Slashdot Mirror


User: Beryllium+Sphere(tm)

Beryllium+Sphere(tm)'s activity in the archive.

Stories: 0 · Comments: 4,347

Comments · 4,347

  1. Re:That should work just fine on Scientists Attempt To Calm Volcano · · Score: 1

    What they hope to accomplish is more like a muffler on car exhaust. Plugging the exhaust pipe doesn't work the way you want, letting it out unimpeded is too loud, so you let it out but only through a maze of twisty passages all alike. A muffler produces some backpressure but not enough to blow holes in the rest of the exhaust system.

    Which is not to say that it will work. Mother Nature is quite capable of hearing both of us out and then saying "Analogies are like goldfish -- sometimes they don't illuminate the discussion" and creating an earth shattering kaboom.

  2. Terror-ism on Aqua Teen Hunger Force Brings Boston to a Halt · · Score: 2, Insightful

    >We don't even need terrorists anymore. All it takes to shut down a city is cowering, whimpering, losers afraid of their own shadow.

    "No one can terrorize a whole nation, unless we are all his accomplices" -- Edward R. Murrow

  3. LED breakthroughs on California Proposes to Ban Incandescent Lightbulbs · · Score: 1

    You don't need a breakthrough, just a continuation of the high-speed progress of the last few years.

    Compact fluorescents are 50+ lumens per watt, with 75 being really good. Last year, the pre-production state of the art was 131 lumens per watt in a white LED. LEDs were shipping (mass production) at 40 lumens per watt in 2004 and are now more like 60.

    The cost of LEDs is crashing. The bulb over my stairs which I paid $32 for is now available for $12. A compact fluorescent is more cost-effective today, but if the bulb is difficult or dangerous to change then an LED is already the right choice.

  4. Re:Mee too on California Proposes to Ban Incandescent Lightbulbs · · Score: 1

    >many companies (Lowes, Fred Meyer)

    Recently, Fred Meyer was *still* selling Lights of America bulbs. Research what you're getting before you install it. I hope Lights of America has improved since the last time I bought any, at which time I saw one premature failure after another sometimes accompanied by alarming smoke output. More Lights of America comments.

  5. Actuarial data on How to Measure Security ROI? · · Score: 1

    What he said. There are several reasons the situation is this bad.

    Insurance companies can tell you how likely a fire is and how much it costs to clean up and rebuild after one. They have the numbers to justify "loss prevention programs" and to justify giving you discounts for alarm systems. Finance people know all about this.

    For security incidents those numbers simply aren't available. It's hard to cover up a fire, but lots of places hush up security events. The costs are partly intangible (how do you put a number on winding up in the newspaper for leaking 50,000 Social Security numbers?). Unless you're a huge company collecting data internally and using separate charge numbers for incident response, you have to guess at the numbers that would go into ROI. Finance people can spot guesses from a mile off. Talk security ROI to them and they'll know not to believe you.

    The approach some people are taking, at least in my part of the world, is to build a believable estimate of worst-case costs (fumigate and rebuild servers, pay for credit reports for all the customers) and then make the budget case to the level of management that would have to authorize funding the cleanup expenses.

  6. This is a device that can change things on Mass Storage For Phones · · Score: 1

    Imagine carrying this around in your pocket in Latveria with a shared directory "Police Brutality Videos/" or "Victor is a loser.gif". You'd be hard to catch: the hardest part of radio direction finding is the last few meters, you could stand near RF-reflective surfaces, and you could simply move on when someone shows up with direction finding equipment. The storm troopers might resort to slamming everyone in the area to the pavement and searching them, so wear an expensive suit and carry a card that says "Please extend the bearer every courtesy --VvD". If another dissident comes within range, you've passed along your samizdat without the risk of an actual meeting: neither of you needs to know the other. And talk about easy to conceal... Just seal it in a blister pack and put it at the back of the rack at Best Buy.

  7. Re:No room left for legitimate marketing. on 7 Ways to Be Mistaken for a Spammer · · Score: 1

    >When the first spam messages went out back in the 90s, they didn't try to be as deceptive or fraudulent as they are today.

    They weren't really legitimate either. Canter and Siegel were selling information that the government made available for free. Cyber Promotions crashed people's email servers.

    >If these people think that advertising shouldn't have a place in our society

    That would be an argument about AdBlock users, not about anti-spam activists. There's no hypocrisy in accepting ads that are paid for and useful (Google context ads for example) and condemning advertisers who use other people's resources without paying. Remember the phrase "Postage Due marketing"?

    Capitalism is about exchanging value for value. Spammers are trying to get a free ride. That's why "if it's spam, it's a scam".

  8. Re:Fair enough -- as long as they follow the rules on 'Full-Pipe' FBI Internet Monitoring Questionably Legal · · Score: 1

    >This extends the police's right to examine a crime scene, only.

    It extends their power beyond examining a crime scene, permitting them to examine anything that might be a crime scene.

    Unless the full-pipe records are held in escrow by someone independent of law enforcement, and unless courts enforce restrictions on what queries law enforcement can make of the escrow agent, then this is exactly the kind of driftnet surveillance that a free society won't allow.

    >BS red tape

    Nope: just a fundamental human right recognized for centuries. The US founding fathers didn't invent it, it was part of English legal thought already.

  9. Ouch on Who Killed the Webmaster? · · Score: 3, Funny

    >an image of C.S. Lewis's Alice tumbling down a hole

    Both the author attribution, and the content of the article, belong to the wrong century.

  10. Re:What really is wrong with porn? on Canadian Phone Company Selling Porn · · Score: 4, Insightful

    >Porn to me, replicates what happens in real life...in the real world.

    How often have you seen someone in a porn film use a condom or say "I love you"?

  11. Re:reliable on Bluetooth Spam In Public Spaces · · Score: 1

    And with mandatory station identification, a blanket ban on commercial traffic, and a subset of people who make a sport out of locating rogue transmitters, spam can be suppressed.

  12. Record on The Privacy Candidate · · Score: 1

    Description of the legislation she (her staff really) is drafting:

    This legislation not only provides clear privacy rules, but it gives you clear protections for your most private information; the right to sue when those rules have been violated, the right to protect your phone records, the right to freeze your credit when your identity has been stolen, the right to know what businesses are doing with your credit and credit reports, and the right to expect the government to use the best privacy practices itself with your information.

    She also mentioned

    Last year I proposed the SAFE-ID bill which ensures that customers will be notified when their personal data is sent abroad, and they should have the right to opt out.

  13. Olmstead vs. United States on The Privacy Candidate · · Score: 1

    Justice Brandeis called it "... the right to be let alone -- the most comprehensive of rights and the one most valued by civilized men."

  14. Historical comparison on Google Blurring Sensitive Map Information · · Score: 1

    The USSR used to leave entire towns off of maps altogether, and they weren't that friendly about making any maps available. They remembered having been invaded, and were afraid that maps might be useful to invaders.

    Google is doing much less damage to information flow than the USSR's cartographers did. They're probably doing an equal amount of good.

  15. Exactly. If it were a security matter, on Government Seeks Dismissal of Spy Suit · · Score: 3, Interesting

    then they should insist on the chance to argue it before the Justices.

    This pattern of hyping a security threat and forgetting about it when challenged has come up before. Yaser Esam Hamdi was supposedly too dangerous ever to be set free, allowing him to see a lawyer was somehow supposed to endanger our national security, and when he finally did get to meet an attorney the military recorded the entire meeting.

    So, when the Supreme Court ruled that a US citizen was entitled to say "put up or shut up" when imprisoned, did the government build up a prosecution based on the Qala-e-Jangi prison riot? No -- they cut him loose and shipped him to Saudi Arabia. Pretty much the last thing anyone who cared about the country would do if they really thought he were a terrorist.

    We already knew that it wasn't a national security issue whether a security-cleared patriotic judge saw the wiretap applications beforehand (even after the fact if the government so chose). Now we know that the Administration didn't even think it was a national security issue.

  16. Re:Mandatory GW on The Mystery of Saturn's Atmosphere · · Score: 1

    It is easier when you can acquire data any time you want and drill for geological records going back thousands of years.

  17. Suppose it does exactly what it says on Testing Commercial 2-Factor Authentication Systems? · · Score: 3, Interesting

    Is that enough to provide confidentiality?

    Give it a realistic test. Create a Word document with the file name "Arson Confession" and type out something about how you set fire to an orphanage. Make a few revisions. Run Firefox with an extension that leaks memory, leave it up for a day or two so that it forces everything else to be swapped out. Simulate a crash by doing an End Process on Word from the task manager once.

    Then boot from a Linux live CD and do something like "strings /dev/hda | fgrep -e Arson -e Confession -e orphanage > leaks.txt".

    Document names in MRU lists in the registry, temp files, and the swap file might not be covered by the encryption. A file name could be a pretty damaging thing to leak. Consider also that Windows may store the file name as Unicode in some places that wouldn't show on fgrep.

    It's good thinking and sound practice to wonder whether the gadget does what it claims, but a huge number of security problems come from threats that were outside what the security designers were thinking about. "Security is like an analogy. It only works up until the point that someone considers an angle or aspect that you haven't previously considered and accounted for."
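The leak check described in the comment above, extended to the UTF-16LE case it warns a plain fgrep would miss. This is an added example, not part of the original comment; the function names, chunk size and the sample "disk image" are constructed for illustration.

```python
import io

def find_leaks(stream, terms, chunk_size=1 << 20):
    """Scan a raw image for each term as single-byte text and as UTF-16LE.

    Returns sorted (offset, encoding, term) tuples. Chunks overlap so a
    term that straddles a read boundary is still found.
    """
    patterns = [(t, enc, t.encode(enc))
                for t in terms for enc in ("utf-8", "utf-16-le")]
    overlap = max(len(p) for _, _, p in patterns) - 1
    hits, tail, base = set(), b"", 0      # base = absolute offset of buf[0]
    while True:
        chunk = stream.read(chunk_size)
        if not chunk:
            break
        buf = tail + chunk
        for term, enc, pat in patterns:
            pos = buf.find(pat)
            while pos != -1:
                hits.add((base + pos, enc, term))
                pos = buf.find(pat, pos + 1)
        tail = buf[-overlap:] if overlap else b""
        base += len(buf) - len(tail)
    return sorted(hits)

def build_sample_image():
    """Constructed 4 KiB stand-in for an unencrypted region of a disk."""
    name = "Arson Confession.doc"
    img = bytearray(4096)
    img[512:512 + len(name)] = name.encode("ascii")   # temp-file style entry
    img[1020:1029] = b"orphanage"                     # straddles a 1 KiB boundary
    wide = name.encode("utf-16-le")                   # how Windows often stores names
    img[2048:2048 + len(wide)] = wide
    return bytes(img)

def ascii_only(hits):
    """The subset a byte-oriented 'strings | fgrep' pass would have reported."""
    return [h for h in hits if h[1] == "utf-8"]

if __name__ == "__main__":
    terms = ["Arson", "Confession", "orphanage"]
    found = find_leaks(io.BytesIO(build_sample_image()), terms, chunk_size=1024)
    for offset, enc, term in found:
        print(f"{offset:#08x}  {enc:<9}  {term}")
    print(f"{len(found) - len(ascii_only(found))} hit(s) visible only as UTF-16LE")
```

On a real test machine the stream would be the raw device or an image of it, opened read-only from the live CD.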

  18. Re:Class action on 25 Percent of All Computers in a Botnet? · · Score: 1

    Vast majority? I haven't seen the sort of statistics that could support a claim like that. Put together the drive-by downloads with the results of Microsoft's failure until recently to enforce the industry-standard practice of running as a limited user. Add the number of open ports in most versions. Consider the amount of time any system up to and including XP SP1 could spend connected to the internet *without user interaction* before getting infected (minutes: not long enough to download security updates).

    Slammer and Code Red did enough damage all by themselves to occupy a law firm, and neither one involved a user downloading animated cursors.

    Microsoft's defense might be to point to the way they send out free patches (want to think about their bandwidth bill for that?) and their record of continuing improvement.

  19. Re:Cybercrime on 25 Percent of All Computers in a Botnet? · · Score: 1

    Department of Justice advice to law enforcement officers investigating crimes where computers are involved
    (Blog plug warning) My review of the DOJ computer crime advisory.

    Law enforcement has an easier time being clueful now than they did ten or fifteen years ago.

  20. Re:Article does not explain the zombification proc on "Free Wi-Fi" Scam In the Wild · · Score: 1

    There's software to rewrite web pages on the fly, which could be used to splice in an IE exploit (if, hypothetically, you knew of one that hadn't been patched :-)). Or just redirect to a site that does driveby downloads for your business associates.

  21. Re:Big surprise. on MySpace and GoDaddy Shut Down Security Site · · Score: 1

    >The only way this sort of thing can be stopped is by government regulation, unfortunately.

    Or by business interference lawsuits, or whatever legal theory an actual lawyer would find that fits.

  22. For better searching on MySpace and GoDaddy Shut Down Security Site · · Score: 2, Informative

    The French registrar is Gandi, as opposed to Ghandi. This is meant to assist people in finding them and is not intended as a spelling flame.

  23. Why not use it as output? on Professors To Ban Students From Citing Wikipedia · · Score: 1

    What better way to prepare for scholarship than to research something, publish it, and have it torn to shreds by people who know more than you do and by people who know less than you do?

    "Update and correct the Wikipedia article on how mystery plays influenced Marlowe and Shakespeare" would be a great assignment. "Evaluate and discuss the ensuing edits" would be a great followup.

  24. Re:Kinda makes you wonder on NASA to Launch Magnetic Storm Probes · · Score: 1

    The minimum altitude for auroras is around 80 km.

  25. Re:Leadtime for security: Is it too late? on A Competition To Replace SHA-1 · · Score: 2, Informative

    >This is what a hash is by design: obscurity.

    "Security through obscurity" means trying to depend on indefensible secrets. The classic example from 19th century crypto theory is that it's stupid to try to keep your crypto algorithm secret, so you should keep keys secret instead.

    Security through obscurity leads to worldwide breaks when it fails.

    The existing secure hashes have nothing obscure about them. The algorithms are published and open for review. The fact that they're vulnerable to brute force is not being hidden and is the same problem that all the workhorse encryption algorithms have.

    "Security through obscurity" would be trying to hide the fact that there's a work factor reduction attack and hoping that nobody rediscovered it.