Slashdot Mirror


User: deranged+unix+nut

deranged+unix+nut's activity in the archive.

Stories: 0
Comments: 360

Comments · 360

  1. Re:Had a bit of a similar experience on The Feds' Ramsey Electronics Raid Blow by Blow · Score: 1

    I assume that at least a few slashdot readers have had similar experiences. Is there any advice that you could offer regarding the experiences?

    Can you not open the door, wake up, and then talk to the agent?

    Is there any way of saying "STOP, let me understand this, then you can continue?"

    I have been briefly questioned by two OSI(?) officers who apparently were investigating some neighbors related to a drug pusher on some military base. I was half awake, stared at the badges like a drunken idiot, and hadn't determined if the badges were real or not by the time that they had finished the questioning. They did not enter my apartment, they appeared to be armed, and I ended up saying something to the effect of "I dunno, talk to the guy next door, he is the apartment supervisor."

    Unless they have a search warrant, and even then maybe, the individual should have *some* rights. What can a person do if "the government" shows up at your door?

  2. Something else good did happen. on Apocalypse Not · Score: 1

    The good thing that the y2k scare did for us, other than helping us get the funding to fix the very real problems, is that people stopped to look at the world around them and saw that the engineers and computer people have affected their daily lives in a very dramatic way.

    It isn't everyday that the world stops to notice the work of one segment of industry and look at the impact that it has on everyone else.

  3. More spindles, more simultaneous reads on Pros & Cons of Different RAID Solutions · Score: 1

    You might also consider just adding multiple scsi controllers and have as many drives as possible.

    With each additional drive, you can access another unique piece of data simultaneously. While RAID is nice and helps solve reliability and performance problems, it isn't the only solution.

    It is a technique that newsgroup server admins used to use, and probably still do.

  4. Security Implications and Solution Building Blocks on Username/Password - Is It Still Secure? · Score: 1

    First, the goal of security in general is to make it more difficult to get at an item than someone is willing to pay.

    If this is *STRICTLY* a communications system between the doctors and the patients *AND* messages are not stored in a long term manner, I would guess that the most value that could be gained is by media accessing information about famous people. This would probably be million to 10 million dollar information. (You might do your own analysis of this.)

    Many people, like potential employers, would probably love to get the information, but would not want to be implicated in such illegalities. However, you will probably see a lot of probing hackers; much of the information could easily be used to extort money out of clients.

    For a more secure plan, I would consider all of the following:
    1. A username/password pair with password complexity checks.
    2. SSL encryption, otherwise the passwords can be sniffed.
    3. Record the IP address, browser details, etc and watch for changes that could indicate a break in.
    4. Store a secondary password/authenticator in a cookie, yes it's insecure, but it raises the barrier for password guessers.
    5. Consider using the iButton for authentication, especially for the doctors.
    6. Depending on the users, with the small amount of information being sent I would consider sending each of the users a CD filled with random information with the same random information stored on one of your internal servers for use as a one-time-pad with a Java application that would encrypt the messages with the one-time-pad. If anyone sends 720 megs of messages, send them a new CD.
    7. Consider using smart cards for authentication.
    8. Consider your internal network configuration, it is much more likely that a forgotten service, misconfigured router, or vulnerable service could be used to gain access than eavesdropping and cracking of your communications protocol.
    9. Consider the following server scheme:
    A. One server for the SSL communication with the end user. It is connected to the net with an ethernet card.
    B. Another server connected via a second ethernet, serial, parallel, or something else unconventional. It is logged into the first system and it actually does the processing, but it does not allow network access; it is configured as a client.
    C. A third system that system B is also connected to, this system is only connected to system B and it handles the encryption/decryption.

    10. Consider forcing the doctors to use a specified list of computers, only allow login from those IP addresses and make sure your router is configured against IP spoofing.

    You should also read:

    Mailing lists: Risks, Bugtraq
    Books: Secure Computing by Summers,
    Applied Cryptography by Schneier

    I apologize for the long post. Security is vitally important, make *SURE* you understand all of the implications of your decisions.
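
Item 6 of the list above (a CD of random data used as a one-time pad) stands or falls on one discipline: no pad byte may ever key two messages. The following is an added example, not code from the original comment, showing how a sender and receiver can track pad consumption so that reuse, replay and exhaustion are detected rather than silently tolerated. The class and function names (PadDirection, endpoint, two_time_pad_leak, demo), the 12-byte message header and the in-memory pad standing in for the CD are all this example's own assumptions.

```python
import os
import struct

# Wire format for one message: pad offset (8 bytes) || length (4 bytes) || ciphertext
HEADER = struct.Struct(">QI")


class PadExhausted(Exception):
    """No unused pad bytes left in this direction: issue a fresh pad (a new CD)."""


def xor_bytes(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("xor_bytes needs equal-length inputs")
    return bytes(x ^ y for x, y in zip(a, b))


class PadDirection:
    """One direction of traffic (e.g. patient -> clinic) owns pad bytes [start, end).

    Each direction gets a disjoint region so the two ends cannot independently
    consume the same bytes. `nxt` only ever moves forward, so a pad byte is
    keyed at most once; that single invariant is what makes this a one-time
    pad rather than a two-time pad.
    """

    def __init__(self, pad: bytes, start: int, end: int):
        if not 0 <= start <= end <= len(pad):
            raise ValueError("bad pad region")
        self.pad, self.start, self.end = pad, start, end
        self.nxt = start

    def remaining(self) -> int:
        return self.end - self.nxt

    def seal(self, plaintext: bytes) -> bytes:
        """Sender: consume len(plaintext) fresh pad bytes and XOR."""
        n = len(plaintext)
        if n > self.remaining():
            raise PadExhausted(f"need {n} bytes, only {self.remaining()} left")
        off = self.nxt
        self.nxt = off + n                      # commit the consumption first
        return HEADER.pack(off, n) + xor_bytes(plaintext, self.pad[off:off + n])

    def open(self, msg: bytes) -> bytes:
        """Receiver: accept only a message keyed at the next expected offset."""
        if len(msg) < HEADER.size:
            raise ValueError("truncated header")
        off, n = HEADER.unpack_from(msg)
        body = msg[HEADER.size:]
        if len(body) != n:
            raise ValueError("length field does not match body")
        if off != self.nxt:
            # Replayed, reordered or forged message. Accepting it would either
            # reuse pad bytes or desynchronise the two ends, so refuse it.
            raise ValueError(f"pad offset {off} out of sequence, expected {self.nxt}")
        if off + n > self.end:
            raise PadExhausted("message runs past this direction's pad region")
        self.nxt = off + n
        return xor_bytes(body, self.pad[off:off + n])


def endpoint(pad: bytes, is_client: bool):
    """Give an endpoint its (tx, rx) pair: clients send from the first half of
    the pad and receive on the second; servers the reverse."""
    half = len(pad) // 2
    first, second = PadDirection(pad, 0, half), PadDirection(pad, half, len(pad))
    return (first, second) if is_client else (second, first)


def two_time_pad_leak(c1: bytes, c2: bytes, known_p1: bytes) -> bytes:
    """Why the offset discipline matters: if two ciphertexts share pad bytes,
    c1 XOR c2 == p1 XOR p2, so one known plaintext reveals the other."""
    return xor_bytes(xor_bytes(c1, c2), known_p1)


def demo() -> dict:
    pad = os.urandom(4096)          # constructed stand-in for the CD of random data
    client_tx, client_rx = endpoint(pad, is_client=True)
    server_tx, server_rx = endpoint(pad, is_client=False)

    m1 = client_tx.seal(b"patient: refill request for Rx 12345")
    m2 = client_tx.seal(b"patient: thanks")
    got1, got2 = server_rx.open(m1), server_rx.open(m2)
    got_reply = client_rx.open(server_tx.seal(b"clinic: refill approved"))

    try:                            # a replay of m1 must be rejected
        server_rx.open(m1)
        replay_rejected = False
    except ValueError:
        replay_rejected = True

    tiny_tx, _ = endpoint(bytes(16), is_client=True)   # 8 bytes per direction
    tiny_tx.seal(b"12345678")
    try:                            # the 9th byte has no pad left: time for a new CD
        tiny_tx.seal(b"x")
        exhaustion_detected = False
    except PadExhausted:
        exhaustion_detected = True

    return {"got1": got1, "got2": got2, "got_reply": got_reply,
            "replay_rejected": replay_rejected,
            "exhaustion_detected": exhaustion_detected,
            "client_pad_left": client_tx.remaining()}
```

Two caveats a deployment would need beyond this sketch: the pad must come from a true random source (os.urandom is used here only as a placeholder for the burned CD), and a plain XOR pad gives confidentiality but no integrity, so an attacker who knows part of a plaintext can flip the corresponding bits; a separate authentication tag would be required for the medical messages the post describes.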

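Item 3 of the list above (record the IP address and browser details and watch for changes) is a detection rule, and it is worth seeing what the rule actually has to tolerate: a doctor moving between two workstations on the same office network should not fire an alert, while a login from a new network with a new browser right after a burst of failures should. This is an added example, not code from the original comment; the log format, the sample lines (using documentation address ranges) and the names parse, network_of and analyse are constructed for it.

```python
import ipaddress
from collections import defaultdict

# Constructed log format for this example: "<timestamp> <user> <ip> <ok|fail> <user-agent>"
SAMPLE_LOG = """\
2000-01-10T08:01:00 drsmith 192.0.2.10 ok Mozilla/4.7 (Windows NT)
2000-01-10T08:05:00 drsmith 192.0.2.11 ok Mozilla/4.7 (Windows NT)
2000-01-10T09:00:00 jdoe 198.51.100.7 ok Mozilla/4.7 (Macintosh)
2000-01-11T02:13:00 drsmith 203.0.113.9 fail Lynx/2.8
2000-01-11T02:13:05 drsmith 203.0.113.9 fail Lynx/2.8
2000-01-11T02:13:10 drsmith 203.0.113.9 fail Lynx/2.8
2000-01-11T02:13:15 drsmith 203.0.113.9 ok Lynx/2.8
2000-01-11T10:00:00 jdoe 198.51.100.7 ok Mozilla/4.7 (Macintosh)
"""


def parse(line: str) -> dict:
    ts, user, ip, result, ua = line.split(" ", 4)
    return {"ts": ts, "user": user, "ip": ipaddress.ip_address(ip), "result": result, "ua": ua}


def network_of(ip) -> ipaddress._BaseNetwork:
    """Collapse an address to its /24 (IPv4) or /64 (IPv6) so that a move
    between machines on the same office LAN is not treated as a change."""
    prefix = 24 if ip.version == 4 else 64
    return ipaddress.ip_network(f"{ip}/{prefix}", strict=False)


def analyse(log_text: str, fail_threshold: int = 3) -> list:
    """Return (timestamp, user, reason) alerts for the events in log_text."""
    seen = defaultdict(set)     # user -> {(network, user-agent)} from successful logins
    fails = defaultdict(int)    # (user, ip) -> consecutive failures from that address
    alerts = []
    for line in log_text.splitlines():
        e = parse(line)
        net = network_of(e["ip"])
        key = (e["user"], e["ip"])

        if e["result"] != "ok":
            fails[key] += 1
            if fails[key] == fail_threshold:      # alert once per burst, not per attempt
                alerts.append((e["ts"], e["user"],
                               f"{fail_threshold} failed logins from {e['ip']}"))
            continue

        profile = (net, e["ua"])
        history = seen[e["user"]]
        if history and profile not in history:   # first login is the baseline, never an alert
            why = []
            if net not in {n for n, _ in history}:
                why.append(f"new network {net}")
            if e["ua"] not in {u for _, u in history}:
                why.append(f"new browser {e['ua']!r}")
            if fails[key]:
                why.append(f"after {fails[key]} failures")
            alerts.append((e["ts"], e["user"], "; ".join(why)))
        history.add(profile)
        fails[key] = 0
    return alerts
```

On the sample above the second drsmith login (same /24, same browser) is silent, the third failure from 203.0.113.9 raises one alert, and the success that follows raises a second one citing the new network, the new browser and the preceding failures. The user-agent string is attacker-controlled, so it only ever adds to an alert here; it is never used to suppress one.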
  5. Faraday Cage Time on Coming to a Desktop near you: Tempest Capabilities · Score: 1

    I'm glad that I have some old 386 cases that have 20 pounds of steel in them.

    Now I just need to slap some ferrite cores on all of my cables, make sure all my power runs through an active UPS, and turn my computer room into a faraday cage. ;)

    Unfortunately, this is no laughing matter.

    It is actually slightly frightening that the price of this technology is dropping, if anyone can save up and buy this type of device, nothing is safe.

    I know that my bank does not use tempest resistant equipment. Here's a scenario: Thief leaves a tempest scanner in a lunchbox computer (mostly shielded of course) in his car that happens to be parked next to the bank or a vulnerable ATM machine....a week later he records the acct#s to mag cards and writes a list of PINs. Then, in person, at an ATM that doesn't have a camera (yes there are a few of those still out here in rural America), he empties the machine.

    Another scenario: Snoops watch neighborhood computer use and start extorting money out of people that look at naughty porn.

    Another scenario: A small startup firm is cash strapped, but has developed a crucial piece of software for this new technology. Snoops lift the software, business plan, and pricing scheme out of the startup's computers. Well funded snoops beat the startup to the punch and the startup goes out of business.

    A scenario that would be very likely: A competing local company pulls a customer list off of your computer, along with your price list, vendor list, and all of your other vital information.

    It changes the picture completely. I can secure my computers to a reasonable extent, but can my Bank, ISP, Phone Company, Power Company, Credit Card company, etc.?

    Then again, we could just drive past microsoft and grab a copy of the source code for windows too!

  6. Re:Sun's Response - What to do with Microsoft. on Microsoft Adresses World · Score: 1

    Two suggestions that I have heard and like are:

    1. Auction off all rights to each of Microsoft's products to the highest bidder.

    2. Force Microsoft to open source all of their software for the next 20 years.

    Each of these suggestions would definitely level the playing field.

  7. Re:NOT a "NAUGHTY" ruling! on Slashdot's "Instant" Legal Analysis of the MS Ruling · Score: 1

    Actually, in the finding of fact, the judge lists actions like pricing Win98 at $89 instead of $49, when $89 was the profit maximizing price and $49 was a competitive yet profitable price. Other actions, like bullying other companies around, also suggest to me that the Judge has already stated that Microsoft is a monopoly, and that Microsoft is using that monopoly power to eliminate competitive pressure on their main products.

  8. What if enough people believe this? on Investment Advisor Alleges MS Financial Fraud · Score: 1

    It doesn't really matter if Mr. Parish's analysis is correct or not. Many people have a large portion of their investments in Microsoft stock because it has performed so well.

    A large portion of investors are individuals with E-trade type accounts. If just 10% of Microsoft investors see his analysis and believe it (they don't have the ability to verify the data), many of them get scared.

    Q: What happens if 5% of Microsoft investors get scared and pull their money out?

    A: Microsoft stock drops by a few dollars, other people get scared, rinse, repeat.

    I am sceptical enough to disbelieve this unless I see a few qualified independent audits of this analysis, but how sceptical are people when their money may be on the line?

  9. Re:My own small story on How the Internet Boom Harms Society · Score: 5

    Maybe the cs department that I attend is different from some others, but "it depends" is a correct answer for many questions. However, each prof in my cs department is doing research and is teaching, so that might make a difference too. I don't know.

    The problem that I see is we seem to have many people drawn to the computers for the money, not for the desire. They don't have any passion for the field, and because of that, they probably won't succeed.

    At the same time, many people and organizations seem to be substituting technology for intelligence. How many accounts are there of the salesperson who, when the cash register stops working, can't add $2.50 and $2.50 to give a total in a state with no sales tax? I have heard and have seen dozens of accounts like this.

    The real danger is when we turn our brains off. Most of us are guilty of this. I probably have spelling and grammatical errors in this message because I normally rely on spell checkers too much.

    Just remember, if we keep exercising our grey matter, it will serve us well; otherwise, we are zombies. Find a passion, follow that passion, and you will be happy and prosperous.

  10. When domain names are used as a phonebook on Henley.com, Reznor.com. Is Your Name Next? · Score: 1

    It appears that the real problem is that we are using domain names as a phonebook, or as a lookup. We just have too many repeating names, for example, who should get diamond.com? Diamond MultiMedia, the jeweler's association, or one of the thousand other companies with diamond in the name?

    Even if we used a .ind for individuals, there are thousands of people in the country with the same name as me, how do we resolve that?

    Perhaps we should be civil and let everyone with a rational reason to need the domain name share it and have an index on that (page), then split off into sub-domains. There are already a number of sites that do something similar.