You really shouldn't limit analysis of how bad an information-leak is by limiting access to other information.
If I obtain records which I can use if i get the corresponding SSN, i'm nearly in an exploit situation, all I need is the SSN.
Even worse, if I somehow wrongly obtained a SSN, I just the data you rate not-too-threatning-wihtout-SSN to do exploit.
SSN isn't that hard to obtain, it passes through millions of computer-systems as a unique-id on persons, which is just its function. SSN should never be used as an identity-proof.
Having traffic between you and google won't help anything either.
You can encrypt your IM using any method you like, for example Off-The-Record: http://www.cypherpunks.ca/otr/, which have all of the desireable properties.
This however does not protect you from google knowing *who* (gmail-id) you are messaging, when, and many other interesting things.
We can just use the Reagan-"star wars" sattelites to shoot down the blast. It would probably work even better than the defence we've got against asteroids.
Who is the actual source of the problem?
on
ID Theft Made Easy
·
· Score: 1
* 100% provided their names upon request
Wow, that's bad how?
* 94% provided pet's names (common passwords) and their mother's maiden name (common second form of authentication)
That leaves the suckers with pets/maiden-names as pw's vulnerable
* 98% gave their address in order to receive a winning voucher.
An address isn't secret, all of the above info is printed in the phonebook.
* 96% divulged the name of their first school. Combined with mother's maiden name, the two are key pieces of information used by banks for verification.
So the users are to blame? I think not... maybe the banks should use some other form of identification.
* 92% provided their date of birth and the same number supplied their home phone number.
Date-of-brith, if anyone uses that as identification they must be barking.
class F {
int X {
get {
if ( disposed )
throw new DisposedException();
else
return x;
}
} }
I keep getting: Your comment violated the "postercomment" compression filter. Try less whitespace and/or less repetition. Comment aborted.
While whitespace, when used properly, is good for readability, the "{}"'s on seperate lines reduces readability by eating screen realestate with empty lines.
The umbrella-allegori did not have relevance to the patent-discussion. You forgot to include the other ways one could be protected from rain.
Allegories are dangerous to the precision of discussions because they can subtly change properties in "translation".
I resent the insinuation that I do not understand the producers ratinale for patents. I also understand why society would allow producers of commonly benefitting things/ideas (that noone else probably would produce/have) a limited time of advantage.
I was discussing whether the action of patenting done by microsoft is actually defensive, in intent and in reality, and what it might defend against, Not the validity of the patent-system at large.
I have the luxury of not living in a contry where gun-ownership is considered a means of protection,... let alone nesssesary.
An umbrella has a specific advantage, it prevents you from getting wet, other ways to prevent you from getting wet include rain-proof clothes, staying indoors and simply waiting for it to stop raining. There are several possibilities, you are not forced to use an umbrella.
As i understand the current patent-law (at least in my country) you cannot patent public knowledge, so publication should be *at-least* a good a defensive measure as taking out a patent.
"We never intend to use the patents offensively,... honest",... now that requires some naivity to believe:)
Any weapon that can be used offensively in any way will eventually be used as such, have a look at history...
If you don't intend to use patents offensively, then don't take them out. And don't work for the same legislation in the EU, just make the results public instead and use your energy to fight the legislation instead.
CS slowly expands the amount of tools in the pragmatic tool-box.
The goals of CS and pragmatics are different:
CS investigates boundries to computing: performance, resource use,...
Pragmatism is about just looking for "enough" to complete a specific task
If you have a task/project with a very specific goal, you'd better be pragmatic, or you will delay delivery of the goal. If some CS (or related) thought up a great way to to this, like a compiler, algorithm, data-structure, language,...
then that's GREAT, if not, then you better solve the problem with the absolutely least amount of effort
We practically never use svn:externals, we just copy the library to share into a "deps" folder.
When we think we've done enough improvement for the library to make sensee to other lib-users, we merge the local changes into the shared location of the library.
If a new (well tested) "release" of the library emerges, we check if it's got the changes needed for the specific project that has a copy. now there are two scenarios:
1. all changes are included: just rm and recopy lib to deps-folder
2. not all changes are included: either stay with the version we've got or merge relevant changes into our local copy
This works REALLY well, allowing project to decide when changes to their dependencies are to their advantage.
Passwords are hard to remember, that's easy to solve: store passwords encrypted under a proper-strength password. But it doesn't remove the fundamental security-problem with passwords: to prove you know the secret, you must reveal the secret.
Zero Knowledge Proofs remedy this problem (google that), and public/private key challenge authentication (properly seeded from both participants) are zero-knowledge assuming the cryptographic operation is secure.
So lets scrap passwords and have a standard protocol for zero-knowledge proofs instead, used in everything from the web to car-keys to win32, with helper libraries for accessing the required key-data using a proper master-password, so we don't have to send secret data to untrusted code.
Have you tried writing or reading any code in any XML variant, for-example XSL?
It's all fine and dandy if you simply wanna move some subtrees around and select a few trees, but implement, lets say, a procedure to decide primality, and it will shortly dawn on you that the "domain-specific" languages for programming (C,C#,ML,python,ruby,...) are a lot nicer to work with than XML, which is basically just a way to write down trees of data, and a wierd one at that:)
While XML may be nice to parse, and certainly nicer that having a gazillion differently formatted data-transports, it certainly is very verbose, and a lot harder to read for humans that ad-hoc formatted text (yes, i write all my posts in "Plain Old Text", wonder why:)
Please, stop using XML for things where better, more readable solutions exist. If you MUST: write a program to transform your data (program) into XML, for later processing as XML
How is this incorrect? The program may choose not to do anything bad to your computer, but that's not the point.
If I run a program on any of the currently prevailing OS'es that program has any and all capabilities that I have, and may act in my stead.
It can run backdoors, allowing repeated violations of the intrusion, run local root explots (all systems have them, you know... code has bugs),...
Capability-based trust (like SELinux) changes this problem a bit, by limiting the capabilities that the program can exploit, but most programs need lots of capabilities to be usefull.
Re:If you are interested in solving math puzzles
on
Prime Obsession
·
· Score: 1
Not quite related to primes, but close
how? md5 is not based on primes, or even irreducible elements of fields. Your problem is much closer related to psuedo-random generators.
The task you set is (for f=md5sum):
Given f: D->D,find x,y: f(x) == y && f(y) == x
which is equivalant to (since y = f(x)):
find x: f(f(x)) == f^2(x) == x
So the task amounts to finding an element in the kernel of (f^2).
A solution may not even exist, for example:
let D = {0,1,2}
let f(x) = (x+1)%3
That depends entirely on the properties of the md5sum function, of which rather little is known. So, people might be right in saying it's unsolvable, and they might not... I don't think anybody knows at this time.
At any rate, if md5 is any kind of good as a hash (it's on it's last breath in the crypto-world http://eprint.iacr.org/2004/199.pdf) it is rather unlikely that any specific number is a solution.
Even if md5 is not a very good hash-function it is certainly complicated enough to require much more restricted attacks than finding f^2 neutral elemnts, at least at the current time:)
Poland is known for stamping down hard, ignoring otherwise established diplomatic ways of proceeding, and without much support from others. I've heard it said as "playing the hand to the limit".
They are often critizised for it by the press, but the tactics seems to work for them in a number of cases (esp. with the expansion of the EU) to a certain degree *because* they have this reputation.
Have the server ask you for the key, for example via SMS, or a web-site that will only serve to the expected IP. This way you can just refrain from answering the SMS or remove the information for the other web-site after your disks have been taken.
It's not real "security", but it is a nice little trick that allows you automated booting and encryption with a kind of safety-margin.
To protect the information in transit, you could let the server generate a new random public/private key-pair for every request and then delete the secret key once the the information for decrypting the disks has been recovered.
Even more intricate schemes can be implemented thorugh Shamir secret-sharing, but these measures would probably be enough for the first time an attacker steals your disk....
Even though it has been proven that no system is perfect, that should not prevent a discussion about which of the available systems are the best.
IRV is just about the worst. Condorcet honors the 5 principels for a large number of distributions of votes. What's left to argue about is what to do when Condorcet doesn't find a winner.
What I wan't is something to replace the phone/pda/gps/mp3/cam combination that you "need" to carry around in atleast 2-3 different units today. I only want to have one device in my pocket.
It should definatly be possible to use WIFI from it, as VoIP world-domination is getting closer (i have my regular phone on VoIP)
It should have cell-phone, for use when the network is out of range
GPS for remembering where the hotspots with free WIFI are.
MP3 for having something to listen to
Syncing with major calendar apps, mail, browser and all that should of course be in there too.
Atleast a low-quality camera, because all the smart teen-agers has one:)
Slashdot Mirror
You really shouldn't limit analysis of how bad an information-leak is by limiting access to other information.
If I obtain records which I can use if i get the corresponding SSN, i'm nearly in an exploit situation, all I need is the SSN.
Even worse, if I somehow wrongly obtained a SSN, I just the data you rate not-too-threatning-wihtout-SSN to do exploit.
SSN isn't that hard to obtain, it passes through millions of computer-systems as a unique-id on persons, which is just its function. SSN should never be used as an identity-proof.
I have absolutely no use for commercials, so of course I block them when I can.
I have MythTV, and that way I don't have to watch commercials on TV either.
A declaration of intent is no protection at all.
Having traffic between you and google won't help anything either.
You can encrypt your IM using any method you like, for example Off-The-Record: http://www.cypherpunks.ca/otr/, which have all of the desireable properties.
This however does not protect you from google knowing *who* (gmail-id) you are messaging, when, and many other interesting things.
I've always thouoght of the USA as a cartoon. Certainly no country like that could exist in the real world.
So, actaully Microsoft and Hollywood are funding terrorism via the black markets in asia?
Lets nail those bastards!
Just in: A grouping known as "humans" are knowingly infringing on copyright.
We can just use the Reagan-"star wars" sattelites to shoot down the blast. It would probably work even better than the defence we've got against asteroids.
* 100% provided their names upon request
Wow, that's bad how?
* 94% provided pet's names (common passwords) and their mother's maiden name (common second form of authentication)
That leaves the suckers with pets/maiden-names as pw's vulnerable
* 98% gave their address in order to receive a winning voucher.
An address isn't secret, all of the above info is printed in the phonebook.
* 96% divulged the name of their first school. Combined with mother's maiden name, the two are key pieces of information used by banks for verification.
So the users are to blame? I think not... maybe the banks should use some other form of identification.
* 92% provided their date of birth and the same number supplied their home phone number.
Date-of-brith, if anyone uses that as identification they must be barking.
I can't even post your proposed equivalent of
class F {
int X {
get {
if ( disposed )
throw new DisposedException();
else
return x;
}
}
}
I keep getting:
Your comment violated the "postercomment" compression filter. Try less whitespace and/or less repetition. Comment aborted.
While whitespace, when used properly, is good for readability, the "{}"'s on seperate lines reduces readability by eating screen realestate with empty lines.
The umbrella-allegori did not have relevance to the patent-discussion. You forgot to include the other ways one could be protected from rain.
Allegories are dangerous to the precision of discussions because they can subtly change properties in "translation".
I resent the insinuation that I do not understand the producers ratinale for patents. I also understand why society would allow producers of commonly benefitting things/ideas (that noone else probably would produce/have) a limited time of advantage.
I was discussing whether the action of patenting done by microsoft is actually defensive, in intent and in reality, and what it might defend against, Not the validity of the patent-system at large.
I have the luxury of not living in a contry where gun-ownership is considered a means of protection,... let alone nesssesary.
An umbrella has a specific advantage, it prevents you from getting wet, other ways to prevent you from getting wet include rain-proof clothes, staying indoors and simply waiting for it to stop raining. There are several possibilities, you are not forced to use an umbrella.
As i understand the current patent-law (at least in my country) you cannot patent public knowledge, so publication should be *at-least* a good a defensive measure as taking out a patent.
"We never intend to use the patents offensively, ... honest",... now that requires some naivity to believe :)
Any weapon that can be used offensively in any way will eventually be used as such, have a look at history...
If you don't intend to use patents offensively, then don't take them out. And don't work for the same legislation in the EU, just make the results public instead and use your energy to fight the legislation instead.
--
Helge
CS slowly expands the amount of tools in the pragmatic tool-box.
...
...
The goals of CS and pragmatics are different:
CS investigates boundries to computing: performance, resource use,
Pragmatism is about just looking for "enough" to complete a specific task
If you have a task/project with a very specific goal, you'd better be pragmatic, or you will delay delivery of the goal. If some CS (or related) thought up a great way to to this, like a compiler, algorithm, data-structure, language,
then that's GREAT, if not, then you better solve the problem with the absolutely least amount of effort
We practically never use svn:externals, we just copy the library to share into a "deps" folder.
When we think we've done enough improvement for the library to make sensee to other lib-users, we merge the local changes into the shared location of the library.
If a new (well tested) "release" of the library emerges, we check if it's got the changes needed for the specific project that has a copy. now there are two scenarios:
1. all changes are included: just rm and recopy lib to deps-folder
2. not all changes are included: either stay with the version we've got or merge relevant changes into our local copy
This works REALLY well, allowing project to decide when changes to their dependencies are to their advantage.
--
Helge
Passwords are hard to remember, that's easy to solve: store passwords encrypted under a proper-strength password. But it doesn't remove the fundamental security-problem with passwords: to prove you know the secret, you must reveal the secret.
Zero Knowledge Proofs remedy this problem (google that), and public/private key challenge authentication (properly seeded from both participants) are zero-knowledge assuming the cryptographic operation is secure.
So lets scrap passwords and have a standard protocol for zero-knowledge proofs instead, used in everything from the web to car-keys to win32, with helper libraries for accessing the required key-data using a proper master-password, so we don't have to send secret data to untrusted code.
You mean, Microsoft earned their money to give them away?
Or do you think they are aware enough of their image to try and invest in improving it?
Have you tried writing or reading any code in any XML variant, for-example XSL?
:)
:)
It's all fine and dandy if you simply wanna move some subtrees around and select a few trees, but implement, lets say, a procedure to decide primality, and it will shortly dawn on you that the "domain-specific" languages for programming (C,C#,ML,python,ruby,...) are a lot nicer to work with than XML, which is basically just a way to write down trees of data, and a wierd one at that
While XML may be nice to parse, and certainly nicer that having a gazillion differently formatted data-transports, it certainly is very verbose, and a lot harder to read for humans that ad-hoc formatted text (yes, i write all my posts in "Plain Old Text", wonder why
Please, stop using XML for things where better, more readable solutions exist. If you MUST: write a program to transform your data (program) into XML, for later processing as XML
We have to do something in orde to protect ourselves. Perhaps a NRA for computer hobbiests might be in order. We have no lobbiests on our side.
http://piratgruppen.org
How is this incorrect? The program may choose not to do anything bad to your computer, but that's not the point.
...
If I run a program on any of the currently prevailing OS'es that program has any and all capabilities that I have, and may act in my stead.
It can run backdoors, allowing repeated violations of the intrusion, run local root explots (all systems have them, you know... code has bugs),
Capability-based trust (like SELinux) changes this problem a bit, by limiting the capabilities that the program can exploit, but most programs need lots of capabilities to be usefull.
Not quite related to primes, but close
:)
how? md5 is not based on primes, or even irreducible elements of fields. Your problem is much closer related to psuedo-random generators.
The task you set is (for f=md5sum):
Given f: D->D,find x,y: f(x) == y && f(y) == x
which is equivalant to (since y = f(x)):
find x: f(f(x)) == f^2(x) == x
So the task amounts to finding an element in the kernel of (f^2).
A solution may not even exist, for example:
let D = {0,1,2}
let f(x) = (x+1)%3
That depends entirely on the properties of the md5sum function, of which rather little is known. So, people might be right in saying it's unsolvable, and they might not... I don't think anybody knows at this time.
At any rate, if md5 is any kind of good as a hash (it's on it's last breath in the crypto-world http://eprint.iacr.org/2004/199.pdf) it is rather unlikely that any specific number is a solution.
Even if md5 is not a very good hash-function it is certainly complicated enough to require much more restricted attacks than finding f^2 neutral elemnts, at least at the current time
Poland is known for stamping down hard, ignoring otherwise established diplomatic ways of proceeding, and without much support from others. I've heard it said as "playing the hand to the limit".
They are often critizised for it by the press, but the tactics seems to work for them in a number of cases (esp. with the expansion of the EU) to a certain degree *because* they have this reputation.
Have the server ask you for the key, for example via SMS, or a web-site that will only serve to the expected IP. This way you can just refrain from answering the SMS or remove the information for the other web-site after your disks have been taken.
It's not real "security", but it is a nice little trick that allows you automated booting and encryption with a kind of safety-margin.
To protect the information in transit, you could let the server generate a new random public/private key-pair for every request and then delete the secret key once the the information for decrypting the disks has been recovered.
Even more intricate schemes can be implemented thorugh Shamir secret-sharing, but these measures would probably be enough for the first time an attacker steals your disk....
--
Helge
Even though it has been proven that no system is perfect, that should not prevent a discussion about which of the available systems are the best.
IRV is just about the worst. Condorcet honors the 5 principels for a large number of distributions of votes. What's left to argue about is what to do when Condorcet doesn't find a winner.
Well apparently my job is:
So it may take a while before I can tell the customer his problems are solved.
What I wan't is something to replace the phone/pda/gps/mp3/cam combination that you "need" to carry around in atleast 2-3 different units today. I only want to have one device in my pocket.
:)
It should definatly be possible to use WIFI from it, as VoIP world-domination is getting closer (i have my regular phone on VoIP)
It should have cell-phone, for use when the network is out of range
GPS for remembering where the hotspots with free WIFI are.
MP3 for having something to listen to
Syncing with major calendar apps, mail, browser and all that should of course be in there too.
Atleast a low-quality camera, because all the smart teen-agers has one