Slashdot Mirror


User: errandum

errandum's activity in the archive.


Comments · 628

  1. Re:Ha! on Bluetooth Keyboards With a 10-Year Charge Promised · · Score: 2, Informative

    I don't think current battery technology lasts that long, especially store-bought AAs.

  2. Re:Account security on Scammers Work Around Two-Factor Authentication With Social Engineering · · Score: 1

    Independent of whoever programs the system you're only as safe as they are. And after that fiasco I'd sooner put my trust in RSA than most entities (quite sure they are paranoid-secure now).

  3. Re:Account security on Scammers Work Around Two-Factor Authentication With Social Engineering · · Score: 1

    So, if someone gets access to your Google account, won't that compromise you even further?

  4. Re:Account security on Scammers Work Around Two-Factor Authentication With Social Engineering · · Score: 1

    If you sign something with your private key, whoever has your public key can check if it was you or someone else that did it or even if any of the two was altered. It's a property of the scheme.

    Same if someone encrypts something with your public key: you'll only be able to access the information if you have access to the private key.

  5. Re:Excellent! on Reverse Robocall Turns Tables On Politicians · · Score: 1

    In the end you'll never reach them, only the bottom of the bottom that is handling the phones. You're making that guy's day miserable...

    It'd be fun if they ended up doing the same to you and spammed your home phone because you spammed theirs :P

  6. Re:What's the point of this story? on Scammers Work Around Two-Factor Authentication With Social Engineering · · Score: 1

    I doubt the CEOs implemented the system, it was most likely an incompetent engineer. And you can't rely solely on the time based apps, you need to consider all the clients that still use phones from the 1990's. A hybrid system that supports both forms of identification would be ideal.

    And please tell me what do they have to win with having an insecure system? Your whole speech was going great until you pointed to the CEOs as the ones responsible.

  7. Re:Avoid binary please!! on Red Hat's Linux Changes Raise New Questions · · Score: 1

    The comment about RSA and AES was just to prove to you that because something is open source, it doesn't mean you can simply break it by knowing the code.

    Never said it was impossible, just improbable that someone from a remote shell would be able to do it in a reasonable amount of time. What you're saying is reverse engineering whatever part hides the key, then whatever part defines the algorithm that is used and then remake every single hash that was done from the point you deleted a log upwards so that it checks out in the end. Then you have to deal with the database security and integrity. And all that without setting off any kind of bells monitoring the system.

    When I said you'd be using a server farm I never thought you were thinking about decompiling the kernel. Again, I highly doubt you'd be doing it remotely in a feasible amount of time, but be my guest.

    And all that can be avoided if a hybrid system (like the PS3's hypervisor) is used - and that's something I can see happening if you own a system sensitive enough.

    And in the end, yes, it can be done, but you're comparing it to plain text log security where the password you already have (root) is enough to change anything you want? Really?

  8. Re:Avoid binary please!! on Red Hat's Linux Changes Raise New Questions · · Score: 1

    Ok, I'll say it this way:

    If you are extremely lucky, you can break RSA or 256-bit AES. Is it probable? No. The algorithms used in both are well known, and any security algorithm can be broken with enough time and horsepower, but banks rely on these, so I'd guess there is a reasonable amount of trust in both of them.

    Do you even understand what I'm talking about? The algorithm used doesn't really matter, the security key does. The whole system can be open source and the key can be unique. Can it be broken? Yes, it can, but is it feasible? Is it doable in a reasonable amount of time? Do you have 1 month to spare and a server farm just so you can go back and edit the logs (that by then have already generated thousands of new lines of code that need to be refactored)?

    No alternative would be perfect, but I'd say most of these would be more dependable than simple text files.

  9. Re:Avoid binary please!! on Red Hat's Linux Changes Raise New Questions · · Score: 1

    Not saying it can't be done, but that would involve reverse engineering the process in order to find a key and/or algorithm (or whatever would be used to sign) and I'd say that doing so remotely would be quite the challenge. In theory, you're right, it is possible, but I don't think it is probable.

    I was thinking about a cumulative scheme, where the next signature would depend on the one before, that way if something goes missing in the middle, you could be sure you were tampered with.
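
Added example (not part of errandum's comment or of any project discussed in the thread): a minimal sketch of the cumulative scheme described above, using a keyed HMAC chain in place of public-key signatures. The function names, the key and the log lines are constructed for illustration.

```python
import hashlib
import hmac

GENESIS = b"\x00" * 32  # fixed starting value for the chain


def _tag(key: bytes, prev_tag: bytes, message: str) -> bytes:
    # Each tag covers the previous tag, binding every entry to its predecessors.
    return hmac.new(key, prev_tag + message.encode(), hashlib.sha256).digest()


def append(log: list, key: bytes, message: str) -> None:
    prev = log[-1][1] if log else GENESIS
    log.append((message, _tag(key, prev, message)))


def first_bad_entry(log: list, key: bytes, expected_head: bytes = None):
    """Index of the first failing entry, len(log) if the tail is missing, None if intact."""
    prev = GENESIS
    for i, (message, tag) in enumerate(log):
        if not hmac.compare_digest(tag, _tag(key, prev, message)):
            return i
        prev = tag
    if expected_head is not None and not hmac.compare_digest(prev, expected_head):
        return len(log)
    return None


def demo() -> dict:
    key = b"constructed-demo-key"  # assumption: held by a verifier, not by the log host
    lines = ["sshd: accepted login for alice",   # constructed sample log lines
             "sudo: session opened for root",
             "cron: job started",
             "sshd: session closed"]
    log = []
    for line in lines:
        append(log, key, line)
    head = log[-1][1]  # latest tag, stored somewhere the log host cannot rewrite
    edited = list(log)
    edited[1] = ("sudo: nothing happened", log[1][1])
    return {
        "intact": first_bad_entry(log, key, head),
        "middle_deleted": first_bad_entry(log[:1] + log[2:], key, head),
        "edited": first_bad_entry(edited, key, head),
        "tail_cut_no_head": first_bad_entry(log[:2], key),
        "tail_cut_with_head": first_bad_entry(log[:2], key, head),
    }
```

The chain alone catches edits and deletions in the middle; cutting entries off the end is only detected when the latest tag is also kept off the host, and anyone who holds the key can recompute every tag from the point of tampering onward.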

  10. Re:Avoid binary please!! on Red Hat's Linux Changes Raise New Questions · · Score: 1

    As I said in the first post, I know you can tail and grep your database, but that's not comprehensive or efficient. Just because you can, doesn't mean you should, and with the amount of junk that gets produced each day I'd say it isn't really the right choice.

    The one argument that I consider valid is that a text file is really hard to corrupt, even if a chunk of it goes missing, it'll still open anywhere. But databases aren't exactly known for being unreliable, so I don't think it is really that much of a problem.

  11. Re:Avoid binary please!! on Red Hat's Linux Changes Raise New Questions · · Score: 1

    There are ways to make your application (in this case, the linux kernel) aware of the tampering. And it's still way harder to crack into a database in order to delete a few entries than simply opening a text file and removing a few lines.

    And as you just said, the database doesn't even have to be in the same computer...

  12. Re:Avoid binary please!! on Red Hat's Linux Changes Raise New Questions · · Score: 1

    That's a viable option, like many others, but I still think that a very big and very long text log is something that could be optimized by a database.

  13. Re:Whining by some guy with a log analyzer on Red Hat's Linux Changes Raise New Questions · · Score: 2

    Excuse me, it's true their logging facility might be good, but I was under the impression that the junk you see is the junk applications send, so I have no clue how QNX deals with that.

    And sending them to a remote location is possible in linux already.

    Never tried to use linux in a diskless system though, so I have no idea how syslog would react.

  14. Re:Avoid binary please!! on Red Hat's Linux Changes Raise New Questions · · Score: 2

    The problem is, they can be easily cleaned. I see where they are coming from with this, to be honest.

    Instead of going binary they could just use a database system, with queries and whatnot. Each new application would bring a new table.

    This would deal with two things: With proper access configuration it'd be safe from tampering, and it'd be easy to dig through. The amount of garbage that ends up in the logs is mind numbing. (yeah yeah, I know grep works and I still think this would be a better solution)

  15. Re:First post on Red Hat's Linux Changes Raise New Questions · · Score: 1

    I would mod you up as funny if I hadn't already replied in this conversation :P

  16. Re:One of the advantages of Linux on Red Hat's Linux Changes Raise New Questions · · Score: 2

    Because if they go their own way the next time you're trying to compile something a bit more complex it won't screw everything. I like red hat based distros because they tend to stay more or less the same over the years, leading to easily configurable systems. The moment they deviate it'll be their death.

  17. Re:I sense a pattern. on How Publishers Are Cutting Their Own Throats With eBook DRM · · Score: 1

    Ok, I can see you're too far gone to try and reason with you.

    Yes, you are wrong. Me and the thousands of people who are satisfied with this scheme and the success it's been having prove you are extremely wrong. The annoyances you keep repeating are unfounded and completely biased.

    Amazon and steam aren't like apple or anything like that, where they try to be in total control of everything. They just include the DRM into something great (the experience). And I can't for the life of me understand why you'd ever want to take a book out of the kindle to another e-reader.

  18. Re:I sense a pattern. on How Publishers Are Cutting Their Own Throats With eBook DRM · · Score: 1

    sorry for the typo mess, no time for reviewing

  19. Re:I sense a pattern. on How Publishers Are Cutting Their Own Throats With eBook DRM · · Score: 2

    Obviously, I have no f..king clue about who you are. No idea why I should.

    You can use amazon books if you remove the DRM. It requires a google search and 5 minutes. You can use your books anywhere.

    Their app isn't shitty and for both android and iOS (iPad) is my preferred reader. A quick web search will also tell you it is, in fact, the best reader app out there - even recommended for books not purchased via Amazon.

    And the clauses in the TOS you consider abusive are there for a reason. Amazon, as far as I know, only used that clause once and it was to remove a book they were selling that they didn't have the rights to. They actually gave the money back, so don't make it sound like armed robbery.

    Steam can ban you - but it's kind of hard to get banned from steam. As far as I know you had to try and use a pirated CD key to register a steam game to get yourself banned, but that's so dumb that I wonder why would anyone do it. Either that or you stole a Credit Card. Since I've never done either, I really don't care.

    No one is treating you like a criminal. They are just removing the possibility of you being able to behave like one easily (and in amazon's case they don't even try). And because of your pigheadedness you're missing out on two great platforms that get rave reviews worldwide.

  20. Re:I sense a pattern. on How Publishers Are Cutting Their Own Throats With eBook DRM · · Score: 1

    And just on a sidenote, it's very much like Steam. True, it has DRM, but they made my steam experience so much better than going and buying in stores that I don't really mind. And I can just login into my account on any PC/mac and the games will be there. I call that a good service.

    But you'll never see me buying ubisoft software with their idiotic DRM scheme.

  21. Re:I sense a pattern. on How Publishers Are Cutting Their Own Throats With eBook DRM · · Score: 1

    DRM only bothersome enough to avoid a direct copy and that requires a google search to know how to do it is perfectly acceptable in my book. For its purpose, Amazon's DRM is transparent for anything but the copying (and even that can be done to and from the devices you own without any kind of hassle (simply move all the files)).

    If freely copying with no hassle whatsoever is the reason you don't buy DRM books, then I'm sorry to say, maybe Amazon's ecosystem is not for you. Because even with all its flaws, it still provides a better experience (for me) than books, with superior devices (by far some of the best in their class) and access to books at a moment's notice anywhere in the world.

  22. Re:I sense a pattern. on How Publishers Are Cutting Their Own Throats With eBook DRM · · Score: 1

    Is that extra step something that bothers you all that much?

  23. Re:I sense a pattern. on How Publishers Are Cutting Their Own Throats With eBook DRM · · Score: 1

    Why is the software crap?

    For most devices the kindle software is widely regarded as the best e-reader there is. You might not like it, but when they can make something that actually makes it enjoyable to read on a mobile phone, the software is far from "crap".

    And if you hate the software so much, just remove the DRM and use that software you think is awesome (but that I doubt exists). Believe me, I tried dozens of these.

  24. Re:...very few ways to deviate? on How Publishers Are Cutting Their Own Throats With eBook DRM · · Score: 1

    No.

  25. Re:Not sure DRM is the biggest issue at the moment on How Publishers Are Cutting Their Own Throats With eBook DRM · · Score: 1

    For the hardcovers, kindle books are cheaper almost every time. I bought my dance with dragons for 14$ when the hardcover used to cost 23$, and even now you still save around 4$ if you buy the kindle version.

    On the other hand, the mass market paperback pocket books are usually cheaper than the kindle books, but the quality of those books pales in comparison to the service you get on the kindle.

    And in the end, you're not forced into buying e-books, if the paperback is cheaper, buy it (: