Slashdot Mirror


User: Moosifer

Moosifer's activity in the archive.

Stories
0
Comments
70

Comments · 70

  1. Lie detection as an alternative on Your Thoughts Are Your Password · · Score: 1

    The idea of pass-thoughts is nifty and all, but seems overly complicated and prone to error. This piece did remind me of a previous article in Wired (http://www.wired.com/wired/archive/14.01/lying.html?pg=5) that covers work being done on a portable fMRI using near-infrared light. Put the two together, and rather than a password, the authentication scheme can merely be a truthful response to "Are you really so-and-so?"

  2. Modern "Firewalls" on Network Intrusion Detection and Prevention? · · Score: 4, Informative

    Have you had a look at any commercial firewall products lately (SonicWALL, Juniper/Netscreen, Cisco, Fortinet)? The past year has brought about the evolution of yesterday's packet filtering, stateful packet inspection, and limited application layer gateways into full-blown "deep packet inspection unified threat management" devices (as the industry prefers to call them now). It's not really accurate to refer to them as firewalls anymore.

    These devices can scan most TCP protocols for any kind of malicious content, like snort-style IPS sigs, viruses, phishing sigs, spyware (generally ActiveX), etc. And since they are the gateway, they can also block or sanitize the content. Some of the better implementations (I'll stop short of a specific product endorsement) can even scan all generic TCP streams, and do not impose any size or stream concurrency limitations on the content they can scan.

    The thing to be careful about is throughput - even the higher end models fall short of sustaining gig throughputs, so multiple devices might be required for more demanding networks.

  3. Why not properly use existing solutions? on SiteKey to Prevent Phishing · · Score: 2, Insightful

    Why do we keep trying to invent new (and fairly interruptive) methods of proving the identity of a web-site when we have a perfect, yet sadly under-leveraged, method for this already available: SSL.

    The certificate system underlying SSL is already largely in-place, particularly for trusted/confidential sites, and it provides relatively assured proof of identity. The problem is that there's no way we can expect users to click on the little lock icon, and examine or understand certification paths, issuers, subjectAltNames, etc.

    Why don't browsers simply make this more plain and prominent? Why not just interpret this information and present it clearly to the user? Just an integrated toolbar that says in plain english/french/german/japanese/etc. "You and your browser know and trust the certifying authority of Verisign, and according to Verisign, this site [your bank name here] is who they claim to be. Chances are you're safe."

    And if something is off, instead of a pop-up box with three relatively cryptic security alerts to which everyone has been trained to say "yes" regardless of understanding, try simply "The identity of this site cannot be confirmed. Click for details, proceed with caution." Different discrepancies can provide commensurate levels of warning to try to avoid cry-wolf syndrome.

    This, combined with existing (and also underutilized) techniques to mitigate URL obfuscation won't be perfect, but they will go a long way, and it only requires a little effort from the browser folk.
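What "interpret this information and present it clearly" means in practice is that the browser has to do the certificate checks itself and then reduce them to one sentence and one severity. The block below is an added example, not code from the comment above or from any browser: it implements subjectAltName hostname matching with the usual wildcard rules, checks the issuer against a trust store and the validity period against a clock, and turns the result into the kind of plain-language verdict the comment asks for. The certificate dict, the trust store, the clock values and the 30-day grading of an expired certificate are all constructed assumptions for this example; a real browser would also consult the public suffix list, which is left out here.

```python
from datetime import datetime, timezone

# Added example, not code from the original comment or from any browser.
# Assumed: certificate data arrives already parsed as a dict with the keys
# "san" (list of dNSName entries), "issuer" and "not_after"; the public
# suffix list that real browsers also consult is deliberately left out.

def _labels(name):
    """Split a DNS name into lowercase labels, ignoring any trailing dot."""
    return name.rstrip(".").lower().split(".")

def dns_name_matches(pattern, hostname):
    """Does one dNSName SAN entry cover hostname?

    RFC 6125 style rules: labels must match one for one, or the leftmost
    label is a lone '*' that stands for exactly one label of the host.
    Partial wildcards (w*.example.com), a wildcard that would cover a
    whole top level (*.com) and a wildcard spanning several labels
    (*.example.com against a.b.example.com) are all rejected.
    """
    p, h = _labels(pattern), _labels(hostname)
    if len(p) != len(h) or len(p) < 2:
        return False
    if p[0] == "*":
        return len(p) >= 3 and p[1:] == h[1:]
    if any("*" in label for label in p):
        return False
    return p == h

def hostname_covered(hostname, san_dns_names):
    """True if any SAN entry matches the host the user actually typed."""
    return any(dns_name_matches(pat, hostname) for pat in san_dns_names)

def assess(hostname, cert, trusted_issuers, now):
    """Reduce the certificate checks to (severity, one plain sentence).

    severity 0: everything checks out
    severity 1: a discrepancy worth a caution (here: expired within 30 days)
    severity 2: identity cannot be confirmed
    The grading is an assumption made for this example, not a browser policy.
    """
    issues = []
    if cert["issuer"] not in trusted_issuers:
        issues.append((2, "your browser does not trust the certifying authority %s"
                       % cert["issuer"]))
    if not hostname_covered(hostname, cert["san"]):
        issues.append((2, "the certificate was issued to %s, not to %s"
                       % (", ".join(cert["san"]), hostname)))
    if now > cert["not_after"]:
        days = (now - cert["not_after"]).days
        issues.append((1 if days <= 30 else 2,
                       "the certificate expired %d days ago" % days))
    if not issues:
        return 0, ("You and your browser trust %s, and according to %s this site (%s) "
                   "is who it claims to be." % (cert["issuer"], cert["issuer"], hostname))
    severity = max(level for level, _ in issues)
    return severity, ("The identity of this site cannot be confirmed: "
                      + "; ".join(text for _, text in issues) + ".")

# Constructed sample certificate, trust store and clock values (not real data).
SAMPLE_CERT = {
    "san": ["www.example-bank.test", "example-bank.test"],
    "issuer": "Example Trust CA",
    "not_after": datetime(2026, 1, 1, tzinfo=timezone.utc),
}
TRUSTED_ISSUERS = {"Example Trust CA"}
CLOCK_VALID = datetime(2025, 6, 1, tzinfo=timezone.utc)
CLOCK_EXPIRED_9_DAYS = datetime(2026, 1, 10, tzinfo=timezone.utc)
CLOCK_EXPIRED_59_DAYS = datetime(2026, 3, 1, tzinfo=timezone.utc)

if __name__ == "__main__":
    for host, store, when in [
        ("www.example-bank.test", TRUSTED_ISSUERS, CLOCK_VALID),
        ("www.evil.test", TRUSTED_ISSUERS, CLOCK_VALID),
        ("www.example-bank.test", set(), CLOCK_VALID),
        ("www.example-bank.test", TRUSTED_ISSUERS, CLOCK_EXPIRED_9_DAYS),
    ]:
        print(assess(host, SAMPLE_CERT, store, when))
```

The wildcard rules are where most of the subtlety lives: a certificate for `*.example.com` must not be accepted for `example.com` or for `a.b.example.com`, and a partial wildcard label must be rejected outright, otherwise the "this site is who they claim to be" sentence is wrong exactly when an attacker wants it to be.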

  4. Alternatives on Network Penetration Scans and Executive Reaction? · · Score: 1

    Preparing a report in response seems an immense waste of time, but it could well be the only effective method of response - might even be a business obligation to meet some sort of new pain in the ass legislation.

    Unless some event prompted the commissioning of the third-party evaluation, an alternative response might be:

    With all due respect, Your Executiveness, I don't pretend to understand your business as well as you pretend to, or to criticize your leadership or decisions. Why don't you stick to your area of expertise, and let me stick to mine? I was entrusted with the security of this network, which meant I earned the trust of you or your underlings at one point. Since you and yours are surely only capable of infallibly correct hiring decisions, and since I've done nothing to betray that confidence, don't waste your precious time considering these trivial tactical issues, and go about your lofty strategic visionary business. Let the duly appointed base mortals deal with the annoyingly vulgar manifestations of reality. And with your faultlessly keen judgment you surely know to never trust contractors because they are parasitic false authorities who just want your pot of gold.

    Modify for diplomacy.

  5. Remember: Porn kills love on Utah Considers Forcing ISPs to Filter Content · · Score: 1

    I live in Utah, on occasion. I'm accustomed to noble, selfless efforts to save my immortal soul: http://www.usatoday.com/life/cyber/tech/2001/10/15/porn-czar.htm and http://archives.cnn.com/2002/US/West/12/10/baptizing.the.dead.ap/. But it's all business; we have to expect the ultimate dominance of the dollar over moral fiber: http://www.cnn.com/2003/US/West/01/15/porn.czar.ap/. I think the proxy baptisms have relatively negligible costs, and can be performed en masse, so they aren't so unpalatable, really.

  6. Personal music assistant on AI Bots Pick The Hits of Tomorrow · · Score: 1

    I'm just waiting for some company bent on total worldwide media dominance (Apple, Microsoft, Real, etc.) to develop a personal version of this. Something that can be configured to an individual's tastes, and which can then sample and select new music from the company's music library. Sort of a 'Tivo Suggests' for music. I'd buy that.

  7. Drowning in passwords on Password Security Not Easy · · Score: 1

    I perceive part of the problem to be the fact that everything online today requires a password, trivializing the importance of passwords, and forcing people down a path of selecting weak passwords as a result of over-exposure. I've taken to using two classes of passwords: the important stuff (banking, shopping, network authentication, etc.) where identity counts (because there's something of value at stake) gets a strong, unique, rotating password. Everything else (mailing lists, forums, bogus email accounts, etc.) gets the same shared password - easy to remember, nothing valuable lost if it's compromised. Please don't capitalize on this confession by trying to steal my valueless identity.

  8. Resource for those who prefer self-study on WAN/LAN/VoIP Training Other than Cisco? · · Score: 1

  9. This would make the third remake on Raimi Remaking 'Evil Dead'? · · Score: 2, Informative

    Doesn't anyone remember Within the Woods?

  10. What an inglorious way for Linux to make progress on Computer Viruses Cripple Colorado DMV · · Score: 0, Flamebait

    Getting tired of hearing "have they considered Linux" every time a Windows exploit makes the news. While Linux is (arguably) architecturally more secure than Windows, all this really endorses is a variant of security through obscurity, and I thought "security through obscurity is bad" was mantra #2 around here. The greatest security advantage that Linux offers is that it is a relatively small target. When/If Linux is ever as widely deployed as Windows, it will be just as big a target, and probably just as commonly exploited.

  11. Rebates Next, please? on WA Bans Gift-Card Expirations, Fees · · Score: 1

    They really should have put this energy into legislating against the real scam currently being run by retailers and manufacturers, namely, rebates.

  12. Are we ready for Immortality? on Nano Body Building · · Score: 4, Insightful

    All this no disease and living forever stuff is wonderful. Until you start thinking about other issues like the psychological implications of "immortality" or more importantly, the practical issues of over-population. Maybe it will be metered, being available only to the rich. Or will lobbyists, civil liberties groups and insurance companies make it available to the masses? No amount of water conservation will enable us to sustain global populations of 20 billion people. But even if we figure out how to synthesize resources (shouldn't this come before the immortality quest?) what about space? As it is, I can't afford to buy a house in the Bay Area - what happens when the population quadruples because no one gets sick or dies, and the tech-elite remain vibrant and economically viable until they're 150 or older? This really is all great stuff, but we're not prepared for a total end to our current survival principles. We don't seem to be introducing these advancements in a reasonable order.

  13. WiFi Robot Wars. on Two Wheeled Wi-Fi Sniffing Robot · · Score: 5, Funny

    Now all they need to do is add an axe or a hammer to it so that it can take out rogue access points.

  14. Re:Do younger minds absorb quicker? on Ageism in IT? · · Score: 1

    Another thing to consider when learning anything is the amount of resources (energy, time, attention, etc.) one has to dedicate to the tasks of practice and assimilation. Children and teens generally have fewer consuming responsibilities than working adults who must support themselves and families (and spend time worrying about supporting themselves and their families in the face of such issues as age discrimination). This relative unencumbrance (coupled with aptitude, a lack of a lifetime's worth of crippling preconceptions and biases, and a legitimate interest or passion) can make for some pretty swift learning.

  15. Re:Bandwidth of the Gods! on Classic Console TV Ads · · Score: 2

    So that comment makes you: 1) a homophobe, 2) a Quaker, or 3) an ass.

  16. Bandwidth of the Gods! on Classic Console TV Ads · · Score: 2

    Dear Lord! 20 posts on slashdot and I'm still getting 60K+ downloads from the site.

  17. Re:GollumSoft on Network Associates Buys "Better Carnivore" · · Score: 3, Funny

    That was perhaps the funniest post I've ever seen on slashdot. Thank you!

  18. Re:Okay, this is a no-brainer, but... on Network Associates Buys "Better Carnivore" · · Score: 3, Informative

    Actually, TLS (RFC2246) cannot do what you are describing. You are referring to HTTP over TLS (RFC2818) which can switch between unencrypted and encrypted modes with a directive (like STARTTLS). You're right in that this would be ideal, but it's going to be some time before browsers adopt this, I'm afraid.

  19. Re:question for the jewish folks on Pig-to-Human Transplants On Their Way · · Score: 5, Informative

    Yes - it would be acceptable. There's a law in judaism that translates roughly to "for the sake of the life" that essentially overrides most other restrictive laws, including those of the sabbath and kosher practices. Contrary to what the "fanatical middle-east religion" poster suggested, life is actually considered valuable.

  20. Over my dead body! on Death to the 3.5" Floppy? · · Score: 2

    Sure... get rid of the floppy. Next thing you know they'll want to take away my EMS memory expansion card.

  21. Not only do popups suck, but on Pop-up Ads Coming to A TV Near You · · Score: 2

    this notion of relevancy is nonsense. How is an ad for a razor relevant to *me* just because the on-screen character is shaving? Personal relevancy is already offered (or approximated, at least) by targeting the ads to the demographic: You watch Days of Our Lives, you get Midol and Tampon ads. You watch Jerry Springer, you get ads for Natural Light and Slim Jims. You watch Al Jazeera, you get ads for glycerine, nails, and anti-coagulants. Of course, this is purely speculation.

  22. Imagine a on An Application For 10-Gigabit Networking · · Score: 1, Redundant

    beowulf cluster of these. Dear god - that's almost relevant. Strike that.

  23. Does bill include a way to create MD5 collisions? on Legalizing Attacks on P2P Networks · · Score: 3, Insightful

    Rep. Howard Berman ought to read up on message digests and then try his "file decoy" strategy. Many P2Ps today employ some kind of hashing which isn't too easily fooled by file naming dissemblance.
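To make the comment's point concrete, here is an added example (not the commenter's code, and not the hashing of any particular P2P network) of why a decoy that shares the real file's name gets nowhere: searches and downloads key on a hash of the content, and per-chunk hashes let the downloader spot and re-request the pieces a decoy peer served. It uses a simplified two-level SHA-256 hash list where real clients of the era used schemes such as a Tiger tree hash; the chunk size, file bytes and file names are constructed for the example.

```python
import hashlib

# Added example; a simplified content-hash scheme, not the hashing of any
# particular P2P network (Gnutella-style clients used a Tiger tree hash; a
# two-level SHA-256 hash list stands in here).  CHUNK is tiny so the sample
# files are readable; real clients use chunks of hundreds of KiB (assumption).
CHUNK = 4

def chunk_hashes(data, chunk=CHUNK):
    """Hash of each fixed-size piece; peers exchange this list so every
    piece can be checked the moment it arrives."""
    return [hashlib.sha256(data[i:i + chunk]).hexdigest()
            for i in range(0, len(data), chunk)]

def content_id(data, chunk=CHUNK):
    """The identifier searches and downloads key on: a hash over the chunk
    hashes.  The file name is not an input, so renaming a decoy cannot make
    it match the real file."""
    root = hashlib.sha256()
    for h in chunk_hashes(data, chunk):
        root.update(bytes.fromhex(h))
    return root.hexdigest()

def announce(index, filename, data):
    """A node advertising a file: indexed by content id, with the name kept
    as metadata only."""
    index.setdefault(content_id(data), set()).add(filename)
    return index

def verify_download(received, expected_chunk_hashes, chunk=CHUNK):
    """Indices of chunks that must be re-fetched from other peers:
    mismatching hashes, plus any missing or extra chunks if the lengths
    disagree."""
    got = chunk_hashes(received, chunk)
    bad = [i for i, (g, e) in enumerate(zip(got, expected_chunk_hashes)) if g != e]
    bad += list(range(min(len(got), len(expected_chunk_hashes)),
                      max(len(got), len(expected_chunk_hashes))))
    return bad

# Constructed sample content: a "real" file and a same-length, same-named decoy.
REAL_FILE = b"the real song bytes 0123"
DECOY_FILE = b"noise noise noise noise!"

def demo():
    """Publish the real file, a decoy under the same name, and a renamed copy
    of the real file; then download the real file but receive one chunk from
    the decoy peer."""
    index = {}
    announce(index, "hit_single.mp3", REAL_FILE)
    announce(index, "hit_single.mp3", DECOY_FILE)      # decoy, same name
    announce(index, "renamed_copy.mp3", REAL_FILE)     # same content, new name
    expected = chunk_hashes(REAL_FILE)
    received = REAL_FILE[:8] + DECOY_FILE[8:12] + REAL_FILE[12:]
    return {
        "distinct_ids": len(index),                           # 2: decoy is a separate id
        "names_for_real": sorted(index[content_id(REAL_FILE)]),  # both names, one id
        "bad_chunks": verify_download(received, expected),    # [2]: only that chunk is re-fetched
    }

if __name__ == "__main__":
    print(demo())
```

The decoy ends up under its own content id with the name as mere metadata, and a peer that serves a corrupted piece mid-download only costs the client one re-fetched chunk rather than the whole file.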

  24. Re:Synopsis of "interview' on Explaining Disappointing XScale Performance In Pocket PCs · · Score: 3, Funny

    I'm the VP of Marketing for a large Internet company whose name I cannot disclose in a public forum. I'd like to offer you a director's position in our marketing department. Name your price. Can you start on Monday?

  25. just curious.... on Gentoo Linux 1.2 · · Score: 3, Funny

    Doesn't naming a Linux distro after a religion violate some sort of public license?

    (it could be that I really am that stupid)