>Modern Islam is owed no credit for any discoveries
We have a partial unified field theory, explaining the weak interaction and electromagnetism as part of the same thing. Its co-discoverer was Abdus Salam, a devout Muslim who saw his work as a form of worship. He saw it as a duty and a privilege to study the works of God, which of course includes both the Quran and the material universe.
From Abdus Salam's Nobel Prize biography:
Abdus Salam is known to be a devout Muslim, whose religion does not occupy a separate compartment of his life; it is inseparable from his work and family life. He once wrote: "The Holy Quran enjoins us to reflect on the verities of Allah's created laws of nature; however, that our generation has been privileged to glimpse a part of His design is a bounty and a grace for which I render thanks with a humble heart."
It could have some PR value if done right, and if a 2009 judge or jury heard about the 2007 put-up-or-shut-up challenge it might influence them.
That's near infrared (only ~30% outside the visible range), and everyone working with lasers in that range wears goggles because they need them.
>leave the social security numbers on the documents, please
Believe me, that municipality is going to be even more cash-strapped if and when they have to pay for all the damage they cause by publishing SSNs.
>Would is really be so hard to require that new credit accounts can only be issued with a notarized signature?
Credit is a drug. Drug pushers don't want anything to slow down their chance to get money from a desperate customer.
Credit issuers make lots of money from both legal instant credit and from lending to crooks and collecting from fraud victims.
Your suggestion is good security, good policy, and will be blocked by intense lobbying. (Also vulnerable to the forged ID problem, since that's what notaries check).
Door locks, armored cars, fences and alarms don't prevent crime, they raise the cost (including risk) above the benefit.
Same here. An SSN has some market value. Cheap automated harvesting is profitable. Driving to a courthouse and copying by hand almost certainly isn't. No profit, no mass crime. The threat is then reduced to stalkers and private detectives.
Finding: good
Fixing: good
Reporting to maintainers: vital
Reporting to the public: depends on many things all of which are hotly disputed. To the extent there's a consensus, it's to make public announcements after there's been time to code, test and release a patch. If the supplier hasn't used that time to fix the product, well, their customers deserve to be warned before a black hat discovers the same thing and uses it for evil.
Reporting to the whole world simultaneously only makes sense if you believe all information should be free at all times regardless of the effect, or if you're sure that the software supplier will never fix anything, or if all the users are technically sophisticated enough and have enough free time to fix it themselves.
It's more complicated than that, of course. Another variable is whether the announcement is a description or whether it contains kiddie-scriptable exploit code.
Like, say, paying for security bug reports.
Isn't the state of the art in DDoS to have each zombie make plausible requests at some reasonable rate?
A big botnet (60K zombies) could have each one fire once a minute and request some graphics-heavy 300KB page on your site. 300 KB * 8 bits/byte * 1000 downloads/sec = one OC-48 (as if your server could handle it). Move the graphics, and if the botnet is under realtime control it will start hitting the new location. Remove the graphics, and in some markets your site is out of business.
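The arithmetic in the comment above, carried one step further as an added example (written for this page, not code from the original comment): it constructs the 60,000-bot, one-request-per-minute traffic synthetically and runs it through a per-source-IP sliding-window rate limiter, the kind of control a site would reach for first. The limiter threshold (60 requests per minute per IP), the 300 KB page size and the 10.0.0.0/8 bot addresses are assumptions; nothing here touches a network.

```python
import random
from collections import defaultdict, deque

OC48_BPS = 2_488_320_000  # OC-48 line rate in bits per second (SONET STS-48)


def botnet_events(n_bots=60_000, page_bytes=300_000, window_s=60, seed=1):
    """Constructed traffic: every bot fetches the page once per window.

    Returns (timestamp_seconds, source_ip, bytes) tuples sorted by time."""
    rng = random.Random(seed)
    events = []
    for bot in range(n_bots):
        # Synthetic source address: one distinct IP per bot (assumed 10/8 space).
        ip = f"10.{(bot >> 16) & 255}.{(bot >> 8) & 255}.{bot & 255}"
        events.append((rng.uniform(0, window_s), ip, page_bytes))
    events.sort()
    return events


def single_source_events(n_requests=60_000, page_bytes=300_000, window_s=60, seed=1):
    """Same request count and page size, but all of it from one address."""
    rng = random.Random(seed)
    events = [(rng.uniform(0, window_s), "203.0.113.7", page_bytes)
              for _ in range(n_requests)]
    events.sort()
    return events


def aggregate_bps(events, window_s=60):
    """Offered load in bits per second over the window."""
    return sum(nbytes for _, _, nbytes in events) * 8 / window_s


def per_ip_blocked(events, max_per_window=60, window_s=60):
    """Sliding-window limit of max_per_window requests per source IP.

    Returns how many requests the limiter would reject."""
    recent = defaultdict(deque)
    blocked = 0
    for ts, ip, _ in events:
        q = recent[ip]
        while q and ts - q[0] > window_s:
            q.popleft()
        if len(q) >= max_per_window:
            blocked += 1
        else:
            q.append(ts)
    return blocked


def assess(events):
    """Summarise what the link sees versus what a per-IP limiter catches."""
    bps = aggregate_bps(events)
    return {
        "requests": len(events),
        "offered_gbps": bps / 1e9,
        "oc48_fraction": bps / OC48_BPS,
        "blocked_by_per_ip_limit": per_ip_blocked(events),
    }


if __name__ == "__main__":
    for name, ev in (("botnet, 1 req/min per bot", botnet_events()),
                     ("single source, 1000 req/s", single_source_events())):
        print(name, assess(ev))
```

The botnet case offers 2.4 Gbps, about 96% of an OC-48, and the per-IP limiter rejects nothing because no address ever exceeds one request per minute; the single-source flood offers the same load and loses all but 60 requests. Whatever defence is used against the distributed case has to work on the aggregate (request mix, geography, behavioural scoring, upstream scrubbing), not on per-source counts.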
>The solution is to nix net-neutrality legislation and allow the consumer and the producer to come to terms on need versus price.
That *is* net neutrality.
What the telcos want is to prevent the consumer and producer from reaching their own commercial understanding, but instead to stand in the middle and demand a cut in exchange for not interfering.
Howard vs. AOL went up to the 9th Circuit, which decided AOL was not a common carrier.
For whatever it's worth, Wikipedia agrees with you: "Internet Service Providers have argued against being classified as a "common carrier" and, so far, have managed to do so. "
They do get some immunities similar to those of common carriers under section 230 of the otherwise odious CDA.
This whole discussion was happening a lifetime ago.
Everyone who had service with The Phone Company was paying for a dial tone and the ability to place calls on demand. Except even that network was oversubscribed. It was nowhere near the capacity to offer simultaneous dialtone to everyone who was paying for it.
What The Phone Company did that ISPs don't seem to handle as well was accurate demand forecasting and investment to the point that they could handle anything short of a regional disaster or Mother's Day.
Also, it's interesting to look up the etymology of "algebra" and "algorithm".
>Of course, it could just be that the design held some spiritual significance. A lot of trouble to go through, however.
There are cathedrals that took centuries to build. Don't underestimate what people will invest in religious expression.
The whole reason it's allowed is so you can compel people and organizations to identify the defendant, at which point you can move on to establishing liability and trying to collect.
Or compare to average sentences for violent crimes such as rape and kidnapping.
There has been a polling effort about attitudes toward terrorism worldwide.
One question was about attitudes toward "bombing and other attacks intentionally aimed at civilians". Here are percentages of people who considered such things "never justified", in the most populous Muslim countries:
Indonesia, 74%
Pakistan, 86% (and that's home to some high-profile crazies)
Bangladesh, 81%.
Do you see a problem in those numbers not being higher? Compare them to another nation in the survey.
Guess Where, 46%
Where is this place, where 54% think terrorism can be justified? Is it Iran? Saudi Arabia?
http://www.csmonitor.com/2007/0223/p09s01-coop.ht
There are 1.5 billion Muslims. If something about their religion caused people to blow themselves up in crowds we'd see far more of that particular crime.
It sounds like they weren't at all sure they could do it. Double coolness that the results were surprising.
No -- Skype was quite explicit that this would be for subscribers to a voice and/or data plan. This is about phone customers being able to run Skype over their paid-for connections.
Elsewhere in the comments people have correctly pointed out that it isn't encryption at all and that it is fundamentally incompatible with any router, switch, bridge or even repeater.
There's also the limit of 5.5 kbps, though that might be improved.
The issue that should have killed this idea ten years ago when Shamir pointed it out is that an attacker who has spliced the fiber can read the polarizer without ever looking at a single one of the transmitted photons.
Send the $#$@! key material by bonded courier in a tamper-evident package if it's that important. If for some reason that's not enough then split (e.g. Blakley-Shamir) the key material into shares, send each separately, and recombine when needed.
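The split-and-recombine step the comment suggests, as an added example written for this page (not code from the comment): a (k, n) threshold scheme in Shamir's form over the prime field GF(2^521 - 1). The Mersenne prime is an assumed choice made so that a key of up to 64 bytes fits in one field element. Shares come from a random polynomial whose constant term is the secret; the secret is recovered by Lagrange interpolation at zero. Any k shares reconstruct it, and fewer than k yield a value unrelated to the key.

```python
import secrets

# Field prime: the Mersenne prime 2^521 - 1 (an assumed choice for this example).
# Any secret shorter than 65 bytes is a field element.
P = 2**521 - 1


def _eval_poly(coeffs, x):
    """Evaluate coeffs[0] + coeffs[1]*x + ... + coeffs[k-1]*x^(k-1) mod P (Horner)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


def split_secret(secret: bytes, n: int, k: int):
    """Split `secret` into n shares (x, y); any k of them reconstruct it.

    The constant term of a random degree-(k-1) polynomial is the secret;
    share i is the polynomial evaluated at x = i (never at x = 0)."""
    if not 1 <= k <= n:
        raise ValueError("need 1 <= k <= n")
    s = int.from_bytes(secret, "big")
    if s >= P:
        raise ValueError("secret too large for the field; chunk it first")
    coeffs = [s] + [secrets.randbelow(P) for _ in range(k - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n + 1)]


def recombine_int(shares):
    """Lagrange interpolation at x = 0 over the supplied (x, y) shares.

    With k or more distinct shares this is the secret; with fewer it is the
    value of some other polynomial, i.e. noise."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share index")
    total = 0
    for xi, yi in shares:
        num = den = 1
        for xj, _ in shares:
            if xj != xi:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, -1, P)) % P
    return total


def recombine(shares, secret_len: int) -> bytes:
    """Recover the secret bytes. An insufficient or corrupt share set gives
    garbage and may raise OverflowError if the value does not fit."""
    return recombine_int(shares).to_bytes(secret_len, "big")


if __name__ == "__main__":
    key = secrets.token_bytes(32)            # e.g. an AES-256 key
    shares = split_secret(key, n=5, k=3)     # five couriers, any three suffice
    assert recombine([shares[0], shares[3], shares[4]], 32) == key
    assert recombine_int(shares[:2]) != int.from_bytes(key, "big")
    print("3-of-5 sharing OK; two shares alone do not give the key")
```

Two practical points the scheme itself does not cover: each share must travel with its index x, and Shamir sharing gives no integrity, so a share altered in transit silently produces a wrong key. Verify the recombined key against an out-of-band hash (or use a verifiable variant) before trusting it, which is the software analogue of the tamper-evident package.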
>IBM has a big stake in LINUX continuing as it is.
Exactly as it is?
What's to stop IBM from executing a cross-license with Microsoft, and then having IBM Linux be the only kind anyone could distribute without getting sued? They'd lose the advantages of getting free community development, but IBM could afford to compensate by offering salaries to developers of key pieces they really need,
Research prototypes of capability-based OS designs. HP Labs even put one together as a retrofit for Windows.
You're exactly right: time to stop pretending that it's still 1970 and that the code is more trustworthy than the users are.
Safer than giving up and running as Administrator is to use Filemon and Regmon to find out what exactly the broken application is doing that it shouldn't, then changing the ACL for just those files or registry keys.
Windows non-administrator LUA/UAC advice, tips and tricks.
>Instead, you could use the verified IDs from certs/keys to look up information from a master DB, much like Brands and dozens of other interchangeable knuckleheads are proposing.
That is the exact opposite of what Dr. Brands is proposing, and the existence of a central database full of sensitive information is precisely the problem he's trying to prevent. How anyone could read his PhD thesis without understanding that is beyond my imagination.
>you're still trusting a third party to only give out a piece of your total profile at a time.
Not if they don't *have* your complete profile and see only a signed assertion of your age, or your blood type, or whatnot. Even cooler, you can disclose the result of a Boolean without disclosing the terms inside it: with a Brands credential you could assert "either over 18 or an emancipated minor", for example.
>What is the chance that VISA/MC/AMEX will re-engineer their systems to be privacy-preserving?
Pretty high, but only if they are on the hook legally for privacy breaches, or if their customers start swinging business based on privacy concerns. Otherwise nil.