Slashdot Mirror


User: Skapare

Skapare's activity in the archive.

Stories
0
Comments
6,883
First seen
Last seen
Profile
(view on slashdot.org)

Comments · 6,883

  1. Re:Villianous? on SBC Patents Links, Dynamic Pages · · Score: 1

    It's the nature of the beast for an alligator or a lion to kill and eat you. But we sure as hell don't passively allow that to happen if we have any means of control over it. Maybe we run away. Maybe we kill the predator. The one thing we cannot do is redefine what the nature of the beast is. Instead, we have to make its nature ineffective.

    What's all wrong with this picture is not that businesses try to make money. Rather, what's wrong here is a patent system that effectively legalizes extortion by issuing patents which:

    • Do not represent the innovation the whole patent concept was intended to promote.
    • Hands off real decisions about validity to a process (judicial) that is extremely costly.
    • Generate huge zero-sum incomes to the intellectual property law industry.

    The fundamental flaw here is that the USPTO's process is what is broken. Nevermind our hatred of software patents; that's not what this is about (and efforts to fight software patents isn't a fight against this problem at all). To be effective in this fight, we have to accept that the original premise of patents, to promote innovation through exclusive rewards, is fundamentally sound even for software, and then argue that the system in place today just does not represent that original premise whatsoever. We need to show that for each of most of the patents issued, that today (this was not the case in 1803, but is in 2003) the net effect is a reduction of innovation, as well as a drain on the economy.

    As RXC tells us, our battle is not in Austin Texas, but rather, in Washington D.C. But still, if you do find prior art, bring it up, as that can also be used to show how broken the patent process is. Be sure to not only look at web applications, but also at others done over the network as specified by the patent, such as those built on X Windows.

  2. Re:Conspiracy theories on Sony to Stop Producing Smaller CRTs · · Score: 1
    Remember that Sony can't "force" you to buy a higher price LCD as you can always buy another brand. The fact that there taking the smaller ones of the market means that they feel that they won't lose very many customers.

    Or perhaps they aren't making enough profit on the low end monitors to justify their corporate resources which they could use to expand production of what they see as more profitable markets, such as extending LCD production to a better range, or perhaps even better quality.

  3. Re:"Good Guys" vs "Bad Guys" on AT&T Identifies Widespread Security Hole - In Locks · · Score: 1

    As someone else already mentioned elsewhere. These low security keying systems do more for preventing honest people from being tempted than preventing dishonest people from being able to break in. I was back then able to pick most locks in a matter of a few minutes, and learned it by reading a book, not from some skilled guru. I bet you can google for the info today.

  4. Re:I did this 30 years ago in college on AT&T Identifies Widespread Security Hole - In Locks · · Score: 1

    Our room keys worked the front door. There were 2 positions that all the keys in the same building had the same levels at. What they probably did was made the front door only have pins in those positions and empty in the others where all the keys varied. They didn't have the splits as the master key didn't work on the front door (but my room key did). The other three dorm buildings used the same blanks, but were on a different submaster as those 2 positions common within a building were different between buildings. Their front doors were worked by their room keys. While my grand master key would not let me in to their buildings, it did work the room locks once in.

    The grand master also did not work the locks for the mail boxes, although the room keys did. They just didn't have the splits. They didn't need to master the mail boxes because they had the key to the mail room itself (which the master did work for).

    One other room the master didn't work on was the room where the 3000+ volt to 120/240 volt transformers were. It wasn't even the same blank. I guess the electric company just didn't trust anyone :-)

  5. Re:Oh, one more thing... on AT&T Identifies Widespread Security Hole - In Locks · · Score: 1

    Actually, a friend of mine solved that problem. He cut a chemistry spatula to be a master key. And it worked. It was a little bent up to fit the lock. Lots of flat metal the right width will slide right in. No reason it couldn't have been notched. His was just a copy of my master.

  6. Re:It is well-known among locksmiths on AT&T Identifies Widespread Security Hole - In Locks · · Score: 1

    When I made a grand master key in college some 30 years ago, half the splits were above my room key, and half were below. But that's no big deal because with the room key, it was trivial to rule out those splits as being part of the master levels because I was sure they wouldn't have given me a submaster key (which would have had some master levels, and some levels specific to the submaster area).

  7. I did it without the blanks on AT&T Identifies Widespread Security Hole - In Locks · · Score: 2, Interesting

    For one thing, building up solder in each position makes it a lot easier to see the indentations. But the real reason this works is that if you apply a back and forth motion as your attempt to turn the key, the indentations can be made even if the other positions are not cut properly at all. So this can be done with one key, and it doesn't even have to be a blank (but it does get modified in the process, so if you can get a blank, that's better).

  8. Oh, one more thing... on AT&T Identifies Widespread Security Hole - In Locks · · Score: 5, Insightful

    Oh, one more thing. If you do decide to make yourself a grand master key, and are tempted to carry it around on your key ring, cut the hilt off so that the key will go in too far to work. Then only you will know that you have to put it in only part way. So if you get stopped and someone thinks you might have a master key and tries the keys on your ring, their natural human thing of "go all the way" will prevent them from detecting that your key works the lock.

  9. Re:Too little concern for physical security.... on AT&T Identifies Widespread Security Hole - In Locks · · Score: 1

    I've done that, too. Just cut back the hilt. This is usually good for one more position.

  10. Re:think about dorms on AT&T Identifies Widespread Security Hole - In Locks · · Score: 1

    Absolutely get yourself a lockbox that can be bicycle-cabled to something that can't be moved. While I did have a grand master key in college, I didn't go entering people's rooms (instead I did "nice" things like getting extra TP from the janitor's closet when the bathrooms ran out, or went in the utility closet to reset circuit breakers when someone overloaded a circuit). But that's not to say that someone totally dishonest can't employ these methods. Afterall, I learned it from a book I checked out of the college library.

  11. And now for the secure solution on AT&T Identifies Widespread Security Hole - In Locks · · Score: 3, Informative

    And now for the secure solution. You're gonna like this (in German).

  12. Re:I Financed my University Education that way.. on AT&T Identifies Widespread Security Hole - In Locks · · Score: 1

    Why post anonymously? Working as a locksmith part time to pay your way through school is an honorable way to do things. Oh wait ... :-)

  13. I did this 30 years ago in college on AT&T Identifies Widespread Security Hole - In Locks · · Score: 4, Interesting

    This is not an unknown technique. I did this 30 years ago in college. And I only made adaptations to the technique described in a book on locksmithing which was checked out of the college library. I just didn't have any blanks to work with so I made do with one lost key I found. The campus used a type of blank not sold to the public.

    A grand master keying system is based on 5 to 8, but usually 6, tumblers, with typically 10 levels or codes for each tumbler. A simple master system will have at least 2 tumbers with double cuts (but the doubles cannot be cut too close). A more complex system with a level of submastering will have 4 tumblers double cut. A grand master system with potentially two or more levels of submastering will have all the tumblers double cut.

    Presuming it is a grand master system (and very large numbers of change keys generally are made this way even if no grand master key is produced), then you can presume that each position on the key is different between your key and the grand master. And not only is it different, but you can also rule out the level which is one above or below what your key has (the tumbler piece would be prone to pivot and jam, instead of slide, if cut too close). And even two levels apart is often avoided because a tumbler piece of those length can jam, although they insert a ball if the tumbler width is the same as 2 levels in that position (or 3 in some systems).

    So for a typical 6 tumbler 10 level system, you can rule out 3 levels (or 2 if your key is at the highest or lowest) at each position, and the levels 2 above and below are less likely (try them last).

    From your key, you can figure out about where all the levels are. Any additional keys (and I had one, and since this is a non-destructive step, I could also look at a friends' keys) can help. Now with the one spare key I had (extras help a little), you begin the step to find the master levels.

    When a key position is ground just a little bit too high, usually about 1/4 of a level interval, it can still engage the tumbler cuts, but it will be rough when doing so. The same thing happens when it's low, but that's not helpful, so make the cut a little high. Even if the other positions are wrong this can be done, but if they are right it's easier. Putting a bit of solder on the position to raise it really helps because now you can see an indentation formed due to the pressure. Attempting to turn the key in the lock will try to work in those positions just a bit off, but will leave a mark on the key, especially if the metal is soft like solder. If there is no indent, you didn't get the right level, so try another at that position.

    Repeat for all positions. If you are good you can even work all positions in parallel and accomplish this in just minutes. Once you have a level for every position which is at a different height than your own key, you probably have the grand master. If your key was really a submaster, this could trip you up. But they generally try to avoid giving out submaster keys to students.

    There are two other ways to do this.

    You can remove the lock and pull the tumblers and measure them. Be very careful because when you tap out the slide to expose the tumblers, do so one at a time because there's always a spring on top to keep the tumblers under pressure. Of course don't lose the parts, and don't lose the order the tumbler pieces come out. Now you can simply see what levels for each position make up the grand master.

    Another method is to figure out all the levels and their distances. The micrometer caliper helps here. Write down the levels for your key. The next step is to examine other keys of other students. Of course they will think you're trying to make a copy of their key, but if they're your friends and you can trust them, you can reveal your real plan. Write down the levels for their key as well. This now lets you rule out some more levels at each position which the master cannot be. With enough keys you can narrow down just what the grand master key is.

    If all the keys you examine are part of the same submaster system, you'll notice that 2 or 3 or maybe 4 positions are just the same on all keys. The grand master will be different there, but if you just cut your new master key at those levels anyway, while you won't have a grand master, you will end up with a submaster which can be used on all the locks in area (usually a building or so) that the examined keys came from.

    A combination of having a few change keys (yours and a few friends' keys) to rule out more levels in some positions, and working with the first method to find the master levels, can speed things up for you.

    Like I said before, I didn't actually invent these methods; I read them from a locksmithing book. I merely adapted the solder techniques to make things a little easier. Real locksmiths can do it without solder.

  14. Re:my master key to the entire university campus on AT&T Identifies Widespread Security Hole - In Locks · · Score: 2, Interesting

    It's possible to make a lock system with hundreds of thousands (in a 6 or 7 pin system) of "change keys" and a thousand or so "sub master keys" in one or two levels of hierarchy, and still have a "grand master" for the whole system. It may be that the campus was designed exactly that way to ensure that no "change key" could accidentally be a valid key (possibly even a "sub master") of another building. They simply would not create an actual "grand master key". But that wouldn't have prevented deriving it's code since it would be part of the design. The only way to have really avoided a grand master would have been to use a whole different blank for each building, and that might have been ruled out as too costly to stock blanks in whatever department was making the keys.

  15. Define "false positive" on Plan for Spam, Version 2 · · Score: 1

    We need to define "false positive". Differences between different tests might hinge on what the definition of a "false positive" is. And further, where and how filtering should, or should not, be deployed can also depend on what is a "false positive" for the recipients where it could be deployed.

    Given that spammers totally disregard failed delivery, even if they get an SMTP response code indicating this when they do direct delivery, and do not clean up their lists, one effect is that even where the spam is refused or filtered into a junk box, the spam keeps coming. And the rate of growth is still substantial as more and more people attempt to get their cut of the pie that is there for spammers as a result of this theft or delivery resources they do to keep their own costs down (i.e. spamming with an unmaintained list of a million is cheaper than working to clean it down to just those who actually want it).

    ISPs that host spammers who steal delivery resources from recipients (and their ISPs) are just as guilty of theft as the spammers themselves, as far as I'm concerned, because they could put a stop to it, but don't because it means more revenue for themselves (and increases the level of theft the rest of us incur). So to me, my anger is not only aimed at the spammers, but also to those who support the spammers, and even to those who support those who support spammers (e.g. the other customers of the ISPs harboring spammers). So I don't want any of their mail. I don't want their servers to contact my servers at all. I don't want my servers to have to spend any time queueing and classifing their mail. And I certainly don't want it in my mailbox.

    So basically, the mail from all the other customers of a bad ISP (because they harbor spammers) is also unwanted mail. If it gets rejected by whatever tool I use to block spam, then it is not a false positive at all.

    IP address based tools like DNS based blacklists often provide exactly what I need. Since all the mail from places where spam comes from is what I want to refuse, by blocking the whole mail server, the effect is an excellent match. And the SPEWS DNSBL even lets me block the rest of the ISP so I can "send the message" back to their other (so called "legitimate") customers that I don't care for them to be supporting an ISP that supports spammers.

    So basically, what I have now seems to do the job very well. That's because of what I happen to define as the mail I don't want to get. Others who define the mail they don't want to get differently might need to use a different approach, and maybe Bayesian filtering is right for them. It isn't right for me because it isn't really addressing the problems I have, which is that my mail servers are still being bombarded by spammers attempting to send spam. As it is now, I reject all this junk mail during the SMTP session with no reception of the message content, no queueing, and no text processing. All a Bayesian filter would do for me is increase my costs because then I'd have to receive content I already know I don't want, and process that content to make a decision I already have made. So there's nothing in it for me.

  16. The cost of filtering spam on Plan for Spam, Version 2 · · Score: 1

    The cost of sending email is generally substantially less than the cost of receiving email. And this is one of the reasons the spam problem is so pervasive; it's so cheap to spam, and costs the victims so much. The cost of spam is the cost of receiving email, plus the cost of having to deal with junk you don't want. What filtering does is reduce or eliminate the personal cost of dealing with junk in your mailbox. But that still means your mail servers are dealing with more than twice the number of network connections, and twice the number of SMTPD processes, plus the added cost of applying the Bayesian filtering (which can't be less than the cost of receiving and queueing mail because it has to open it up to apply the test).

    Sure, I'd would rather not have to wear out my 'd' key, and filtering can save it. But the real costs of spam are at the servers having to deal with all those spam connections that continue to happen despite the fact that spam isn't being accepted. I currently refuse spam using SPEWS and several other DNSBLs, and this means the spammer gets a 5XX refusal code, so they know it doesn't work here. Yet they don't clean their lists (there are over 200 email addresses here being spammed regularly that have never even existed). They keep on spamming. They keep on using my bandwidth. They keep on using CPU cycles, virtual RAM, and swap space. They keep on costing me money because I have to add more mail server capacity sooner than I should have to.

    At least by refusing the mail to begin with my costs are lower. I'm looking to some solutions where I can have huge lists of IP addresses I refuse IP layer traffic from, next, to further reduce the costs.

    And efforts by certain anti-spam groups, which get labeled as "collateral damage" are in fact working at some ISPs to get spammers shut down and kicked out. If these methods would be used by everyone, then every ISP would be forced to eject spammers, and then we'd finally see the spam levels going down. And as the ISPs clean up, their address space drops from being listed, and the "collateral damage" (we (TINW) call it "peer pressure") itself will be reduced, too.

    Bayesian filtering sounds like a nice idea. It's just not trying to solve the right problem, which is the total cost of spam.

  17. If C becomes an OS ... on Programming Languages Will Become OSes · · Score: 1

    If C becomes an OS then how would we code the Linux kernel?

  18. Re:I mean, c'mon now, really on The End of the Free PCI Device List (Update) · · Score: 1

    Paper trail? Sure. Lawyers to make sure the right things are said? OK. But making legal threats and demanding more than is common practice (e.g. merely the text "PCI"). Absolutely not! If some lawyer thinks that is required to protect one's right then either he is incompetent, or all the other lawyers are for having made a system that is totally fubar. Either way, it's unacceptable to normal people.

  19. Lawyers are easily confused on The End of the Free PCI Device List (Update) · · Score: 1

    Lawyers are easily confused. This is probably why they think the public gets confused so often. If they see the letters "PCI" on a web site, they immediately jump to the conclusion it must be sanctioned and supported by the PCI-SIG, or maybe it even is the PCI-SIG. And boy are they pissed when they find out they had it wrong, which in the case of trademarks, including the fair use of a trademark (such as saying "IBM" to refer to IBM, or saying "Microsoft" to refer to Microsoft, or saying "PCI" to refer to PCI), seems to be quite frequent. I guess that's what happens when you're a land shark.

  20. Re:What's the problem? on The End of the Free PCI Device List (Update) · · Score: 1

    Certain uses of other people's trademarks to refer to the trademark owner is common and accepted practice. Having the logo on there probably isn't included, even if linked to the PCI-SIG web site. But using the 3 letters "PCI" in reference to the PCI technology surely would fall into this common practice. The PCI-SIG and/or their land shark went overboard. Had they simply written a proper request the first time around, without the threatening part, and ask for specific changes, and made sure it got delivered, this whole mess would not happen. What they actually did is, IMHO, was essentially a form of disrespect for someone who has majorly contributed to the usefulness and effectiveness of the work of the PCI-SIG. The reaction may have been a bit overboard, but the original action was definitely more so. Maybe someone else will bring a new ball to the game.

  21. All your secrets are belong to us on Decrypting the Secret to Strong Security · · Score: 1

    If your secret (private key) becomes known, sure you now have the cost of creating a new key, revoking your old key, and making sure the trusted depository has both. Also, this does not eliminate some risks in others having trusted documents signed with your old key by your nemesis during the interim (or by those who fail to verify the key has not been revoked). But this cost is nowhere near the cost of designing a replacement algorithm were it the case we were using one which depended on secrecy to avoid being compromized. Not only would there be that cost of redesigning, but also the cost of having no reliable system in the interim. Instead, just one entity (you, if your secret key gets out) incurs the costs. This is also why keys should come with a set expiration date, so that those who trust them won't extend their trust too far.

    It's 2003. Have you changed all your passwords, yet? Have you created new SSH keys and removed all trust of the old ones?

  22. How about 802.11a? 5650-5925 MHz anyone? on High-Speed Multimedia Hamming · · Score: 3, Interesting

    Hams also have 5650-5925 MHz. Of course, RF parts for this portion of the spectrum are more expensive. But antennas are smaller for the same directionality and gain, and the bandwidth is greater. It can open some additional channels, too. Anyone know of any amateur work being done with 802.11a in this area?

  23. We still have 2300-2310 on High-Speed Multimedia Hamming · · Score: 2

    US hams are still authorized for 2300-2310 MHz. See the ARRL band plan for the 13cm band. Actually, we used to have all of 2300-2450 in one big 150 MHz chunk. But 80 MHz of it has been lost, so it's now 2300-2310 MHz (mostly because that's where the DX work was done, although it does include things like repeater inputs input so as to have a wider frequency split) and 2390-2450 MHz. Hams do not have 2450-2483.5 MHz, so any operation there has to be strictly under Part 15 rules, including things like not interconnecting any Part 97 operations.

    US Hams still have all of 5650-5925 MHz in a single 275 MHz chunk in case you might be interested in working some 802.11a.

  24. Re:End users don't need root or TLD servers on More Info on the October 2002 DNS Attacks · · Score: 2

    What egress filtering? The kind that blocks DNS queries sent to the root or TLD servers with a source address of the actual machine doing the querying, while under control of a virus or trojan that has infected a million machines? Sure egress filtering will stop a few bad actors who are forging source addresses, such as bouncing attacks off of broadcast responders. And egress filtering is not easy to do on large high traffic routers where there are a few hundred prefixes involved, belonging to the ISP and multitudes of their customers. You think an access list that big isn't going to bring a router to its knees?

  25. End users don't need root or TLD servers on More Info on the October 2002 DNS Attacks · · Score: 4, Insightful

    End users don't need root or TLD servers; they just need to have DNS queries answered. That's why normally, they are configured to query the ISP or corporate DNS servers, which in turn do the recursive query to root, TLD, and remote DNS servers. Given that, consider the possibility of the ISP or corporate data center intercepting any queries done (as if the end user were running a recursive DNS server instead of a basic resolver) and handle them through a local cache (within the ISP or corporate data center). It won't break normal use. It won't break even if someone is running their own DNS (although they will get a cached response instead of an authoritative one). It will prevent a coordinate attack-load from the network that does this.

    They talk about root and TLD servers located at major points where lots of ISPs meet, which poses a potential risk of a lot of bandwidth that can hit a DNS server. So my first thought was why not have multiple separate servers with the same IP address, each serving part of the bandwidth, much like load balancing. And then, you don't even have to have them at the exchange point, either; they can be in the ISP data center. They could be run as mimic authoritative servers if getting zone data is possible, or just intercepting and caching.