Slashdot Mirror


User: blueg3

blueg3's activity in the archive.

Stories: 0
Comments: 4,435

Comments · 4,435

  1. Re:ah the anti-NSF crowd again on SOPA Creator Now In Charge of NSF Grants · · Score: 5, Insightful

    I don't want to fund research on gun violence either.

    The problem ISN'T guns. It's the culture of people. ...
    Without that culture, the interest in guns would decrease with the exception of those who use them as intended -- as tools and defense. And without guns, the violence would change adjust.

    See, figuring out whether or not that's true is what the research is for.

  2. Re:No more GMO! on Genetically Modified Plants To Produce Natural Lighting · · Score: 1

    Given the history we have with things like thalidomide, DDT, leaded gasoline, fen-phen, etc., it is not unreasonable that people be genuinely concerned about GMO crops...

    You realize that you've cast a very wide net with your examples -- about forty years and a wide variety of applications and you have four examples? I'm sure there are more, but consider the vast amount of chemical engineering in that time period that has turned out to be entirely safe -- to say nothing of beneficial.

    ...given how widespread they've become with such little public notice.

    It certainly seems like people have noticed.

  3. Re:BS Summary on Recovering Data From Broken Hard Drives and SSDs (Video) · · Score: 1

    In what sense do you mean "account for"? Do you mean, could the drive controller overcome the hysteresis to minimize it?

    Possibly, but that's a lot more work, and it turns out not to be necessary. Note that the idea people have in their heads about drives -- that there is some little region of the drive that is magnetized one way for a one and one way for a zero and is "just one" bit -- is no longer accurate. The magnetic patterns on disk are rather complicated. (This is a major contributor to why recovering anything from the hysteresis effect just doesn't work any more.)

  4. Re:BS Summary on Recovering Data From Broken Hard Drives and SSDs (Video) · · Score: 5, Informative

    you can recover 1 overwrite actually....

    You cannot. Or rather:
    * Nobody has ever demonstrated success of recovering data from a modern hard drive (anything more recent than MFM) that has been overwritten even one time.
    * The person who wrote the paper on recovering data from drives after erasure, Gutmann, has said there is no reason to believe that it is possible with modern drives.
    * Other people have quite sound theoretical arguments that it is impossible. (That is, there is a hysteresis effect, but it is so small compared to noise that the statistical probability of getting correct data instead of random data is much, much too small to be of any practical use even in a best-case scenario.)

    This is a myth in computer forensics and security that needs to die.

  5. Re:How did he encrypt it? on Federal Magistrate Rules That Fifth Amendment Applies To Encryption Keys · · Score: 1

    It's almost certainly AES, since that's what's used in almost every encryption product out there. AES is government-proof.

    The algorithm's not the problem. It's every other aspect of security that someone (usually the vendor or the user) manages to screw up, rendering the encryption useless to an attacker.

    Since they tried for "months" to decrypt it, either he had a very good password or it's something that uses a many-round PBKDF (combined with a good password).

  6. Re:Debt and GDP have different units on BitCoin Value Collapses, Possibly Due To DDoS · · Score: 1

    Yes, that annoys the hell out of me too, but it's always "GDP in a year" vs debt when people make that comparison. Which really means that what they're fundamentally doing is measuring the debt in units of "years of GDP", which is an entirely legitimate unit. (It's like measuring your personal debt -- or, say, a potential mortgage loan -- in years of income.)

  7. Re:TLS and private mail server on IRS Can Read Your Email Without Warrant · · Score: 1

    If you're hosting the mail server yourself, it doesn't work. They're only absolved from the need for a warrant when a third party is storing the data on your behalf.

  8. Re:But govt email is classified on IRS Can Read Your Email Without Warrant · · Score: 1

    If you followed the procedures for storing classified information to store your personal communications, you would have a reasonable expectation of privacy and the government would need warrants to read your e-mail. Just encrypt any electronic data in transit or stored on publicly-accessible systems, keep paper documents and unencrypted electronic systems (which never connect to the Internet) under lock and key, and only send data to people who agree to follow the same procedures. Even better if you only ever let your data onto publicly-accessible systems when it's absolutely necessary, rather than when it's convenient.

  9. Re:astounding that defaults are not tougher on The Search Engine More Dangerous Than Google · · Score: 1

    Using a default of '1234' is a great way of reminding even minimally competent people that the password needs to be changed from default *right now.* Unfortunately, there are enough people out there not even minimally competent about security that this continues to be a problem.

    Clearly you've both identified and failed to identify the problem. Minimally-competent people *don't* recognize "1234", or other static passwords, as a flag that they need to change the password. You either need to *make* them do it or supply a unique password from the get-go.

  10. Re:astounding that defaults are not tougher on The Search Engine More Dangerous Than Google · · Score: 2

    All the companies using non-trivial "default" passwords use unique passwords anyway.

    It's actually, from my limited, anecdotal experience, pretty effective. The people that don't know to change the password are the same ones that just look up the password on the bottom of the router -- the one or two times (ever) they need it. For the cost of a single sticker, you can force them to (once) use an arbitrarily secure password.

  11. Re:Autonomous vehicles on Speeding Ticket Robots — Laws As Algorithms · · Score: 1

    In a sane world, it *would* be a lot better. It would spell the end for a lot of stupid and inconsistently-enforced laws.

    It's a problem, of course, because a number of laws are intentionally vague so that they can be evaluated by either an "expert" (a cop) or by the "common man" (a jury). Because hard-and-fast rules don't deal well with... well, most situations.

  12. Re:Autonomous vehicles on Speeding Ticket Robots — Laws As Algorithms · · Score: 1

    It's not useful. Speeding is a psychological requirement. In most speed-limit situations, you could follow the speed limit and get to your destination in qualitatively the "same" amount of time. If you're not driving and focusing your attention elsewhere, robot cars could follow the speed limit slavishly and you wouldn't care a bit.

  13. Re:GASP we break the law all the time and no one d on Speeding Ticket Robots — Laws As Algorithms · · Score: 1

    Honestly, I have to agree with this. Let the technology usher in a world of continual, absolute enforcement. It's going to happen anyway. That technological capability isn't going to magically disappear. Banning it because it's not the same model as our old model of real, human police officers pulling us over is no better than insisting on buggy whips and flagmen for automobiles. There'll be consequences, yes. Maybe we'll stop speeding, maybe the speed limits will go up, maybe our robot cars will simply not speed and we won't give a shit, or they'll change the laws to be more lenient on speeders. Some adjustment is bound to happen. Fighting technological progress because it's inconvenient in the context of what we're used to is a stupid way to approach things.

  14. Re:The problem with ram on Ask Slashdot: Getting Apps To Use Phones' Full Power? · · Score: 1

    That's just disk caching. I don't know to what extent Android does it, but most modern operating systems do as much disk caching as they can afford. It's often reported as free RAM, though, because it essentially is.

  15. Re:Political attack on Aaron Swartz's Estate Seeks Release of Documents · · Score: 1

    But if he does, hiding out in the UK was a pretty odd strategy.

    He's not hiding out in the UK, he's hiding out in the sovereign territory of Ecuador, namely their embassy. The reason that he's still there is that the UK has made it clear that if he tries to leave the embassy and go to Ecuador they will violate whatever diplomatic rights Ecuador's embassy vehicles have in order to capture Assange.

    So you're right, hiding in the UK was a bad strategy.

    I said "was" for a reason. He was remaining in the UK, without hiding in an embassy, and trying to avoid extradition to Sweden. His claim was that he didn't want Sweden to turn around and extradite him to the US. That's a very strange claim, since the UK will extradite him to the US just as readily as Sweden.

    Now it's a different situation, as the UK courts decided that they would extradite him to Sweden anyway, so he's hiding out in an embassy. That would have been a very reasonable strategy from the beginning if he thought he was going to be surrendered to the US. It's at least plausible. But for the entire time he was simply living in the UK, trying to keep them from sending him to Sweden, and claiming the "real reason" was that he didn't want to be turned over to the US, it was nonsense.

  16. Re:Political attack on Aaron Swartz's Estate Seeks Release of Documents · · Score: 1

    You should also mention Julian Assange, who has never stepped foot in the United States and has never been subject to its laws. The reason that Assange isn't going to Sweden to face the "sex-by-surprise" charges is that he could not get a guarantee that the Swedes would not immediately turn him over to the US, and he also couldn't get a guarantee from the US that he would receive anything remotely similar to a fair trial.

    That's certainly his claim. Maybe he even believes it. But if he does, hiding out in the UK was a pretty odd strategy. It's not like the UK has some history of refusing to extradite suspects on request by the US; he's no safer there than in Sweden.

    Of course Sweden doesn't want to promise they won't extradite him to the US. He's asking for an unconditional, perpetual guarantee that he won't be extradited. There's no way they're going to make that kind of guarantee, because the US could request extradition some time in the future.

  17. Re:catch-22 on Using Truth Serum To Confirm Insanity · · Score: 1

    It's not. The legal standard of "insanity" under which you can be declared not guilty of a crime is a different standard than being mentally competent to stand trial.

  18. Re:CARS!! on Nearly Every NYC Crime Involves Computers, Says Manhattan DA · · Score: 1

    Maybe some kind of database that ties state-mandated labels on cars to the vehicle's owner.

  19. Re:Who is surprised? on Nearly Every NYC Crime Involves Computers, Says Manhattan DA · · Score: 2

    They don't. In general, you need a warrant to seize a computer just like you need a warrant to seize anything else. There are currently two major exceptions to this, neither of which is really solidified yet. One is data about you or held on your behalf by a third party. This is murky in the real world, too, but it tends to be less common, whereas digital data held by a third party is very common (e-mail residing on your ISP's servers, for example). The other exception is the search of cell phones when you're arrested. There is already a general physical-world rule that you and your immediate possessions can be searched when you're arrested (recall that an arrest often requires a warrant already); that's a search incident to an arrest. However, if one of those possessions is a cell phone or, worse, a smart phone, there's no clear delineation of how extensively its contents can be searched. In this situation, if you had a paper phonebook, it could be searched. By extension, some argue that any contents of your phone can be searched, but with smartphones, that's giving access to a lot of data.

  20. Re:In other news... on Nearly Every NYC Crime Involves Computers, Says Manhattan DA · · Score: 2

    And there are forensic specialists that analyze shoeprints at a crime scene. Also fibers left behind by clothing and tire tracks.

  21. Re:Really? on Nearly Every NYC Crime Involves Computers, Says Manhattan DA · · Score: 2

    That might be useful, if only watches stored evidence. They don't, but computers do.

    The gist of it is that, in investigating a crime, you need to look where the evidence is. More often today, a lot of this evidence is bits on a computing device or stored with an online service. So, police need to be equipped to actually be able to do that and to be able to do it correctly.

  22. Re:Nature, Science and everything else on The Real Reason Journal Articles Should Be Free · · Score: 1

    Because the people managing the distribution of your tax dollars haven't decided that publication of results in a free journal is a goal. Which to an extent is reasonable -- the point isn't to educate the masses, the point is to advance the state of the art. So it needs to be available to other scientists, who, by and large, do have access to these journals. Requiring them to publish in a free journal has a nonzero cost that isn't fulfilling the primary goal of the research.

    Convince your lawmakers that publication in open-access journals is important. Funding agencies can add that as a stipulation to their grants and it will get done. The NIH did it.

  23. Re:UEFI on Linus Torvalds Clarifies His Position on Signed Modules · · Score: 1

    Microsoft could disable the key, which would then disable *Linux* systems.

    Future Linux systems, until a new key is obtained. Unless you're suggesting that Secure Boot will connect to the Internet to obtain a CRL.

  24. Re:Storing plaintext passwords should be illegal on Australian Tax Office Stores Passwords In Clear Text · · Score: 1

    How about you read the comment to which I was replying? I quoted the relevant part in my comment, even.

    Here, I'll do it again.

    When forms are submitted, browsers should not allow "hidden" fields to be transmitted directly, and instead should have a default action of encrypting them with Bcrypt or SHA-256. ... The default should be transmission of encrypted passwords, not plaintext.

    They're talking about hashing before sending.

    I agree that the article is about the actually-useful practice of hashing server-side. But my comment is rightfully about the useless suggestion of hashing client-side.

  25. Re:Storing plaintext passwords should be illegal on Australian Tax Office Stores Passwords In Clear Text · · Score: 3, Informative

    But we need to go further than that. When forms are submitted, browsers should not allow "hidden" fields to be transmitted directly, and instead should have a default action of encrypting them with Bcrypt or SHA-256. When building a website, many people will use defaults and follow the easiest path. The default should be transmission of encrypted passwords, not plaintext.

    This is why security is often so terrible: people don't know what they're talking about when it comes to security, but they throw some encryption (or in this case, hashing) at the problem and hope it solves it, like pixie dust.

    Hashing isn't encryption; encryption is reversible, while hashing isn't. There's already a system for encrypting transmissions between a browser and a Web server.

    If you hash the password before transmitting it, then the hash is simply the password. Sure, it doesn't look like "password" or "123456", but it retains all of the security problems that a plaintext password does. It provides absolutely no security benefits, but it looks better (if you don't look too hard) because you've applied some crypto, somewhere!