Looking at human behavior, one must draw the conclusion that people will always take a homogenous group and turn it into a heterogeneous group. It doesn't seem to matter what the subject is, this seems to be the pattern. People almost never unify things. Given that, one would expect there to be many projects with the same focus.
It looks like duplication of effort is a part of human nature. Of course, in any case, my effort is worth more than your effort. Or, wanting another saying, "if you want something done right, you have to do it yourself." Sad, but true via empirical evidence.
I've been following this technology with great interest. There seems to be a fundamental problem: it is point to point. Its applications will be fairly limited.
It seems to me, at least in terms of networks, that this would really be used to secure lines between networks, clusters, or individual computers. But on today's public Internet, this isn't really an issue. Of course, I would rather use this technology than to not have lines protected with quantum indeterminism.
Most security people are more concerned about platform security than link security. If this technology can be used to reinforce something used for platform security, then boo yeah! Otherwise, this is cool, but I'm not going to get a heart condition over it.
The only platform benefit I see is reducing the need to perform expensive computations to encrypt and decrypt data. Let the link take care of that and thus increase performance. Of course, how many nodes on the Internet only want to talk to their nearest neighbor? And how many routers and such are between them and their nearest neighbor? It might not even be possible to secure the link between a node and its nearest neighbor in most cases.
I doubt this technology will impact current Internet infrastructure all that much. We'll see.
Re:are artillery shells that delicate?
on
Battlefield Lasers
·
· Score: 3, Interesting
For artillery shells without an explosive payload, I would imagine if you could melt the tip, it would throw off the aerodynamics to throw the shell off course. That is assuming, of course, that you didn't vaporize it.
And for ones with an explosive payload, the obvious would happen in flight.:)
Since a lot of you are having DNS problems, it might be a good time to switch to OpenNIC DNS servers. I did a week ago and it is very cool. You'll be able to resolve legacy DNS zones, such as.com,.net, and.org, but you'll get the cool, open zones as well.
Then, if you get into it, get a.geek domain! Don't worry if you can't go to the.geek NIC yet, you'll have to set up the open DNS servers for your machine or network.
Since a lot of you are having DNS problems, it might be a good time to switch to OpenNIC DNS servers. I did a week ago and it is very cool. You'll be able to resolve legacy DNS zones, such as.com,.net, and.org, but you'll get the cool, open zones as well.
Then, if you get into it, get a.geek domain! Don't worry if you can't go to the.geek NIC yet, you'll have to set up the open DNS servers for your machine or network.
You're missing the underlying point. If I share my cable internet connection with my neighbors, they may be getting service for free, but at the cost of my bandwidth. Every time they view a page, or play a game, I suffer and lose some of my bandwidth. Therefore, I'm paying for them to use my connection. It's not stealing from the cable company, even if you share with your neighbor. I'm paying for bandwidth and I can do whatever I want with it.
That's what lept to my mind. Unlike cable TV, where service is, for all purposes, unlimited for sharing, internet service is very limited. In other words, if I buy a certain amount of bandwidth and choose to share it with my neighbors, I am depriving myself of that bandwidth.
I am not "stealing" anything from the ISP by sharing bandwidth. I am taking no more than my allotted amount of bandwidth when sharing with my neighbors.
What they are doing here is changing the rules. They are no longer providing 2.5 Mb/s down and 128 Kb/s up, they are providing connections to individuals. They are doing this for the sole purposes of increasing their profits. Now this might be acceptable, if they rewrote their contract, but right now, at least for my ISP, they are selling bandwidth.
And as long as they are selling bandwidth, and I abide by the AUP, I can do whatever I flipping well please with my bandwidth, including sharing it with my neighbors.
Your counter argument to my point is well taken, but there is one fatal assumption that hasn't been addressed: that the keycard number is supposed to be able to address millions of doors. In the face of pure fantasy, where we just accept that there are doors such as those to alternate dimentions, we purport to completely understand what those keycard numbers represent and how they are properly used. In this case, suspension of disbelief also applies to the keycard numbers, as well as the doors themselves. Questioning the use of six digits for what is assumed to be an address space of greater than one million doors is just as silly as questioning how the magical doors work. Since they never really showed any more than them using the keycard to call up a numbered door, it is still in the fantasy domain.
For those still craving to satisfy logical continuity, did it occur to anyone that the keycard number might not be a simple sequential index, but might be a hash of some other reference value? Sort of like a PGP fingerprint?
I agree, instituting a mandatory identification system is just the beginning. How it is used or abused comes later.
We already have identifcation systems, they are inherent to sophisticated organisms. The problem is that as our society becomes more detached and automated, artifical identification systems have to be put into place. The reason? Good question. We tend to construct systems that prerequesite inescapable identification.
Social security accounts are trying to fill that role, however depressingly inadequate they are. Of course, more often than not, social security accounts serve merely to keep records straight rather than identify someone. However, I have always treated incidents involving social security accounts as a glimpse into the future.
One root of abuses is the requirement that the binding between entities and certificates are inescapable and unforgable when they're not. This leads to two problems, which you already pointed out: identity theft, and the mistaken assumption that the lack of a certificate proves the negation of what the certificate is supposed to show. And I also agree with you that former is much less dangerous than the latter.
Also, the certificate is just a small portion of the system. So, the question becomes how to construct the system such that those two problems are minimized.
The problem here is that these problems exist in the current system. So anything that adds convienence to the current system is going to simple exacerbate the current problem.
I think it might be necessary to institute a new system, and make the existing system interface with it, as opposed to extending what we have now. Then, at some later point, we can retire the old system. That way, we don't have to carry along flawed assumptions and ideas that don't scale or lend themselves to automation.
Wait, wait, wait. So, let me get this straight... You're criticizing the key-card scheme, but ignoring magic doors where you can step through alternate dimensions simply by having a wooden door?
Of course, the movie doesn't explain how they got the doors in the first place, or whether there are doors that go to other parts of the monster world. Please, it's just a movie, and a movie for kids at that.
That wasn't a national ID card, it was an access card for the child's door. How else would you solve that particular problem? Imagine trying to explain to a child how monsters can access their door. There's nothing sinister here.
My last job, I ended up bringing in my own computer. It was nicer to work off my own laptop instead of the provided development box, and I had total control over what I could or could not do on it. I used it for all my development and it worked out just fine.
If presented with a locked-down environment, I would simply use my own equipment.
I'll be very upset if it was known by various intelligence gathering agencies that something was going to take place today and we did nothing about it.
WEP, from current analysis, is a reasonable protection from causal and low-resource snooping. If someone with a laptop happens by your house and tries to get onto your network, then you're probably okay with WEP. However, if they have one of the tools being published to compromise your WEP keys and decides to park themselves within radio range and gather enough data to do this, then WEP would not be sufficient.
Your physical mailbox and receipts thrown away in the garbage at stores expose your financial resources to a greater degree than copying Quicken files over your 802.11b network using WEP. Given that the scope of exposure is limited to local physicality, and thus not exposed to the script kiddies of the world, the chances of having a skilled and resourced attack against your network is much smaller than someone trying to carry out credit transactions from a receipt recovered from the trash of a store.
In short, change your WEP keys every week or two and use a higher level cryptographic protocol when possible. I am not familiar with AppleTalk's cryptographic capabilities. If it provides some mechanisms for authentication and confidentiality, then I would feel okay with that setup.
Also, monitor your network. Try to configure any resources accessible on your network to generate logs and review them periodically. Most of the time, attackers will spend quite a bit of time casing and probing your network before breaching integrity of your resources and data. Unfortunately, with WEP, a passive attack is usually sufficient. However, it does take time, so if you change your keys frequently enough, you're frustrating them to the point where all but the most persistent attackers will go away.
Remember the cardinal rule of crime: attack the easy targets. As long as there are lots of 802.11b networks wide open, then your WEP enabled network is, in all likelyhood, going to be skipped over.
It takes less than 1000 packets to crack the cryptographic protocols in 802.11b WEP, regardless of key strength. Even those 802.11b networks with so-called security probably aren't very secure against someone casing the network. Use a higher-level protocol such as Kerberos or IPSec on top of the WEP.
This is what happens when anyone envisions a society. They find that their design must be enforced, or the vision will fracture, evolve, and maybe die. This is a consequence of a society, and of organic systems in general. Of course, the society is more powerful than the creator, and the society will eventually win. No amount of force can constrain the society to the model indefinitely.
The vision Stallman has will not be reality, no matter how much Stallman kicks and screams. He created something wonderful, but now that other people are involved, it is something else than what he originally envisioned and he is fighting that. He can't fight it forever. It is not his anymore.
I believe in full disclosure, but I don't believe
full disclosure should always happen immediately.
The overall point is to increase security, not decrease security. And sometimes full disclosure at a certain point in time will decrease security.
I mean, for god's sake, tell the distribution maintainers before you tell the script kiddies. What's so hard to understand about that?
I agree that software defects shouldn't always
be flung out to the wind as soon as they are
discovered. I believe they should be released,
after the community that it impacts is able to remedy the problem, or at least some
time has passed to give the community a chance
to remedy the problem.
It's not a philosophical question, but merely
a pragmatic, logistical reality. Unfortunately,
companies love to try to keep a problem quiet
rather than fix it, gambling that it won't get
out of hand. Of course, this is bad for security,
so in some cases, immediate disclosure is the
only way to get companies to do something.
With Code Red X, in the immediate sense, it's not Microsoft's fault that it spread so far, they did their part this time. You can always blame the architecture, but it's not just Microsoft's problem. It's a systemic problem that faces all software distributions. The patch was
out for at least a month before Code Red showed up. People simply didn't apply the patch. A lot
of people didn't even know they were running a
web server, or even what that means.
Of course, I don't want to be forced to apply
patches, nor am I very comfortable with my machine
visiting microsoft.com autonomously. But there
has to be a channel through which information about patches can be pushed or polled.
Microsoft has done a lot of good with http://windowsupdate.microsoft.com and I hope the trend continues. I would like to see every new Microsoft distribution go out and check
for updates at regular intervals, but have the
ability to turn that off if I dun like it.
Slashdot Mirror
That was for the Pro II pack, which includes five keyloggers. That makes each Keylogger Pro $200.
Looking at human behavior, one must draw the conclusion that people will always take a homogenous group and turn it into a heterogeneous group. It doesn't seem to matter what the subject is, this seems to be the pattern. People almost never unify things. Given that, one would expect there to be many projects with the same focus.
It looks like duplication of effort is a part of human nature. Of course, in any case, my effort is worth more than your effort. Or, wanting another saying, "if you want something done right, you have to do it yourself." Sad, but true via empirical evidence.
I've been following this technology with great interest. There seems to be a fundamental problem: it is point to point. Its applications will be fairly limited.
It seems to me, at least in terms of networks, that this would really be used to secure lines between networks, clusters, or individual computers. But on today's public Internet, this isn't really an issue. Of course, I would rather use this technology than to not have lines protected with quantum indeterminism.
Most security people are more concerned about platform security than link security. If this technology can be used to reinforce something used for platform security, then boo yeah! Otherwise, this is cool, but I'm not going to get a heart condition over it.
The only platform benefit I see is reducing the need to perform expensive computations to encrypt and decrypt data. Let the link take care of that and thus increase performance. Of course, how many nodes on the Internet only want to talk to their nearest neighbor? And how many routers and such are between them and their nearest neighbor? It might not even be possible to secure the link between a node and its nearest neighbor in most cases.
I doubt this technology will impact current Internet infrastructure all that much. We'll see.
For artillery shells without an explosive payload, I would imagine if you could melt the tip, it would throw off the aerodynamics to throw the shell off course. That is assuming, of course, that you didn't vaporize it.
:)
And for ones with an explosive payload, the obvious would happen in flight.
Since a lot of you are having DNS problems, it might be a good time to switch to OpenNIC DNS servers. I did a week ago and it is very cool. You'll be able to resolve legacy DNS zones, such as .com, .net, and .org, but you'll get the cool, open zones as well.
.geek domain! Don't worry if you can't go to the .geek NIC yet, you'll have to set up the open DNS servers for your machine or network.
There is a list of public servers, but please use the tier 2 DNS servers. Find the lowest latency servers and follow the directions if you don't know how to set up DNS.
Then, if you get into it, get a
P.S.
My AT&T@Home came back up two days ago (Seattle).
Since a lot of you are having DNS problems, it might be a good time to switch to OpenNIC DNS servers. I did a week ago and it is very cool. You'll be able to resolve legacy DNS zones, such as .com, .net, and .org, but you'll get the cool, open zones as well.
.geek domain! Don't worry if you can't go to the .geek NIC yet, you'll have to set up the open DNS servers for your machine or network.
There is a list of public servers, but please use the tier 2 DNS servers. Find the lowest latency servers and follow the directions if you don't know how to set up DNS.
Then, if you get into it, get a
You're missing the underlying point. If I share my cable internet connection with my neighbors, they may be getting service for free, but at the cost of my bandwidth. Every time they view a page, or play a game, I suffer and lose some of my bandwidth. Therefore, I'm paying for them to use my connection. It's not stealing from the cable company, even if you share with your neighbor. I'm paying for bandwidth and I can do whatever I want with it.
That's what lept to my mind. Unlike cable TV, where service is, for all purposes, unlimited for sharing, internet service is very limited. In other words, if I buy a certain amount of bandwidth and choose to share it with my neighbors, I am depriving myself of that bandwidth.
I am not "stealing" anything from the ISP by sharing bandwidth. I am taking no more than my allotted amount of bandwidth when sharing with my neighbors.
What they are doing here is changing the rules. They are no longer providing 2.5 Mb/s down and 128 Kb/s up, they are providing connections to individuals. They are doing this for the sole purposes of increasing their profits. Now this might be acceptable, if they rewrote their contract, but right now, at least for my ISP, they are selling bandwidth.
And as long as they are selling bandwidth, and I abide by the AUP, I can do whatever I flipping well please with my bandwidth, including sharing it with my neighbors.
Your counter argument to my point is well taken, but there is one fatal assumption that hasn't been addressed: that the keycard number is supposed to be able to address millions of doors. In the face of pure fantasy, where we just accept that there are doors such as those to alternate dimentions, we purport to completely understand what those keycard numbers represent and how they are properly used. In this case, suspension of disbelief also applies to the keycard numbers, as well as the doors themselves. Questioning the use of six digits for what is assumed to be an address space of greater than one million doors is just as silly as questioning how the magical doors work. Since they never really showed any more than them using the keycard to call up a numbered door, it is still in the fantasy domain.
For those still craving to satisfy logical continuity, did it occur to anyone that the keycard number might not be a simple sequential index, but might be a hash of some other reference value? Sort of like a PGP fingerprint?
I agree, instituting a mandatory identification system is just the beginning. How it is used or abused comes later.
We already have identifcation systems, they are inherent to sophisticated organisms. The problem is that as our society becomes more detached and automated, artifical identification systems have to be put into place. The reason? Good question. We tend to construct systems that prerequesite inescapable identification.
Social security accounts are trying to fill that role, however depressingly inadequate they are. Of course, more often than not, social security accounts serve merely to keep records straight rather than identify someone. However, I have always treated incidents involving social security accounts as a glimpse into the future.
One root of abuses is the requirement that the binding between entities and certificates are inescapable and unforgable when they're not. This leads to two problems, which you already pointed out: identity theft, and the mistaken assumption that the lack of a certificate proves the negation of what the certificate is supposed to show. And I also agree with you that former is much less dangerous than the latter.
Also, the certificate is just a small portion of the system. So, the question becomes how to construct the system such that those two problems are minimized.
The problem here is that these problems exist in the current system. So anything that adds convienence to the current system is going to simple exacerbate the current problem.
I think it might be necessary to institute a new system, and make the existing system interface with it, as opposed to extending what we have now. Then, at some later point, we can retire the old system. That way, we don't have to carry along flawed assumptions and ideas that don't scale or lend themselves to automation.
Wait, wait, wait. So, let me get this straight... You're criticizing the key-card scheme, but ignoring magic doors where you can step through alternate dimensions simply by having a wooden door?
Of course, the movie doesn't explain how they got the doors in the first place, or whether there are doors that go to other parts of the monster world. Please, it's just a movie, and a movie for kids at that.
That wasn't a national ID card, it was an access card for the child's door. How else would you solve that particular problem? Imagine trying to explain to a child how monsters can access their door. There's nothing sinister here.
My last job, I ended up bringing in my own computer. It was nicer to work off my own laptop instead of the provided development box, and I had total control over what I could or could not do on it. I used it for all my development and it worked out just fine.
If presented with a locked-down environment, I would simply use my own equipment.
Does the date and approximate time bother anyone?
I'll be very upset if it was known by various intelligence gathering agencies that something was going to take place today and we did nothing about it.
Just like Pearl Harbor.
And so the NSA's trick is to convince the world that it is running a cluster of 8088s. :)
The devil is a rejected Quake 3 monster.
Not to say that they're the devil, but remember the devil's greatest trick?
WEP, from current analysis, is a reasonable protection from causal and low-resource snooping. If someone with a laptop happens by your house and tries to get onto your network, then you're probably okay with WEP. However, if they have one of the tools being published to compromise your WEP keys and decides to park themselves within radio range and gather enough data to do this, then WEP would not be sufficient.
Your physical mailbox and receipts thrown away in the garbage at stores expose your financial resources to a greater degree than copying Quicken files over your 802.11b network using WEP. Given that the scope of exposure is limited to local physicality, and thus not exposed to the script kiddies of the world, the chances of having a skilled and resourced attack against your network is much smaller than someone trying to carry out credit transactions from a receipt recovered from the trash of a store.
In short, change your WEP keys every week or two and use a higher level cryptographic protocol when possible. I am not familiar with AppleTalk's cryptographic capabilities. If it provides some mechanisms for authentication and confidentiality, then I would feel okay with that setup.
Also, monitor your network. Try to configure any resources accessible on your network to generate logs and review them periodically. Most of the time, attackers will spend quite a bit of time casing and probing your network before breaching integrity of your resources and data. Unfortunately, with WEP, a passive attack is usually sufficient. However, it does take time, so if you change your keys frequently enough, you're frustrating them to the point where all but the most persistent attackers will go away.
Remember the cardinal rule of crime: attack the easy targets. As long as there are lots of 802.11b networks wide open, then your WEP enabled network is, in all likelyhood, going to be skipped over.
It takes less than 1000 packets to crack the cryptographic protocols in 802.11b WEP, regardless of key strength. Even those 802.11b networks with so-called security probably aren't very secure against someone casing the network. Use a higher-level protocol such as Kerberos or IPSec on top of the WEP.
How do you get into the cube?
This is what happens when anyone envisions a society. They find that their design must be enforced, or the vision will fracture, evolve, and maybe die. This is a consequence of a society, and of organic systems in general. Of course, the society is more powerful than the creator, and the society will eventually win. No amount of force can constrain the society to the model indefinitely.
The vision Stallman has will not be reality, no matter how much Stallman kicks and screams. He created something wonderful, but now that other people are involved, it is something else than what he originally envisioned and he is fighting that. He can't fight it forever. It is not his anymore.
Show yourself coward! What kind of loser reads articles at a threshold that includes 0?
Maybe I'll change the displayed version of 2.4.9 back to 2.4.8 just for my gratification.
I agree that software defects shouldn't always be flung out to the wind as soon as they are discovered. I believe they should be released, after the community that it impacts is able to remedy the problem, or at least some time has passed to give the community a chance to remedy the problem.
It's not a philosophical question, but merely a pragmatic, logistical reality. Unfortunately, companies love to try to keep a problem quiet rather than fix it, gambling that it won't get out of hand. Of course, this is bad for security, so in some cases, immediate disclosure is the only way to get companies to do something.
With Code Red X, in the immediate sense, it's not Microsoft's fault that it spread so far, they did their part this time. You can always blame the architecture, but it's not just Microsoft's problem. It's a systemic problem that faces all software distributions. The patch was out for at least a month before Code Red showed up. People simply didn't apply the patch. A lot of people didn't even know they were running a web server, or even what that means.
Of course, I don't want to be forced to apply patches, nor am I very comfortable with my machine visiting microsoft.com autonomously. But there has to be a channel through which information about patches can be pushed or polled.
Microsoft has done a lot of good with http://windowsupdate.microsoft.com and I hope the trend continues. I would like to see every new Microsoft distribution go out and check for updates at regular intervals, but have the ability to turn that off if I dun like it.
*cough*IIS*cough*Exchange*cough*BSOD*cough*Registr yCorruption*cough*DailyReboots*cough*IPStackHolesL ikeNuke*cough*