Correcting apo'strophe error's on 'Slashdot i's, in the word's of Martin 'Sheen in Apocalyp'se Now, like handing out 'speeding ticket's at the Indy 500.
If you're going to do it, do it right.
Let me guess:
State secrets are made unreadable by font colour changes, whereas slashdot comments are made unreadable by fucked up javascript and CSS?
Then export and distribute the redacted documents as bitmaps or plaintext or any of a dozen other file formats which do not store all of the hidden (but easily found) metadata that Word or PDF do.
I agree with you, but how is the end user to know what these file formats are?
I've seen people who wanted to write a quick note of a phone number fire up Word to do it.
Instead of a 10 byte text file, they end up with a 50K or so Word document, with all sorts of extra crap in it, and they have no idea.
As far as the user is concerned, they're both text.
TrueCrypt offers the best solution to this, allowing you to have one password you can give up that loads a normal OS with some legal but embarrassing pics or something on it and a second password that gets into another secret OS. There is no way to prove the existence of a second password so you can't be convicted for not handing it over.
The only problem with this that I've found is that both encrypted and hidden OS must be the same OS, and I think - although I don't remember for sure - both have to be Windows. So you can't have an encrypted Windows XP and a hidden FreeBSD, for instance, or even a hidden Windows XP on encrypted Windows 7.
I'm working on an experiment right now that may allow hidden *nix on encrypted Windows, but I haven't finished messing around yet, so I don't know if it'll work.
This is what I get for pointing out that our 'anonymous' submitter here is a company troll grasping for page hits.
Errm...
There's no link in the posting. How exactly would this generate page hits?
Hilarious.
Really.
My ass is somewhere on the floor.
Seriously.
Ok...now...
If you're afraid of someone being able to read your email when it's hosted somewhere out of your direct control, then host it yourself.
A combination of fetchmail, Apache, and SquirrelMail/Horde/GroupwareOfChoice, along with a free dyndns.com account, and you've got all your mail completely under your control, and still available anywhere.
Assuming you use Linux, when you set it up, make sure you use encrypted LVM, and even if the government/police seize your equipment, they still can't read your email.
You can also set it up to use SSL exclusively, which makes things even safer.
And the easiest end user experience is inevitably the one with zero security.
So yes, that is what you're advocating. You just don't want to admit it, or maybe don't even realize it yourself.
Yeah...PAM is one of those acronyms that - because it's a common non-acronym word - in order to know what to type into Google to find out what it means, you already have to know what it means....
It has nothing to do with OSes (or for that matter anything that's not a web site / ISP) nor anything to do with hashes.
Actually, Windows lets you set up a website with authentication provided by the local Windows user/password database. It'd be moronic to use for most things, because it's the equivalent of giving every webmail user a shell account on *nix, but it's possible.
If any web company uses this functionality, then it does concern OSes.
Incidentally, you can also do this same thing on Linux....
The only thing CAs check before issuing a certificate is whether the cheque has cleared.
Of course. Why else do you think the CAs say they have to do "verification cheques"?
You should also add in the time it takes to install that cert on every device.
If it's a small company that doesn't have the money to set up their own CA, which was the initial basis of your argument, then they also won't have hundreds or thousands of devices to import the CA cert into. If they have a dozen employees, then it'll take all of 45 minutes to install the cert on an iPhone for all of them.
There are 2 basic attitudes I see here:
1. Who cares if the user gets errors, they should have installed the cert
2. Just set it up according to Microsoft's recommendations and not have users complain.
#1 will result in numerous calls to whatever helpdesk is available. In the extreme, you get the owner/ceo/exec/etc... barking at you because they don't understand the error message. Or, you use an internal CA and have to manually manage all devices. What do you tell the owner when they get a new phone on Sunday morning and ask you why they can't just set it up?
The user shouldn't have installed the cert. If the user can install certs, then you've got much bigger security issues than an error message in the browser. The IT person/department/support company should install the cert. You also don't have to manually manage all devices. I love these people that think they know enterprise IT, because they can plug in a printer and share it between their two home PCs.
Most devices allow some type of remote, group policy based management. If they don't, they really don't end up in businesses. Windows machines can have the cert added by group policy from the domain controller. Blackberry devices have a management platform that allows for similar group control. iPhones have it, too, from what I understand, although I don't support them myself, so I have to go on input from others.
And when the owner gets his new phone, and wants to set it up to check his email on Sunday morning? You tell him that unauthorized devices aren't allowed to connect, to protect his executive bonus from being rerouted to a cracker's Swiss bank account. You can relax the security measures, if he puts in writing that he's ok with losing his bonus to crackers. Otherwise, you can set up the phone for him first thing Monday morning when he gets to work.
#2 results in no errors for the end user...it just plain works. The only ones who seem to have a problem are engineers/techs that don't seem to care what the end-user experience is.
You can go about this either way. It's your choice.
I prefer to set up systems so that users don't need to call me every time they get a new device, computer, etc. That is what the autodiscover service is for!
A good end user experience for wireless networks is for any user-provided device to just be able to connect to the network with a click or two, and immediately be able to access anything they need. Of course, this means that your wireless has to be completely unencrypted, with no firewalls protecting anything at all, no passwords required for access, or what have you. Because if there was even a slight impediment to the end user, it would be a bad user experience.
Is that seriously what you're recommending?
Security practices are there for a reason. Sometimes you get overbearing idiots who want a 78 character alphanumeric/special password with no repeated characters, no writing it down, and you have to change it every week, true. Overreaching "security by rulebook" is sometimes counterproductive.
But having "legitimate" CA providers giving out certs for "mailserver" and equally generic hostnames, is downright dangerous. You can do that kind of thing safely with your own CA, because after you've imported the CA cert into your devices, your "mailserver" cert will be allowed, but not some MITM cracker's "mailserver" cert, because it wasn't generated by your CA. Your CA is only recognized within your organization, on your own devices.
When Comodo, Verisign, or anybody else is generating "mailserver" certs, then absolutely anybody with a browser is at risk of their "mailserver" being impersonated by anybody else's "mailserver" cert, because the CA is publicly recognized.
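The argument above (and the earlier point about importing one CA cert into a dozen devices) in runnable form, as an added example that is not code from any of the posters: a private CA issues a certificate for the bare name "mailserver", and a client that trusts only that CA accepts it while rejecting a second CA's certificate for the very same name. It assumes the openssl command-line tool is installed; the CA names, file names and temp directory are made up for the run.

```shell
#!/bin/sh
# Added example, not code from the original thread. A private CA issues a cert
# for the bare name "mailserver"; clients that trust only this CA accept it and
# reject another CA's "mailserver" cert. Needs the openssl CLI; names are made up.

# Minimal openssl config so the run does not depend on a system openssl.cnf.
write_cnf() {
    cat > "$1" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
}

# make_ca <dir> <name> <CN>: self-signed CA certificate plus private key.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -config "$1/req.cnf" \
        -extensions ca_ext -subj "/CN=$3" -days 365 \
        -keyout "$1/$2.key" -out "$1/$2.crt" 2>/dev/null
}

# issue_cert <dir> <ca-name> <hostname>: leaf cert "<ca>-<host>.crt" signed by <ca>,
# with the hostname in subjectAltName, which is what clients actually match on.
issue_cert() {
    printf 'basicConstraints = CA:FALSE\nextendedKeyUsage = serverAuth\nsubjectAltName = DNS:%s\n' \
        "$3" > "$1/$2-$3.ext"
    openssl req -new -newkey rsa:2048 -nodes -config "$1/req.cnf" -subj "/CN=$3" \
        -keyout "$1/$2-$3.key" -out "$1/$2-$3.csr" 2>/dev/null
    openssl x509 -req -in "$1/$2-$3.csr" -CA "$1/$2.crt" -CAkey "$1/$2.key" \
        -CAcreateserial -days 365 -extfile "$1/$2-$3.ext" -out "$1/$2-$3.crt" 2>/dev/null
}

# verify_cert <trusted-ca.crt> <cert.crt> <hostname>: succeeds only if the cert
# chains to the trusted CA AND carries the expected hostname, i.e. the two checks
# a mail client performs before handing over credentials.
verify_cert() {
    openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1
}

demo() {
    d=$(mktemp -d)
    write_cnf "$d/req.cnf"
    make_ca "$d" ours   "Example Corp Internal CA"   # the CA imported into our devices
    make_ca "$d" theirs "Some Other CA"              # anyone else willing to sign "mailserver"
    issue_cert "$d" ours   mailserver
    issue_cert "$d" theirs mailserver
    if verify_cert "$d/ours.crt" "$d/ours-mailserver.crt" mailserver; then
        echo "our CA's mailserver cert: accepted"
    fi
    if verify_cert "$d/ours.crt" "$d/theirs-mailserver.crt" mailserver; then
        echo "other CA's mailserver cert: ACCEPTED (this is the public-CA problem)"
    else
        echo "other CA's mailserver cert: rejected, not issued by a CA we trust"
    fi
    rm -rf "$d"
}

demo
```

Point `-CAfile` at the public root bundle instead of `ours.crt` and the second check flips to "accepted" for any certificate a public CA signs for that name; trust in the name "mailserver" is exactly as narrow as the set of CAs your devices trust to sign it.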
More so, 24 out of 42 of the scanners on virustotal detect it at the moment.
Maybe the fake AV itself, but yesterday I downloaded (using wget, of course) the script file that redirects you to the malware site, and sent it to virustotal. Zero detections.
Since when have the masses read /.?
What if the "database" is an Excel file?
Then RSA needs to be nuked from orbit, as it's the only way to be sure....
Yes.
It's called sneakernet.
The "x" comes from computer "B", which is shown on a display. A human operator types "x" into server "A", which has no network connection at all. Server "A" then displays f(x), which the human operator types into a different keyboard connected to computer "B".
In order for this to work truly securely, though, several things have to be true:
- The operator has to have no chance to enter incorrect information by accident, or enter the information in the wrong place. That means this cannot be a general purpose computer, or the operator cannot have access to anything other than the input field for the data. Preferably both.
- The operator has to be completely trusted, otherwise incorrect information could be coded into what should be the f(x) result, by the operator typing in f2(source_code_for_f(x)) instead. This means, basically, the operator has to be you.
- something else I haven't thought of yet, in this idle intellectual exercise.
So, yes, it can be done. But it's certainly not practical.
Someone might suggest having computer "C" in between, which monitors network traffic and only allows x to flow one way, and f(x) to flow the other. But there are problems with this:
- what if computer "C" gets compromised? It could be modified to allow other data to flow from server "A" to computer "B".
- how does computer "C" know that f(x) is _actually_ f(x)? Could it be other data disguised to look like f(x)? The only method guaranteed to work is for computer "C" to know the source for f(), by which it could compare its own f(x) result to that flowing over the network from A to B. If they match, let it pass. This, however, obviously makes hiding the source of f(x) that much more difficult, since it can now be compromised on two different computers, rather than one.
This is why 100% security is impossible. Not because we don't want it, but because there will always be another way to get in, regardless of what has been locked down.
Sar-chasm: n: The gulf between a speaker of a sarcastic comment, and those who don't get it...
Meh.
Not bad. But can it do the robot?
Yes, because if you're not already working in a given industry, you couldn't possibly know anything about it.
Well, from the frame of reference that most politicians have, this is probably quite logical.
I get the impression that most of them are the type that need 3 years of schooling on any subject before they have a decent grasp of it. That's why they can't understand backyard mechanics, why it's now illegal for farmers to administer medications to their own animals, and a bunch of other stupid shit.
And make sure you clear the router DHCP and wireless logs before you leave.
Or really, make sure you connect with a fake MAC address. Preferably a different one every time.
Otherwise you could have just been honeypotted.
Imagine this:
Someone runs a honeypot open/WEP wireless point, looking for people trying to break in and do illegal shit.
The WAP logs all connection attempts from unknown MAC addresses. When one pops up, it starts silently monitoring all traffic from that MAC. Analysis of traffic finds terrorist emails, CP, or whatever. So a script is set up to run whenever this MAC address connects. This script sets off a warning signal on the honeypotter's computer, and they immediately call the cops.
Cops show up, you're sitting in your car two doors down with a laptop. Busted.
I've thought about doing something similar to this as a PoC, but I'd need to buy some new wireless hardware to get it to work, which I'm not about to do right now.
But, there's no reason to assume that an open WiFi signal is untraceable back to you, just because it's open WiFi. Sure, your local cops would have no clue how to trace you, but they're not the ones you'd need to worry about.
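Both halves of the scenario described above, as an added example that is not code from the original poster: the honeypot side, a watchlist matcher run over DHCP log lines that emits an alert the moment a listed MAC gets a lease, and the visitor side, a fresh locally-administered random MAC for each session. The log lines are constructed here in dnsmasq's DHCPACK format; every address, hostname and interface name is made up, and the `ip link` commands that would apply the address are shown only in a comment because they need root and a real interface.

```shell
#!/bin/sh
# Added example, not from the original thread. Both sides of the scenario above:
# the honeypot operator's watchlist matcher over DHCP log lines, and the visiting
# laptop's countermeasure, a fresh random MAC per session. The log lines below are
# constructed in dnsmasq's DHCPACK format; every address and hostname is made up.

# alert_on_watchlist <watchlist-file>  (log lines on stdin)
# Prints one ALERT line per lease handed to a watchlisted MAC. Matching is done on
# the token after "DHCPACK(<iface>) <ip>", case-insensitively, so the file can hold
# either upper- or lower-case addresses.
alert_on_watchlist() {
    awk -v wl="$1" '
        BEGIN { while ((getline m < wl) > 0) if (m != "") watch[tolower(m)] = 1 }
        {
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^DHCPACK\(/) {
                    ip = $(i + 1); mac = tolower($(i + 2))
                    if (mac in watch)
                        printf "ALERT watchlisted MAC %s got lease %s via %s\n", mac, ip, $i
                }
            }
        }'
}

# random_mac: unicast, locally-administered address. Bit 0 of the first octet is
# cleared (unicast) and bit 1 set (locally administered), so it never collides with
# a vendor-assigned OUI and is not traceable to the hardware.
random_mac() {
    od -An -N6 -tu1 /dev/urandom | awk '{
        first = int($1 / 4) * 4 + 2
        printf "%02x:%02x:%02x:%02x:%02x:%02x\n", first, $2, $3, $4, $5, $6
    }'
}

# Applying it on Linux needs root and a real interface, so it is only shown here:
#   ip link set dev wlan0 down
#   ip link set dev wlan0 address "$(random_mac)"
#   ip link set dev wlan0 up

demo() {
    d=$(mktemp -d)
    printf '00:11:22:33:44:55\n' > "$d/watch.txt"    # the MAC the honeypot is waiting for
    cat > "$d/dhcp.log" <<'EOF'
May  1 02:13:44 ap dnsmasq-dhcp[812]: DHCPDISCOVER(wlan0) 00:11:22:33:44:55
May  1 02:13:44 ap dnsmasq-dhcp[812]: DHCPACK(wlan0) 192.168.1.50 00:11:22:33:44:55 laptop
May  1 02:20:10 ap dnsmasq-dhcp[812]: DHCPACK(wlan0) 192.168.1.51 aa:bb:cc:dd:ee:ff phone
EOF
    echo "honeypot side:"
    alert_on_watchlist "$d/watch.txt" < "$d/dhcp.log"
    echo "visitor side, next session's address: $(random_mac)"
    rm -rf "$d"
}

demo
```

The matcher keys on the DHCPACK line rather than the DISCOVER because only the ACK proves the client actually got an address and is on the network; a randomized MAC defeats this particular trigger, but not a watch keyed on anything else the same laptop leaks (hostname in the DHCP request, probed SSIDs, logins made over the link).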
Imagine if someone had patented the 4-chord progression used by most pop songs.
And that is precisely why stupidly long copyrights are...well....stupid.
I've heard of people being sued for songs that "sounded like" some other song, using copyright. This proves it's actually the way the industry works.
2k-3k RPM when cruising? That's ridiculously high.
My 3.4 Impala, at 60MPH, is doing 1560 RPM in top gear.
There have been plenty of studies showing that cruising RPM over 2000 increases fuel usage, increases oil burning, decreases oil life, and more. Why would you want that kind of gearing?
But, since I have 90% of my torque available at 1800 RPM, I'm only 250 RPM off the power band when cruising at 60 MPH.
Even at 3000 RPM, with an engine that needs gearing like that, I bet you don't get serious torque until close to 4000 RPM, or higher. That puts you over 1000 RPM away from decent power when you need it.
Regardless of transmission type, it still takes time for the engine to spool up this much speed. That's the delay.
As an aside: speaking of engine RPM at speed; my car has a top speed governor, due to the tires it came with. Biggest annoyance for me with it, but really pointless, as the 107 MPH rated tires are faster than I ever need to go on a road, anyway.
But, at this top speed, in top gear, my engine is only turning over at 2790 RPM. That's in the same range as yours at cruising speed.
If they can change the terms of a contract without notice or agreement from my side, why can't I?
If you're in Ontario, they can't. Ontario Consumer Protection Act. Look it up. Specifically the parts about "material change" and "unsolicited goods and services."
How many tries did it take to get your DMCA passed?
They've tried 3 times to get it through here, and all three times it's failed; the first two because of citizen backlash.
The third time was because the government was just brought down in a non-confidence vote.
<sarcasm>Another election! Yay!! </sarcasm>
I've seen i3 - i7 laptops at my suppliers for 6 months or more. I suppose if you shop at big box consumer stores, you might not, because their selection sucks. But if you can't find them, it means you haven't looked.
Now as far as there being no product differentiation in laptops? This couldn't be further from the truth. There are entry level models good for basic work, there are high memory models good for running lots of programs at once, there are models with high end graphics for gaming. And this doesn't even get into the manufacturers who have had class action lawsuits against them for terrible hardware quality (HP dv6000 series, for instance.)
To say they're all the same is like saying all cars are the same, because they all have an engine, 4 wheels, and a windshield.
I got a similar deal, but mine wasn't the student discount, so it was a little more expensive.
$40 from ch3apdownlo@dsoftz.com.
Oh.....wait.