It doesn't completely exclude a man in the middle attack. Here's an example: seerver.com (notice the second e) gets a Verisign cert. You mistakenly connect to it. Your client happily says "Trusted cert found, okay?". If you don't look very well and say "okay", then seerver.com can start a connection to server.com, and read all the data in between. This isn't hard to do, after all, what's the server? jabberserver.com? maybe.net or.org? It's quite possible to catch at least a few people this way. For an example of this, see whitehouse.org. Verisign would sign their cert just fine.
While this is all true, it doesn't for a moment have anything to do with the issue at hand, whether or not the CA signing a cert must be trusted. I never asserted that the signing CA was the *only* thing that must be trusted. It is, however, part of the chain.
In your example, the user must also be trusted to connect to who they want to. seerver.com was correctly identified and the user errored in his typing. The user can still trust that seerver.com is who Verisign says it is.
A second option is that you break into my jabber server, take the cert, and use that for your attack.
Yes, this is a point where PKI is weaker than some other approaches. It too, however, is orthogonal to whether or not the CA must be trusted.
A self-signed cert isn't completely vulnerable to man in the middle either. There's nothing that stops me from remembering what cert was used by the server.
Strictly speaking I claim that the CA must be trusted. I've also argued that there should be a system by which people can more easily gauge whether or not to trust a CA. I've not said that a signed cert was, a priori, untrustable. In fact, as in one of your examples I think, a self-signed cert *can* be better because you know that no one spoofed Verisign. If they spoof you, however, then the issue remains the same. The CA must be trusted.
While I finally understood what you were saying, I still think that a signed cert doesn't offer an absolute guarantee everything is fine
Agreed. It is, as I say above, an essential building block. Without faith in the CA the entire foundation crumbles.
For people to be able to read your IM stream, one of these things should happen: The encryption is broken, the encryption is brute forced, the server's private key is compromised. That last option is the most likely, and is achieved by breaking into the server, or the owner giving his private key to somebody else. Verisign's signature doesn't matter at all for this.
This isn't true. There is a third option, I've mentioned it a few times. A man in the middle attack. This is why the trustworthiness of the CA is important.
If you can't trust the CA then I can get a cert signed (or sign one myself with my CA) and position myself between you and your jabber server. When you try to connect to the jabber server you instead connect to me, I see the text in plaintext because the channel was encrypted using the cert that I provided you. I then turn around and contact the real jabber server and forward the traffic. Thus, to you it looks like you've connected directly, but I've managed to read the entire stream. This occurred because the CA wasn't trustworthy and you trusted it anyway.
You keep focusing on the stream after it's been established. I agree, any cert, signed or not by any CA is sufficient to encrypt a channel. It is not, however, enough to *secure* a channel. For that you need to better identify the holder, which is where trusting the CA comes in.
Ok, I see what you're saying. But you're talking about something different.
Trusting the cert does matter. Because it is an identification of a policy. You acknowledge as much when you say that Verisign was presented with "documentation that identified him as John Doe".
I agree that this matters for commerce. But I disagree with your comment that it doesn't matter for much else.
You, for example, use a self-signed cert to talk with your SSL based Jabber server. Why do you do this? Because you trust the cert. You trust that it was signed by someone that won't let your Jabber server be spoofed by a man in the middle. In this case, that person is you.
But do you think that anyone should trust that unknown CA? Should I, when presented with a CA that I don't know the policy of, simply accept the cert? No, of course not, to do so would allow people to read my IM stream. Do I care about this less than my bank account, sure, but not a ton less. My credit cards are insured against fraud, so what do I care if someone steals them. Heck, that happened to me just last year.
I agree that your self-signed cert protects you against people snooping your connection. I just don't agree that trust isn't an issue. It is an issue, and you've chosen to trust yourself as a CA.
For other things, like a mail server, this makes little sense. If you log into your SSL IMAP server, it accepts your password, and that's actually not your server and somebody managed to set up an alternate server with a copy of all your mail in it, then trust isn't going to help.
Huh? I don't follow this. Are you saying that because they copied your mail the security doesn't matter? What of a man in the middle attack?
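As an added illustration of the two client-side checks argued over in this thread (validation against a trusted CA plus hostname matching, versus remembering which cert the server used last time), written for this page and not taken from any poster: Python on the standard library's ssl module with a trust-on-first-use fingerprint store. PinStore, PinMismatch and connect_pinned are names chosen here, and the byte strings in demo() are constructed stand-ins for real DER certificates.

```python
import hashlib
import json
import socket
import ssl
from pathlib import Path


class PinMismatch(Exception):
    """The server presented a certificate different from the remembered one."""


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 over the DER-encoded certificate, as a lowercase hex string."""
    return hashlib.sha256(der_cert).hexdigest()


class PinStore:
    """Trust-on-first-use store: host -> fingerprint of the cert seen first.

    With path=None the store lives only in memory (as in the demo below);
    with a path it persists as JSON so later sessions can compare against it.
    """

    def __init__(self, path=None):
        self.path = Path(path) if path else None
        self.pins = {}
        if self.path is not None and self.path.exists():
            self.pins = json.loads(self.path.read_text())

    def save(self):
        if self.path is not None:
            self.path.write_text(json.dumps(self.pins, indent=2, sort_keys=True))

    def check(self, host, der_cert):
        """Return "new" on first contact (and remember the cert), "match" when
        the presented cert equals the remembered one; raise PinMismatch otherwise.
        """
        fp = fingerprint(der_cert)
        known = self.pins.get(host)
        if known is None:
            self.pins[host] = fp
            self.save()
            return "new"
        if known == fp:
            return "match"
        raise PinMismatch(f"{host}: remembered {known[:16]}..., got {fp[:16]}...")


def connect_pinned(host, port, store, cafile=None, timeout=10):
    """Open a TLS connection that must pass both checks; return (status, fp).

    create_default_context() sets CERT_REQUIRED and check_hostname, so the
    chain must end at a CA this client trusts: the system store by default,
    or, for the self-signed Jabber server case, the server's own certificate
    passed as cafile (the operator is then the CA being trusted). The hostname
    check only confirms the cert matches the name that was typed; it cannot
    know you meant server.com when you typed seerver.com. The pin check then
    refuses a cert that differs from the one seen on an earlier visit, even if
    a trusted CA signed it.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
            return store.check(host, der), fingerprint(der)


def demo():
    """Exercise the pin logic offline with constructed stand-ins for DER certs."""
    store = PinStore()
    first = store.check("jabber.example", b"constructed-cert-A")
    again = store.check("jabber.example", b"constructed-cert-A")
    try:
        store.check("jabber.example", b"constructed-cert-B")
        swapped = "accepted"
    except PinMismatch:
        swapped = "rejected"
    return first, again, swapped


if __name__ == "__main__":
    print(demo())  # ('new', 'match', 'rejected')
```

connect_pinned needs a reachable TLS server and is not exercised by demo(); a PinMismatch on a host you have visited before is the signal to stop and investigate rather than click through.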
A promising young NASA aerospace engineer was killed in a horrific car accident and arrived in Heaven, protesting to St. Peter at the pearly gates. "St. Peter, I'm only 35. I'm much too young to die. I have a wonderful wife and family, so much to live for. Why in the world am I here?"
FWIW this started out, and is much funnier, with a lawyer not a NASA engineer. Heck, I wasn't even aware that NASA engineers were famous for timesheet inflation, the critical element of this joke.
People will complain about this measurement being subjective, but it isn't nearly as much as you might think. There are common features that statistically significant numbers of men are attracted to. I hate Julia Roberts, for example, but I'm willing to admit that most men find her hot. I love Salma Hayek, but realize that there are a handful of insane males that don't.
So, folks, don't whine about the options here, Mr. Roboto will serve you well when you send him bar hopping to scout out the one with the hottest chicks.
It is not trust that they have. It is the fact that they are installed in browsers out of the box.
They have the trust of the browser vendors. You say this yourself. This is no small bit of trust.
What the hell? Verisign is a company. That is, Verisign is a bunch of people, operating in the form of a bureaucracy.
That's right. And, regardless of whether you accept a Randian world view or not, each of those people are looking out for their own best interest. That means that security on the systems is likely to have been designed well, the audits to find holes are likely to have been done properly, the customer service has provided feedback to make it more likely that their product is used properly. On and on and on.
Verisign has done a mostly excellent job of providing a robust service.
Point A: people tend to get stupider in large numbers.
This is simply false. People without common goals tend to do stupid things while sniping at each other. But to say that, for example, GE is doomed because people get stupider in large numbers is, well, stupid. It's not even a recent phenomenon for heaven's sake, the Great Wall of China was built by a large number of people, so were the pyramids. Those two are examples of engineering that is far from stupid.
Point B: Verisign has demonstrated on more than one occasion, and in more than one manner that they are careless and/or generally untrustworthy
I disagree with this. Showing me one example (the Microsoft one) doesn't show that they are 'generally' untrustworthy. And more to the point, it certainly doesn't come close to the level of proof needed to show me that they are less trustworthy than having 100 million net users manage their own private keys.
Besides; we are not talking about "people" in general here... I gave myself as a specific example; you know nothing of my security practices, how can you even begin to back up a statement that general?
I didn't say *you* couldn't, though I doubt you can unless you work in security. I work on the fringes of security every day and am glad that Kerberos, and the professional security types at my lab, are managing my keys instead of me.
My only disadvantage is that my visitors have to trust that I am me
Kind of a big disadvantage one might think...
Calling it extortion is inaccurate, they have trust and that's a big thing. If it were easy to duplicate someone would have done so and competition would drive prices down.
Arguably, since my CA private cert is in a safe, I am *more* secure
You can argue that, but it's a loser. People are far, far more lax about security than verisign is.
Look, you can see by my sig that I'm as into a good political mud slinging contest as anyone, but let's face the facts here. This is not a big deal. Things could be better, but it would be a .1% improvement, not a huge earth-shaking event.
Let's concentrate on the things that really matter folks.
It's important that people understand how to do this, but what is missing is some way to understand whether or not to trust a CA. Until your grandma can trivially decide to trust rw2's CAnonical Enterprises, Inc., signing by anyone but the handful of big boys is the most reasonable thing to do.
I suggest that we wait a few days. I'm sure Craig and Justin will let us know how they stand.
This is indeed the salient advice. I've not once, but twice in the last week been overcome by fear and paranoia when sitting back and being calm appears to be the correct behavior. What Craig and Justin have said publicly at this point is that they both anticipate continuing their active involvement in the OS project.
Sorry Susano, but I shouldn't have to "slashdot them with complaints" to get good service.
I should be able to shut off the ads in QuickBooks. I shouldn't have to pay $75 for technical service that I never received. I shouldn't have to pay $149 a year for tax tables when the gross margin must be 98%. I shouldn't have to call and explain to them who I am to reinstall my 1999 tax software. If I have to call them, they should be open 24/7, not just when it's convenient for them.
Just the ads in QuickBooks alone are reeediculous. I generate an invoice, Intuit wants to sell me a service to check if the customer will pay. I write a check, they want to sell me checks. I quit QuickBooks, they want to sell me back-up services.
I shouldn't have to get 200K of my closest /. friends to harass them to get this stuff fixed...
They aren't devoted to customer satisfaction, they are devoted to squeezing the absolute most they can out of their customers. I think just a few Google searches will be enough to demonstrate that they have squeezed too hard and will therefore, like they have with me and many others in on this article, lose business due to an almost complete disinterest in customer satisfaction.
Oh, and I've written them about all of these issues. Not even the courtesy of a reply. They couldn't be bothered to lift a pen, much less fix the issue. Customer service indeed.
Mod the parent down, he highlighted the wrong portion.
The highlighted portion should have been:
The SpamAssassin open source project will continue and will be maintained by its current authors including Justin Mason and Craig Hughes. Mason and Hughes will be employees of Network Associates and will devote their energies to the development of the proprietary McAfee product.
Now having said that, Justin has posted saying that even for the last four months he's been working for Deersoft and still working on OS so there is some reason to hope. Craig's been pretty busy though and difficult to contact, so I wouldn't bet on him being able to spend much time on the OS portion going forward and Matt has officially dropped out.
With apologies to the many who have contributed to SA in the past, Spamassassin was basically the work of three people. Craig, Justin and Matt. Between the three of them that's the *vast* majority of the work that was done on that project.
Here's the troubling part.
Craig and Justin owned the trademark and now work for NAI on the proprietary version (to be named "SpamKiller" apparently) and Matt's company has pulled him off because there is a conflict of interest in having him work on open source being fed back into NAI.
So the three captains of this project are now gone. This doesn't bode well for the future of SA.
His point was that they make them for laptops, why don't they package them for desktop use.
Personally, I prefer the 19" 1600x1200 display, but I understand the beef at least.
Or, you could just buy the laptop and use it as a display. It won't cost you much more than the lcd would have anyway! (FWIW, i'd buy toshiba, my dell 1600x1200 had to go back twice, but my tosh is running like a champ. YMMV)
Exactly the problem I had with the first movie. What the hell do the battery-people have to look forward to? If the Matrix was as smart as it should be, why not make the lives of all of the people in the Matrix even more glamorous than they already are? Let them all fly, leap buildings, etc. Then when Neo and the gang decide to throw red pills down their throats, and they wake up nearly drowning in their own goopy food and feces, they'll beg to be strapped back in.
Which is exactly why Microsoft is the leading software company and the US political system is run by two nearly identical clone parties.
The point of the movie is the value of freedom people.
Finally we have someone who, upon seeing Marcelo throw down the gauntlet and declare his interview to be unbeatably bad, take the baton and run with it.
It's funny, if you think about it: Video games cost quite a bit more than movies. You'd think that the industry would be all over trying to get things like P2P shut down. But they don't. They understand that people are willing to pay for games, they just need reassurance that the game will do what they want.
There's also that little bit about having a unique key to open your game. That slows down the pirates enough to make it easier to pay the money than to spend the time getting the game free.
There is a truth to what you say though. I would much rather get Neverwinter for $50 which I know I'll play for many many hours than Eminem which I suspect I'll listen to a few times, rip to ogg and then not put on a playlist because I'm already weary of it.
That's not all, either. Starving deer do a lot of damage to the forest, chewing all the bark off of trees from ground level up to as high as they can reach (5-6 feet), eating the tips of tree branches and ripping up meadows as they paw at the snow trying to get to what grass lies beneath. This hurts other animals and slows the herds' recovery as well.
This is an important point. I have a small farm in the eradication zone in Wisconsin and, despite the seriousness of the questions at hand, would definitely not support this mechanism for getting the herd size down. As it is we have very, very few small trees that survive the winter grazing well and end up with a lot of oak bushes.
I've found that most computer and science people are pro-technology and anti-mysticism and so have little interest in "issues" such as environmentalism.
Since when is environmentalism mystic? Seems like common sense that one would prefer drinkable water, rivers that don't burn and air that makes the sky look blue instead of brown.
Unless your claim is that technology will be sufficiently strong to counter the negative health benefits of those things...;-)
Care to explain that?
Sure. The point of encryption is to secure a connection. If you can't trust the cert, then you can't trust the encryption. Ergo, you may as well be using plaintext.
The parent is a brilliant example of how a little knowledge can be a bad thing.
Dude, unless you *trust* the cert your 'encryption' is worthless.
But I don't see how to do this unless the existing entity is a bank. From what I understand, becoming a bank is no trivial task.
Well, you could always become a bank without becoming a bank... <cough>paypal</cough>
Read further down the threads. Matt has pulled out for at least the time being.
Sucks.
Most unique thing I can think of is to cat /dev/urandom or whatever that command is, then tack the output on the door.
Hold it, don't take this dude's advice, that's how I managed to end up with a machine named 6962abc6-fc2b-453c-9558-e0764a99cef2
...sending your rant to them, instead of /.?
I have. Several times.
They don't give a shit.
Well done Bill. Well done.