If you're a company that is not a CA, then the intermediate key signed by the CA is pretty much your root key.
If you're a company that is not a CA, then a CA is not supposed to be issuing you a certificate that subordinate certificates can be chained under in any circumstances, in the first place.
For each certificate you need, you apply to your CA and present the Certificate Signing Request to be validated and completed.
The myth that the 'security' industry is at the root of the problem
I would argue: not entirely a myth. While it may be unintentional on the part of players in the security industry (at least ethical ones), much of security researchers' work can enable and facilitate attackers. Some researchers even SELL exploits, AND attackers may be the buyers.
In many cases... they share too much information with attackers that attackers can use to improve their processes. They also in some cases PROVIDE motive. By giving a media channel for the discussion of the results of their exploits --- this can give publicity to an attack or an attacker, which results in bragging rights or "pride" as a reward for the malicious acts that would otherwise carry a negative social connotation.
6). Revoke the old intermediate certificates as soon as 5 is complete.
I believe the CA/Browser Forum and Mozilla program rules require you to do this immediately. You don't get to wait until you've reissued all customer certs; time is of the essence with regards to the revocation, and failing to do it promptly can get BOTH your intermediate AND your Root permanently removed from the browser trust stores.
That intermediate signing key should be treated with the same level of security you would treat a root key with.
No... the Root key should be designed with physical security safeguards and an airgap requiring multiple authorized humans to conduct each signing.
The intermediates should be used for automated signing needs. When an end user requests a certificate, they require a prompt turnaround.
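An added example, not code from this thread or from any CA's software, of the hierarchy the comments above describe: a toy chain checker that rejects a chain passing through a CA:FALSE customer certificate, enforces pathLenConstraint on the issuing intermediate, and refuses a revoked (old) intermediate. Certificates are plain Python records rather than parsed X.509, and every name and serial is constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass
class Cert:
    """Just the fields a path checker needs; assumed shape, not real X.509 parsing."""
    subject: str
    issuer: str
    is_ca: bool                      # basicConstraints cA
    path_len: Optional[int] = None   # pathLenConstraint; None = unlimited
    serial: str = ""


def validate_chain(chain: List[Cert], anchors: Set[str], revoked: Set[str]) -> str:
    """Walk leaf -> intermediates -> root. Return 'ok' or the first reason to reject."""
    if not chain:
        return "empty chain"
    for i, cert in enumerate(chain):
        if cert.serial in revoked:
            return f"{cert.subject}: revoked"
        if i == len(chain) - 1:
            break
        issuer = chain[i + 1]
        if issuer.subject != cert.issuer:
            return f"{cert.subject}: issuer mismatch"
        if not issuer.is_ca:
            # A cert issued to a non-CA company must be CA:FALSE, so nothing may chain under it
            return f"{issuer.subject}: not a CA, cannot sign {cert.subject}"
        # pathLenConstraint limits how many CA certs may sit below the issuer (the leaf is not counted)
        ca_certs_below = sum(1 for c in chain[: i + 1] if c.is_ca)
        if issuer.path_len is not None and ca_certs_below > issuer.path_len:
            return f"{issuer.subject}: pathLenConstraint {issuer.path_len} exceeded"
    root = chain[-1]
    if root.subject not in anchors or root.issuer != root.subject or not root.is_ca:
        return f"{root.subject}: not a trust anchor"
    return "ok"


def demo() -> Dict[str, str]:
    """Constructed scenarios mirroring the thread; all names and serials are made up."""
    root = Cert("Example Root CA", "Example Root CA", True, path_len=1, serial="01")
    inter_old = Cert("Example Issuing CA G1", "Example Root CA", True, path_len=0, serial="02")
    inter_new = Cert("Example Issuing CA G2", "Example Root CA", True, path_len=0, serial="03")
    # What a CA should issue to a non-CA customer from its CSR: an end-entity cert
    customer = Cert("Customer Inc", "Example Issuing CA G2", False, serial="10")
    old_customer = Cert("Customer Inc", "Example Issuing CA G1", False, serial="09")
    # What a CA should never issue to such a customer: a cert that can sign subordinates
    customer_ca = Cert("Customer Inc", "Example Issuing CA G2", True, serial="11")
    leaf = Cert("www.customer.example", "Customer Inc", False, serial="12")
    anchors = {"Example Root CA"}
    revoked = {"02"}  # the old intermediate is revoked immediately after re-keying
    return {
        "normal": validate_chain([customer, inter_new, root], anchors, revoked),
        "old_intermediate": validate_chain([old_customer, inter_old, root], anchors, revoked),
        "chained_under_non_ca": validate_chain([leaf, customer, inter_new, root], anchors, revoked),
        "chained_under_rogue_sub_ca": validate_chain([leaf, customer_ca, inter_new, root], anchors, revoked),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```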
Because, if you publicize how you caught their error, they can fix it.
Exactly. They publicized the methods solely for marketing purposes -- so they could write a "ME TOO" article, showing how their "researchers" are "on top" of security, and stealing thunder from the developer of the free decryption software.
Because we're big Symantec, and we can't have third parties scooping us on antimalware techniques.
It also helps their product by making sure the authors of ransomware learn from mistakes, so future ransomware is more robust, AND therefore, users will have greater damage by ransomware in the future, increasing the demand for Symantec's products.
Someone secretly replaced the circle with an ellipsoid
While the proof of concept exploit used an unencrypted attack, the vulnerability can still be exploited AFTER the session is encrypted.
Since the IDS probably cannot decrypt the SSL connection... it is unlikely to detect an attack that occurred after encryption was negotiated, and the extension message is invisible to the IDS.
Using NaCl as you describe to make the water conductive also results in the evolution of Cl - chlorine gas - more than oxygen.
Use sulphuric acid or sodium hydroxide instead of NaCl.
4th grader in what country? Your USA-centrism is showing.
In other first world countries; any 2nd grader should know this.
I'm not sure how you think safety problems could be fixed *before* they are discovered.
Through defensive design. By requiring that system design promote safety, serious safety issues become unlikely. The key is to design systems that are anti-fragile, AND that are robust, such that random safety issues aren't emerging after product release.
Not only is fixing safety problems *after* they are discovered reasonable, it's really the only possibility.
This is not a valid excuse for designing, releasing or using systems with inherent vulnerabilities that are therefore likely to have safety-impacting issues later, and therefore incur this extra liability.
It is useful to people who refrain from doing certain things they might benefit from because they are *not* 100% safe.
As you mentioned.... the benefit is minimal or uncertain, BUT the risk is real. Everything that there is a risk of happening, eventually happens given enough time!
Most people drive their car less than 2 hours a day, BUT rely on their smoke detector to help protect their lives 10+ hours a day.
The fact that your automobile is very dangerous is no reason for engaging in reckless behavior in other areas; it just adds to the probability of random death.
You are about 14 times as likely to die in a car accident as a house fire. Every day you drive a car is as dangerous as going 14 days without any smoke detector at all.
This assumes you are an average driver. But perhaps I am a far-safer-than-average driver driving a far-safer-than-average car.
Maybe your roads aren't as dangerous as the average. There is plenty of room for outliers here.
You can't possibly be sure that you are X times as likely to die in a car accident.
You claim to have calculated risks which are actually impossible for you to have calculated, which is how I know your claim about the relative likelihood is definitely false (that which cannot be true due to an absolute condition is guaranteed to be false).
Maybe you will die in a car accident and I can say "I told you so". It's all about balancing risk vs. reward. I want my house nice and toasty when I come home.
The idea "I want my house to be nice and toasty when I come home, even if there is this substantial chance that some Chinese hacker can kill me" is a bit of a depraved notion. The fact is it's not possible to calculate the "risk" part of risk/reward. The fact is any danger of incalculable risk is not worth it, if the danger is great enough. The reward has to be such that the absence of the reward is as bad, or nearly as bad, as the maximum potential negative impact of potential hazards that may exist.
However, it would probably drive the companies bankrupt.
It should suffice to retain copyright but make publicly available: complete machine-readable compilable corresponding source code, with a grant of permission for any third party to publish patches, compile binaries, and redistribute them after taking reasonable steps to ensure they distribute them only to lawful possessors of a copy of the original software.
During hydrostatic testing with water, there were two pipeline bursts. One caused a landslide that blocked parts of I-280 at Woodside CA. No fire, of course; just water and mud, since this happened during testing.
They should make it mandatory that they do all that testing every 6 months.
I realized before I signed up with Comcast that the break-even point on buying vs. renting a modem is 2 years.
Chances are, if there are any problems --- the technician will blame your non-cable-co-provided modem.
Otherwise I'd go grab an Arris Surfboard SB6141 for $80 instead of paying the $8 a month rental fee.
In my experience... the cable co. overcharges for buying a modem also... like $200 to buy the modem, which is not brand new but has been in use for over 4 years.
Also... the ISP's website only lists a small number of modems, and their representatives explicitly stated you must use one of their modems -- can't use your own: it's not supported by us and won't work, they say.
$0.99 - Convert box rental (Equipment fee)
$18.99 - Converter box software update and 30-day license installation (Service fee)
What ICANN say you can't do is hold a domain to ransom because the customer owes you money - for hosting fees for instance - you have to transfer the domain and pursue the debt through normal means.
What the ICANN rules say is the losing registrar can't hold the domain hostage for any fee-based reason at all, with two narrowly defined exceptions, that do not include "failure to pay a transfer out fee".
ICANN do not forbid a registrar from charging a transfer-out fee; however, the losing registrar cannot stop the transfer based on failure or refusal to pay a transfer-out fee.
The losing registrar has to immediately accept the transfer upon authorization of the admin contact.
If they want to charge a "transfer out" fee, they can bill the fee and try debt collection procedures (which you can dispute) --- the losing registrar cannot hold up your transfer due to your failure to pay or due to your dispute.
Obviously... if you want to fight the transfer fee, authorizing a CC payment and then hoping to do a chargeback is the wrong thing --- don't authorize a payment for a charge you dispute. Giving a CC number to authorize payment for an otherwise disputed charge is tantamount to admitting you owed the fee; applying for a chargeback after authorizing could be considered an act of fraud.
Left is a generic term.
Ah.... but Turn is also a generic term, and one component's left may be another component's up/down or right :)
What do you mean the left signal isn't supposed to be "flip vehicle counterclockwise about vertical axis" ?
though I'm sure it'd take little more than an editing of the hosts file
Not if you use the Windows Defender that comes with Windows 8: Windows 8 has been confirmed to not only ignore, but also modify the hosts file. As soon as a website that should be blocked is accessed, the corresponding entry in the hosts file is removed, even if the hosts file is read-only.
You'd rather save $30 and risk your life to some script kiddie.
No. It's not necessary, because you are just lumping on additional requirements --- most people will not pay the costs to get a certified central system professionally installed with a 24x7 monitoring company watching their alarm, AND this is not required or recommended for the average residence anyway. It's quite possible to design a smoke detector so that it has a monitoring module that is completely isolated from the alarm and has no ability to interfere with the action of the alarm, BUT can use a network connection to give you a remote heads-up about the status of the alarm when you are not at home.
It's this little piece of marvelous technology you have apparently never heard of, called a dry contact relay output, which can provide an isolated digital input to a monitoring module, which you connect to the internet.
Of course an alarm monitoring company can also quickly call the fire department for you, before you notice you have a message from the 'alarm app', if you want, BUT you are not at home (or else you would hear the audible alarm).
The point of having the remote notification is to keep you more informed than you otherwise would be of alarm conditions when you're not there, BECAUSE most people don't get certified central alarm systems installed: you wouldn't know about an alarm when you were not at home anyway.
Of course the gaining registrar charges a fee for transfer -- which covers the domain registration.
The issue is with losing registrars attempting to tack on a fee for customers selecting a competing registrar.
If this is just on the .UK domain... then be sensible, and register a .COM or a .NET in the first place.
It wasn't agreed to... so just transfer your domains out and refuse to pay.
A registrar cannot decline to transfer your domain due to refusal to pay or due to a dispute over payment.
The Registrar of Record must not refuse to release an "AuthInfo Code" to the Registered Name Holder solely because there is a dispute between the Registered Name Holder and the Registrar over payment...
Instances when the requested change of Registrar may not be denied include, but are not limited to:
Nonpayment for a pending or future registration period...
General payment defaults between Registrar and business partners / affiliates in cases where the Registered Name Holder for the domain in question has paid for the registration.
...
The Registrar of Record has other mechanisms available to collect payment from the Registered Name Holder that are independent from the Transfer process. Hence, in the event of a dispute over payment, the Registrar of Record must not employ transfer processes as a mechanism to secure payment for services from a Registered Name Holder.
When he tried to close the web browser, the pop-unders were displayed, and it forced me to talk to him about keeping his workspace visitor safe.
That's nice.... in many organizations, a browser accessing a porn site would have to be reported to HR, and it would generally be grounds for immediate termination.
OH yeah.... even if it did happen to be adware that caused the porn to be displayed while they were operating it, because the user got their computer infected...
No.... when they don't pay the fee to Microsoft. Microsoft wants to control all the advertising on the Start Screen and the Desktop alike.
Of course if you use Microsoft approved advertising methods, and pay Microsoft the relevant fees, you'll get a pass.
Nothing is 100% safe. And this is an impossible standard to meet. Everything we do in life is a calculated risk. I think fixing safety issues as they are discovered is a perfectly reasonable course of action.
No... it's not a reasonable course of action. When safety issues are "discovered" the hard way, lives are lost.
It is a true, but a useless fact that nothing is 100% safe.
Do you really think you can compare the "safety" of Driving to Work, against the "safety" of connecting a thermostat or smoke detector to the internet?
Traditional smoke detectors are highly reliable life-protecting devices. Making them microprocessor-controlled and wiring them up to the internet transforms the detector from a robust device you should be able to bet your life on, even during the apocalypse -- come hell or high water, into this fragile piece where one misplaced line of code, or one ne'er-do-well who hacked in --- can put your life at risk, due to reliance on a safety device that doesn't work.
You want to get notified your smoke detector went off? FINE. Don't connect the smoke detector to the internet --- use a smoke detector that provides optically isolated dry contacts. Connect your contact closure monitoring device to the internet. No excuses for making safety systems fragile!
It's an unequal tradeoff in the first place: so you drive to work. The "next best thing" to driving to work, is likely to have tremendously greater cost, or force you to move house.
Not having an internet connected thermostat, most likely means -- just enduring a few minutes of discomfort, while you have to manually kick on your A/C unit.
which can happen if someone thinks that you've said or done something that the leader clique doesn't like.
Or if someone thinks a member of your family, or one of your well-known friends or neighbors said or did something the leader clique didn't like?
Better be part of the leader clique, or leave.....
The outgoing phone line is to the alarm company, not your cell phone.
So you want to pay $30 extra a month for a 3rd party monitoring company, instead of using the existing internet connection to directly send the message to your smartphone?