There is a questionable assumption implicit in your first question, which is that a small number of QA people working full-time is equivalent to a large number of people working part time. I think there's a strong argument to be made that when searching for security bugs it's important to use a large variety of approaches. One grad student or independent researcher may well come up with an angle that none of the QA team members would ever have come up with -- not because he's necessarily smarter, but because he just happened to look at the problem a different way. That individual may be able to reap great financial benefit from applying his idea across a wide variety of applications from different vendors, but that doesn't mean that any one QA team necessarily wants him on staff, because that may be the only really brilliant idea he'll have this year.
In fact, if you look around the independent and academic security research landscape, this is a pretty much what it looks like. You have lots of individuals or small groups who have one really good idea, plus lots of incremental refinements they make over time. One researcher specializes in fuzzing, and is much cleverer at it than nearly anyone else out there. Another creates some truly excellent static analysis tools that operate on code, yet another develops a fascinating binary analysis tool. Etc., etc. Microsoft can't employ all of these people, and further doesn't really want to, because after a few weeks each of them would have exhausted what they can find with their current approach and tools. And there are all sorts of practical, legal and PR problems with turning them loose on the software of Microsoft's competitors.
So I think there's a strong argument to be made for it being both more effective for Microsoft (or any other software vendor) and more financially rewarding (for the researcher) for them to exchange value via bounties. Short-term consulting contracts would be another way, but those have the disadvantage that success and failure are approximately equally-rewarded, which is bad both for talented researchers and for the vendors they find bugs for.
This scenario is probably valid true for other sorts of bugs than for security bugs, and even for security bugs it doesn't mean there's no value in having on-staff QA. You need someone doing the gruntwork of identifying all the common, easy mistakes. But you also need to cast a much wider net than any corporate QA staff is going to be able to achieve.
As for your second question, I couldn't care less. We're talking about very bright people who don't need anyone to manage their lives or their business relationships for them.
What you describe hasn't been my experience. I see TWO orders of magnitude more bugs reported by Microsoft's QA than by external parties
So you're saying that more bugs are reported by people who get paid to report them than by people who don't. Obviously that has to make us wonder what would happen if non-employees could get paid for reporting bugs.
Hold your horses. He's not reducing the number of claims because he thinks the claims themselves are ridiculous. He's reducing the number of claims because the number is ridiculous and not able to be tried reasonably.
Yeah, on the one hand it's kind of arbitrary and capricious. I mean, if they really have 132 valid claims it seems inappropriate for the court system to refuse to allow them to be asserted. On the other hand trying all of those claims and all of the prior art would just be impractical.
On the gripping hand, I suspect that the real root of the problem is that most of these patents should never have been issued in the first place, because they are invalid due to prior art, and/or obviousness. But our broken patent system leaves that for the courts to sort out in what's arguably the most expensive and least efficient way possible.
You forgot the most important feature of my phone: I always have it with me. The battery life issue is irrelevant, since I need the phone for so many other things that I always keep it charged.
I actually have an RPN calculator app for it that has all of the features of a 15C (BTW, I'm very familiar with the 15C; I owned one for years before upgrading to a 48SX). I still own a 48SX, and it's a great calculator which does nothing but gather dust. When I'm really doing math, I use Mathematica on my laptop. When I need to do some quick calculations I use my phone.
I have great feelings of nostalgia for my 15C. I especially enjoyed programming it. I wish I still had it (it was stolen). But if I still had it, I have no doubt it would be collecting dust right next to my 48SX while I used my laptop and my phone.
I actually did some work on my (former) employer's response to several Dutch government requests for proposal, focusing on how to deploy and secure all of the GPS tracking devices that were going to be placed in vehicles in order to compute the usage taxes.
Then a new government came into power and shelved the whole thing. If we're smart, we wont' even start. It's hugely expensive and invasive. Much better to meter the fuel and tax the vehicles, with extra taxes imposed on large commercial vehicles (as is done now). Yes, this is going to get a little harder when electric vehicles are common and people plug their cars into the power grid rather than filling them at gas stations, but I still think it'll be a lot better to start taxing electricity more -- particularly electricity that might be used to power vehicles -- than to install tracking devices in all our vehicles.
I know I really do not understand the need to be using your smart phone that much. I see people sitting in hot tubes at my gym using them, and it's like do you really need to be connected so much you can't be away from your phone for 30 min?
Keep in mind that a smartphone isn't just a phone. They may very well not be "connected" at all, just doing something else. I sometimes play games or read a book on my phone while relaxing in the hot tub or steam room, and if I'm not doing that I almost always have my headphones on listening to music or an audio book.
But I have a waterproof case for my phone (and waterproof headphones), so I don't need this nose stylus. I just use my wet finger.
But would you call WordPerfect an "app" today? Would you refer to Word as an "app" in an official document?
Sure I would. I'd call it a desktop app, as opposed to a web app (which is the common nomenclature for web-based applications, and the engines that run them are usually called "app servers"). I've also been hearing a lot of discussion lately about cloud apps -- though the truth is that they're generally just web apps.
App is widely used to refer to any application software package, in many contexts, and has been for decades.
the money has to come from some where so the credit card companies end up taking a hit and they raise their rates
It doesn't really change your point, but the "credit card companies" (AKA banks) normally don't take the hit. The merchant who accepted the fraudulent payment usually ends up having to eat the loss.
Besides if you know your card number might have been stolen and don't report it, you might end up having to pay for fraudulent charges since at that point it's basically your fault for not telling the credit card company.
It might be "basically your fault", but you're still only liable for at most $50, by law (in the US). In practice, you won't pay a penny.
Answers to secret questions can only really be stored as hashes if you insist on people reproducing spelling, capitalization, and punctuation accurately and you don't intend to use the secret questions for over-the-phone authentication.
Spelling - yes; but capitalization and punctuation can just be ignored. Strip punctuation, convert to all-lowercase, then hash.
If you really wanted to, you could even help with spelling. Hash multiple variations of the word and see if any of them match.
That doesn't work. It makes the password the hash, and means that an observer of the transaction can replay it later.
Have the client concatenate a server-provided nonce with the password, hash the result and send the hash to the server. If you want to get really fancy there are even zero-knowledge proofs that can be used.
There's no legitimate reason to store plaintext passwords.
But while few people regularly referred to Microsoft PowerPoint as an "app,"
I disagree. I know I heard many discussions about, for example, which was the best "word processing app" back in the days when it was unclear if MS Word was going to have any luck unseating WordPerfect. "App" has been used as a shorthand for application for 20 years, if not more.
Sadly the patent system have been overrun with vaguely worded defensive patents set up not because some corporation or individual plans to implement said patent, but to catch others that happens to make something similar enough to the vague words used to describe the patent claim.
Yep. That's one of the many reasons they system is broken.
And good luck trying to search for those patents without paying some patent lawyer for several months of reading time.
This I don't agree with. Patents aren't that hard to read, and in fact the meat of them is the part that lawyers really aren't equipped to understand anyway -- you need a skilled practitioner. Lawyers have asked me to read patents to figure out whether or not my company was infringing.
Huh? What are you talking about? This subthread has gone off on a patent discussion. Copyrights and patents have virtually nothing to do with each other.
... and then it turns out that the inventor wants a licensing fee of ten times the entire project budget, and the project is sunk.
Well, that's a possibility, but it doesn't really leave the engineer any worse off than before. It's rare that there's only one way to do something, and he was going to have to do all of the work to invent his own method anyway.
However, your comment is a reason why if we had a well-functioning patent system there would also need to be a system of statutory licensing rates, perhaps similar to those used in music though I suspect they'd have to be more sophisticated. However, it's a moot point, because managers and attorneys don't tell engineers to search the patent database for ideas... most patents aren't sufficiently well-researched or documented to actually be useful to solve problems, and most of them are far too obvious to need looking up.
My point is that the system is badly broken; it's a rare accident when the system actually does foster innovation. 99.99% of the time it just causes innovation to be crushed by ravening hordes of lawyers, who are the ones who truly benefit from patent law. If it did work, we'd see people using the patent database in the manner I describe. The fact that my little scene is so preposterous just shows how badly broken our patent system is.
Companies only do the last step of research because it is only at the last step that it becomes clear what the profitable outcome is going to be.
That's pretty much the norm these days, but it hasn't always been and it doesn't need to be. There have been plenty of corporations involved in basic research over the last century. Perhaps the most notable was AT&T's Bell Labs. Though I guess you could argue that they were part of the "public option" as well, given their monopoly status. IBM still does a non-trivial amount of basic research, most of it vaguely related to computing, but lots of it has no clear application. As do many of the other big technology companies.
Of course corporate investment in basic research is dwarfed by academic and government-funded research, but it's not accurate to say that corporations don't do basic research.
I think one of the central issues is whether a patent stops progress or creates progress. It only creates progress in the incentive for new work to be done.
The purpose of patents is not to create an incentive for new work to be done. The purpose is to enable new work to build on older (patented) work, by convincing inventors to publish their inventions rather than keeping them secret.
The way to tell if a patent system is working is to look at how many inventors are making use of the patent database to get ideas, or to find solutions to problems they're struggling with. A really good patent system would make the following interaction commonplace (but with real content rather than technobabble):
Engineer: Hey, boss, I've been trying to come up with a way to reverse the polarity in the tachyon waveform inducer and I'm having some trouble. I have some ideas about how to solve it, but I think it's going to take me at least six months to work out the details.
Manager: Hmm. We had planned to have that done by the end of the quarter. Have you done a patent search to see if this is a solved problem?
Engineer: Not yet, but it's on my list of things to do. You really think someone has already got this figured out, and published it?
Manager: Heck if I know, but with millions of new patents being filed every year, I'd say it's worth at least a couple of hours searching.
Engineer: I'll get right on that.
[A couple of hours pass]
Engineer: Hey, boss! Good idea on the patent search. It turns out that an inventor in Okeechobee filed a patent for a really slick tachyon induction polarity inverter just last year. It's exactly what we need and she's already solved a bunch of problems I hadn't even considered. I think I can have a working prototype integrated within a few days after we get a license to the patent.
Mangaer: Great! Send me the patent number and I'll have our attorney get a letter to her right away. I'll bet we can get a license within the week. This will cut a month -- maybe two! -- off the time to market for our new product. Thank goodness for patents!
I haven't really researched WMT as an investment and can't comment intelligently on either its market position or its future. I was just countering your statement that companies must either grow or die.
Also, 5.8% is a very acceptable return for many income investors in a non-inflationary economic climate, as long as it's a reliable return.
How is this acceptable to the myriad people who expected privacy from setting the secure bit on their routers?
The information obtainable from the unencrypted headers is meaningless. It's useful only to other people who are in range of the same access point, and they're able to retrieve it as well! It does provide value to people who want to use it to guesstimate their physical location and who didn't bother to bring their own GPS receiver along, don't want to use cell tower triangulation, can't read an address, etc.
I'm not saying Google should have recorded it (though I really don't believe there is *any* reasonable expectation of privacy for data that is broadcast), but it's pretty hard to call SSIDs and MAC addresses "private" information. It's not personally-identifiable (unless the user chose to put PII in the SSID) and its disclosure has no privacy impact.
Since the law in some countries classifies it as protected information, Google should have been more careful about what they recorded. I'm sure that now, having screwed up and had it called to their attention, they are more careful. But we're really just talking about failure to obey a pretty silly law. Yes, it should have been obeyed. No, the failure didn't do any actual harm.
(Note that as of two months ago I'm a Google employee, but not only am I not speaking for Google, I don't know anything about any of this beyond what I've read on slashdot, etc., and all of this represents only my own personal opinion. And it's exactly what I would have said back when I was an IBM employee.)
In business there is growth and death. If you aren't doing 1, you are doing the other. Go ask your employer if he would like to grow or shrink. If he says he wants to remain the same size you need to find a new employer.
Nonsense. Do some research on dividend stocks. There are plenty of businesses out there that aren't growing and aren't dying. Instead they're returning steady, solid profits year after year. People with income rather than growth as an investment goal actively seek out these companies.
Are you dense? The Wi-Fi standard allows for the encryption of payload, while the headers are always sent in the clear, regardless of whether users secured their networks or not.
[...]
Google took advantage of this fact and logged SSID's, MAC and IP addresses of every wireless network it encountered
Google couldn't have gotten IP address from encrypted networks. The link layer uses MAC addresses for specifying source and destination; IP addresses are meaningless at that level. The entire IP packet (or ARP packet) is encrypted.
There is a questionable assumption implicit in your first question, which is that a small number of QA people working full-time is equivalent to a large number of people working part time. I think there's a strong argument to be made that when searching for security bugs it's important to use a large variety of approaches. One grad student or independent researcher may well come up with an angle that none of the QA team members would ever have come up with -- not because he's necessarily smarter, but because he just happened to look at the problem a different way. That individual may be able to reap great financial benefit from applying his idea across a wide variety of applications from different vendors, but that doesn't mean that any one QA team necessarily wants him on staff, because that may be the only really brilliant idea he'll have this year.
In fact, if you look around the independent and academic security research landscape, this is a pretty much what it looks like. You have lots of individuals or small groups who have one really good idea, plus lots of incremental refinements they make over time. One researcher specializes in fuzzing, and is much cleverer at it than nearly anyone else out there. Another creates some truly excellent static analysis tools that operate on code, yet another develops a fascinating binary analysis tool. Etc., etc. Microsoft can't employ all of these people, and further doesn't really want to, because after a few weeks each of them would have exhausted what they can find with their current approach and tools. And there are all sorts of practical, legal and PR problems with turning them loose on the software of Microsoft's competitors.
So I think there's a strong argument to be made for it being both more effective for Microsoft (or any other software vendor) and more financially rewarding (for the researcher) for them to exchange value via bounties. Short-term consulting contracts would be another way, but those have the disadvantage that success and failure are approximately equally-rewarded, which is bad both for talented researchers and for the vendors they find bugs for.
This scenario is probably valid true for other sorts of bugs than for security bugs, and even for security bugs it doesn't mean there's no value in having on-staff QA. You need someone doing the gruntwork of identifying all the common, easy mistakes. But you also need to cast a much wider net than any corporate QA staff is going to be able to achieve.
As for your second question, I couldn't care less. We're talking about very bright people who don't need anyone to manage their lives or their business relationships for them.
I quite like it. Not only does it nicely label a third possibility, it also implies that it's a more compelling option than the other two.
What you describe hasn't been my experience. I see TWO orders of magnitude more bugs reported by Microsoft's QA than by external parties
So you're saying that more bugs are reported by people who get paid to report them than by people who don't. Obviously that has to make us wonder what would happen if non-employees could get paid for reporting bugs.
a tenant of the US judicial system
Just a nitpick: You mean "tenet", not "tenant".
Hold your horses. He's not reducing the number of claims because he thinks the claims themselves are ridiculous. He's reducing the number of claims because the number is ridiculous and not able to be tried reasonably.
Yeah, on the one hand it's kind of arbitrary and capricious. I mean, if they really have 132 valid claims it seems inappropriate for the court system to refuse to allow them to be asserted. On the other hand trying all of those claims and all of the prior art would just be impractical.
On the gripping hand, I suspect that the real root of the problem is that most of these patents should never have been issued in the first place, because they are invalid due to prior art, and/or obviousness. But our broken patent system leaves that for the courts to sort out in what's arguably the most expensive and least efficient way possible.
You forgot the most important feature of my phone: I always have it with me. The battery life issue is irrelevant, since I need the phone for so many other things that I always keep it charged.
I actually have an RPN calculator app for it that has all of the features of a 15C (BTW, I'm very familiar with the 15C; I owned one for years before upgrading to a 48SX). I still own a 48SX, and it's a great calculator which does nothing but gather dust. When I'm really doing math, I use Mathematica on my laptop. When I need to do some quick calculations I use my phone.
I have great feelings of nostalgia for my 15C. I especially enjoyed programming it. I wish I still had it (it was stolen). But if I still had it, I have no doubt it would be collecting dust right next to my 48SX while I used my laptop and my phone.
I actually did some work on my (former) employer's response to several Dutch government requests for proposal, focusing on how to deploy and secure all of the GPS tracking devices that were going to be placed in vehicles in order to compute the usage taxes.
Then a new government came into power and shelved the whole thing. If we're smart, we wont' even start. It's hugely expensive and invasive. Much better to meter the fuel and tax the vehicles, with extra taxes imposed on large commercial vehicles (as is done now). Yes, this is going to get a little harder when electric vehicles are common and people plug their cars into the power grid rather than filling them at gas stations, but I still think it'll be a lot better to start taxing electricity more -- particularly electricity that might be used to power vehicles -- than to install tracking devices in all our vehicles.
Can you put your small personal computer running Mathematica in your pocket?
My phone has Wolfram Alpha.
I know I really do not understand the need to be using your smart phone that much. I see people sitting in hot tubes at my gym using them, and it's like do you really need to be connected so much you can't be away from your phone for 30 min?
Keep in mind that a smartphone isn't just a phone. They may very well not be "connected" at all, just doing something else. I sometimes play games or read a book on my phone while relaxing in the hot tub or steam room, and if I'm not doing that I almost always have my headphones on listening to music or an audio book.
But I have a waterproof case for my phone (and waterproof headphones), so I don't need this nose stylus. I just use my wet finger.
Nope... predictions are that mainstream encryption (eg. AES256) will be trivially crackable within 5-10 years
Cite?
But would you call WordPerfect an "app" today? Would you refer to Word as an "app" in an official document?
Sure I would. I'd call it a desktop app, as opposed to a web app (which is the common nomenclature for web-based applications, and the engines that run them are usually called "app servers"). I've also been hearing a lot of discussion lately about cloud apps -- though the truth is that they're generally just web apps.
App is widely used to refer to any application software package, in many contexts, and has been for decades.
the money has to come from some where so the credit card companies end up taking a hit and they raise their rates
It doesn't really change your point, but the "credit card companies" (AKA banks) normally don't take the hit. The merchant who accepted the fraudulent payment usually ends up having to eat the loss.
Besides if you know your card number might have been stolen and don't report it, you might end up having to pay for fraudulent charges since at that point it's basically your fault for not telling the credit card company.
It might be "basically your fault", but you're still only liable for at most $50, by law (in the US). In practice, you won't pay a penny.
Answers to secret questions can only really be stored as hashes if you insist on people reproducing spelling, capitalization, and punctuation accurately and you don't intend to use the secret questions for over-the-phone authentication.
Spelling - yes; but capitalization and punctuation can just be ignored. Strip punctuation, convert to all-lowercase, then hash.
If you really wanted to, you could even help with spelling. Hash multiple variations of the word and see if any of them match.
That doesn't work. It makes the password the hash, and means that an observer of the transaction can replay it later.
Have the client concatenate a server-provided nonce with the password, hash the result and send the hash to the server. If you want to get really fancy there are even zero-knowledge proofs that can be used.
There's no legitimate reason to store plaintext passwords.
But while few people regularly referred to Microsoft PowerPoint as an "app,"
I disagree. I know I heard many discussions about, for example, which was the best "word processing app" back in the days when it was unclear if MS Word was going to have any luck unseating WordPerfect. "App" has been used as a shorthand for application for 20 years, if not more.
Sadly the patent system have been overrun with vaguely worded defensive patents set up not because some corporation or individual plans to implement said patent, but to catch others that happens to make something similar enough to the vague words used to describe the patent claim.
Yep. That's one of the many reasons they system is broken.
And good luck trying to search for those patents without paying some patent lawyer for several months of reading time.
This I don't agree with. Patents aren't that hard to read, and in fact the meat of them is the part that lawyers really aren't equipped to understand anyway -- you need a skilled practitioner. Lawyers have asked me to read patents to figure out whether or not my company was infringing.
Which is why I suggested statutory licensing. But really, we have much, much bigger problems to address first.
Huh? What are you talking about? This subthread has gone off on a patent discussion. Copyrights and patents have virtually nothing to do with each other.
... and then it turns out that the inventor wants a licensing fee of ten times the entire project budget, and the project is sunk.
Well, that's a possibility, but it doesn't really leave the engineer any worse off than before. It's rare that there's only one way to do something, and he was going to have to do all of the work to invent his own method anyway.
However, your comment is a reason why if we had a well-functioning patent system there would also need to be a system of statutory licensing rates, perhaps similar to those used in music though I suspect they'd have to be more sophisticated. However, it's a moot point, because managers and attorneys don't tell engineers to search the patent database for ideas... most patents aren't sufficiently well-researched or documented to actually be useful to solve problems, and most of them are far too obvious to need looking up.
My point is that the system is badly broken; it's a rare accident when the system actually does foster innovation. 99.99% of the time it just causes innovation to be crushed by ravening hordes of lawyers, who are the ones who truly benefit from patent law. If it did work, we'd see people using the patent database in the manner I describe. The fact that my little scene is so preposterous just shows how badly broken our patent system is.
Companies only do the last step of research because it is only at the last step that it becomes clear what the profitable outcome is going to be.
That's pretty much the norm these days, but it hasn't always been and it doesn't need to be. There have been plenty of corporations involved in basic research over the last century. Perhaps the most notable was AT&T's Bell Labs. Though I guess you could argue that they were part of the "public option" as well, given their monopoly status. IBM still does a non-trivial amount of basic research, most of it vaguely related to computing, but lots of it has no clear application. As do many of the other big technology companies.
Of course corporate investment in basic research is dwarfed by academic and government-funded research, but it's not accurate to say that corporations don't do basic research.
I think one of the central issues is whether a patent stops progress or creates progress. It only creates progress in the incentive for new work to be done.
The purpose of patents is not to create an incentive for new work to be done. The purpose is to enable new work to build on older (patented) work, by convincing inventors to publish their inventions rather than keeping them secret.
The way to tell if a patent system is working is to look at how many inventors are making use of the patent database to get ideas, or to find solutions to problems they're struggling with. A really good patent system would make the following interaction commonplace (but with real content rather than technobabble):
Engineer: Hey, boss, I've been trying to come up with a way to reverse the polarity in the tachyon waveform inducer and I'm having some trouble. I have some ideas about how to solve it, but I think it's going to take me at least six months to work out the details.
Manager: Hmm. We had planned to have that done by the end of the quarter. Have you done a patent search to see if this is a solved problem?
Engineer: Not yet, but it's on my list of things to do. You really think someone has already got this figured out, and published it?
Manager: Heck if I know, but with millions of new patents being filed every year, I'd say it's worth at least a couple of hours searching.
Engineer: I'll get right on that.
[A couple of hours pass]
Engineer: Hey, boss! Good idea on the patent search. It turns out that an inventor in Okeechobee filed a patent for a really slick tachyon induction polarity inverter just last year. It's exactly what we need and she's already solved a bunch of problems I hadn't even considered. I think I can have a working prototype integrated within a few days after we get a license to the patent.
Mangaer: Great! Send me the patent number and I'll have our attorney get a letter to her right away. I'll bet we can get a license within the week. This will cut a month -- maybe two! -- off the time to market for our new product. Thank goodness for patents!
I haven't really researched WMT as an investment and can't comment intelligently on either its market position or its future. I was just countering your statement that companies must either grow or die.
Also, 5.8% is a very acceptable return for many income investors in a non-inflationary economic climate, as long as it's a reliable return.
How is this acceptable to the myriad people who expected privacy from setting the secure bit on their routers?
The information obtainable from the unencrypted headers is meaningless. It's useful only to other people who are in range of the same access point, and they're able to retrieve it as well! It does provide value to people who want to use it to guesstimate their physical location and who didn't bother to bring their own GPS receiver along, don't want to use cell tower triangulation, can't read an address, etc.
I'm not saying Google should have recorded it (though I really don't believe there is *any* reasonable expectation of privacy for data that is broadcast), but it's pretty hard to call SSIDs and MAC addresses "private" information. It's not personally-identifiable (unless the user chose to put PII in the SSID) and its disclosure has no privacy impact.
Since the law in some countries classifies it as protected information, Google should have been more careful about what they recorded. I'm sure that now, having screwed up and had it called to their attention, they are more careful. But we're really just talking about failure to obey a pretty silly law. Yes, it should have been obeyed. No, the failure didn't do any actual harm.
(Note that as of two months ago I'm a Google employee, but not only am I not speaking for Google, I don't know anything about any of this beyond what I've read on slashdot, etc., and all of this represents only my own personal opinion. And it's exactly what I would have said back when I was an IBM employee.)
In business there is growth and death. If you aren't doing 1, you are doing the other. Go ask your employer if he would like to grow or shrink. If he says he wants to remain the same size you need to find a new employer.
Nonsense. Do some research on dividend stocks. There are plenty of businesses out there that aren't growing and aren't dying. Instead they're returning steady, solid profits year after year. People with income rather than growth as an investment goal actively seek out these companies.
Are you dense? The Wi-Fi standard allows for the encryption of payload, while the headers are always sent in the clear, regardless of whether users secured their networks or not.
[...]
Google took advantage of this fact and logged SSID's, MAC and IP addresses of every wireless network it encountered
Google couldn't have gotten IP address from encrypted networks. The link layer uses MAC addresses for specifying source and destination; IP addresses are meaningless at that level. The entire IP packet (or ARP packet) is encrypted.