, each of whom sends me one spam per year. That's almost 300/day -- worse than I have now. 100,000 is very definitely a lowball estimate, and one per year is simply silly.
The "unsubscribe" business is a con -- you will have to unsubscribe to every company and mailing list provider that might want you to buy something. I'll also bet that most of them will be set up as obfuscated web pages that will actually subscribe you to extra lists (unsubscribe to List A, be automatically subscribed to Lists B through Z unless you find the Magic Button).
Let's face it. There is *no* *such* *thing* as "legitimate" spam -- if we want to keep e-mail as a useful means of communication.
Perl is an example of an "application specific language". It's optimized for one thing -- schlepping text around.
The reason Perl is so popular is that something like 80% of all programming is code to schlep text around.
I suspect that when the dust settles, we'll find that outsourcing makes sense for some projects and not others, just like anything else.
The one I had to clean up was
In root, running as root. (Think of what happens when foo doesn't exist ...)
30 days of data entry by three shifts of clerks.
And the backups were bad. All of them.
Anybody who says "nobody's that stupid!" hasn't been around very long.
American style.
Minor parties? Like, say, the Democrats?
I've also run into a fair number of "collectors":
Monkey1: I've got six different Chinese versions of Microsoft Office! ...
Monkey2: Do you speak Chinese?
Monkey1: No
No, Microsoft did not lose six sales here.
Two non-industrial countries seem to be doing a pretty good job of it right now.
I think everybody realizes that "privacy policies" are worthless.
No.
They may *bill* that much, but that's not what they take home.
You might be surprised at what your company bills *your* time at.
Also, there's a big difference between "having lots of sex" and "getting fucked a lot." Whores and sysadmins know a lot about the latter.