Slashdot Mirror


User: mendepie

mendepie's activity in the archive.

Stories: 0
Comments: 71

Comments · 71

  1. Re:SSL on FBI Wants to Tap The Net · · Score: 1
    then help me please, how do I verify that this faraway server is who I
    think it is? Where do I find the correct certificate for an http server?


    The remote server will send you its signed certificate, which has the
    hostname in it. It's the hostname and the signature that is important.
    If you believe you can trust the Certificate Authority who signed it to only
    sign certificates who belong to who they claim they are then you can trust
    it.

    I do not trust everyone that is in the CA list as provided by Netscape,
    Mozilla, and Microsoft. And if the feds wanted to get bogus certs signed
    they could, but I bet they couldn't keep it a secret too well.

    Come to think of it, where do I find the key given for SSH? So far, when I
    get the SSH message saying that "here is the key for this previously
    undefined host, do you wanna accept it?" I have simply typed (or clicked,
    depending on client) "yes", and gone on my merry way. Care to illuminate?


    For SSH, when you accept a key you are acting like a CA for yourself.
    If you don't ensure the validity of the key that you are accepting then it
    has little immediate worth. Since you store these keys, it is useful to
    detect if the key changes, which would happen if it were being spoofed.

    As for PGP and GPG, there is something called a web of trust. This
    allows you to decide (once again YOU are the CA) if you want to accept a
    key, but you can say, I trust Bob, and if Bob accepts Alice's key then I
    will. Thus you are allowing Bob to make your policy decisions for you.
    It's not a bad method, since you get to choose who to decide.

    RTFM? Something?
    If you want to learn more than you ever wanted to know about this stuff,
    then get a copy of Schneier's Applied Cryptography.
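
Added example (not part of the comment above or of the archived page): the SSH check that comment describes, in Python. It computes the fingerprint you would compare out of band before typing "yes", then reports whether a later offered key matches, differs from, or is absent from the stored keys. The host names and key bytes are constructed, and only unhashed known_hosts entries are handled.

```python
import base64
import hashlib
import struct


def ssh_string(data: bytes) -> bytes:
    """Length-prefixed string as used inside SSH public key blobs."""
    return struct.pack(">I", len(data)) + data


def make_pubkey_line(raw_key: bytes) -> str:
    """Build a constructed 'ssh-ed25519 <base64>' line (sample data only)."""
    blob = ssh_string(b"ssh-ed25519") + ssh_string(raw_key)
    return "ssh-ed25519 " + base64.b64encode(blob).decode()


def fingerprint(pubkey_line: str) -> str:
    """SHA256 fingerprint in the form OpenSSH displays at the accept prompt."""
    blob = base64.b64decode(pubkey_line.split()[1])
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def check_host_key(known_hosts: str, host: str, offered_line: str) -> str:
    """Return 'match', 'changed' or 'unknown' for the key a server offers."""
    offered_type, offered_b64 = offered_line.split()[:2]
    stored_for_host = False
    for line in known_hosts.splitlines():
        fields = line.split()
        # Skip blanks, comments, @markers and hashed (|1|...) host entries.
        if len(fields) < 3 or fields[0][0] in "#@|":
            continue
        names, key_type, key_b64 = fields[:3]
        if host in names.split(",") and key_type == offered_type:
            if key_b64 == offered_b64:
                return "match"
            stored_for_host = True
    return "changed" if stored_for_host else "unknown"


# Constructed sample data: the 32-byte values are not real keys.
GOOD_KEY = make_pubkey_line(bytes(range(32)))
OTHER_KEY = make_pubkey_line(bytes(range(1, 33)))
KNOWN_HOSTS = "# constructed sample\nshell.example.org,192.0.2.10 " + GOOD_KEY + "\n"

if __name__ == "__main__":
    print(fingerprint(GOOD_KEY))
    for host, key in [("shell.example.org", GOOD_KEY),
                      ("shell.example.org", OTHER_KEY),
                      ("new.example.org", OTHER_KEY)]:
        print(host, check_host_key(KNOWN_HOSTS, host, key))
```

A "changed" result is the case the comment calls useful: the stored key no longer matches what the server presents. An "unknown" result is the first-use prompt, where the printed fingerprint is what has to be checked against a value obtained some other way.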

  2. Re:SSL on FBI Wants to Tap The Net · · Score: 1

    This situation is more open to man-in-the-middle attack than if you had a signed cert since a self-signed cert does not have any real proof of who you are.

    In your case, if your ISP allowed someone to put a box in the datapath between you and the people who are accessing you, they could pop up a cert that looked like yours (close enough to fool your customers), then decrypt it on their system, log everything, then pass it on to your server.

    Since the client and your server are both talking to the man-in-the-middle, SSL is only as good as the ability and faith in verification of the certs involved.

  3. SSL may not be secure much longer on FBI Wants to Tap The Net · · Score: 2, Interesting

    One thing to think about is that SSL may not be secure for the purpose of stopping this type of wire-tapping.

    Normal SSL allows the server to send a hunk of bits to you. If they can get a key signed by one of the CAs that is installed in everyone's browsers, then they can fake you into believing that you are talking to the end customer.

    From the end web site's point of view, they would never know that a man-in-the-middle style attack is in progress, since 99.999% of SSL does not use client side certs.

    As for them getting someone to sign their bogus key, a little pressure can go a long way. You might even expect to see the next Microsoft service pack to have a new CA that is a front for the "We are just looking for terrorists and anyone else who is doing something that the current regime does not approve of" folks from the FBI/CIA/NSA/...

    Time to start using GPG with long keys to protect anything you really care about, since there YOU are the CA, not the folks that we know we can trust.

    In short, SSL does not make it safe to download your k****e p0rn.

  4. Re:sounds suspicous on TiVo Gets In Deeper With Sony · · Score: 1, Interesting

    With TiVo you are not paying for the electronics, you buy that. What you are paying for is the information about TV programming in your area.

    Without this information you can use a TiVo as a glorified VCR, and record channel 4 at 10pm for 1 hour, but you can't say, "record all showings of enterprise, unless there is a new showing of Buffy. And if there is, get a later showing of enterprise".

    I don't know if the software upgrades are part of the service or part of the unit purchase. But it's not that important since in boat anchor mode, it does not do much :-)

    Oh yeah ... The service includes ntp syncing of the clock. I currently use my tivo as one of my ntp servers :-)

  5. Re:Correction on TiVo Infringes On Pause Patent · · Score: 1

    This could be a loophole for Tivo and friends. A patent must specify the "Best Known Method (to the inventors)" or the patent is invalid.

    I have had a patent lawyer give me an example of this before.

  6. Lets Return XP on Microsoft Du Jour - Talks, Upgrades, Salaries · · Score: 1

    I wonder what would happen if hundreds or thousands of people were to buy copies of Windows XP, and then refuse to click "I ACCEPT" on the click thru license.

    Obviously you should go back to the store and demand a refund, since you did not have a full copy of the license on the outside of the box.

    The cost to the retailers will make them start protesting to Microsoft.

  7. If you dont need lcd's and such, try sony RM-VL900 on In Search of the Best Programmable Universal Remote? · · Score: 1

    I am using the Sony RM-VL900 to control my tv, tivo, cable box, dvd/ld, amp, switch box, and other units.

    It is a good deal in that you can pick it up for $37 + shipping, it controls lots of devices, has lots of learning memory, feels good in your hand with real tactile response, and is backlit.

    I'm happy enough with it that I am getting a 2nd one.

  8. Lower music industry sales ... duhh on Still More 'Copy Protected' CDs · · Score: 1

    The main argument that they are using is that their current sales are slipping .... There are three obvious reasons that this could be happening ...

    1) Music on their label sucks ... Lets assume there are lots of folks with bad taste in musak ...

    2) Everyone who would be buying copies of their musak is burning copies, and not buying originals ... this is what they are claiming.

    3) The economy sucks, and people are buying less musak in general. Especially the folks who two years ago had more disposable cash than they knew what to do with. Now, they are penny pinching and not buying tens of disks on impulse.

    I believe that #3 is the real reason that sales are down ... Just compare things to almost any other market. What is happening is that they are taking advantage of the downturn in the economy to do something that they have wanted to for a while (stopping digital copying) but did not have a justification to do.

    What we need to do is set up a campaign to educate people which disks are protected, and to buy lots and lots of them. Then take every one of them back to the store and demand your $$$ back since they will not play on your primary/only cd player ... your computer!

  9. Been there ... Done that ... on NASA Overcomes 802.11b Wireless Security Flaws · · Score: 1

    I have not trusted WEP for a long time ... I recently reconfigured my home router/firewall so that the wireless bridge is on its own interface.

    I treat it as a hostile (external) interface. If the connection is from a known IPsec peer, then I consider it a trusted internal connection.

    For the non IPsec connections I allow access to a few services, mostly ssh and other crypted authenticated services.

    I have set up an easy way for me to enable forwarding from the wireless network to the outside, so that when a friend comes over with an 802.11b laptop, I open my wireless network to the outside, while the inside is restricted.

    Being able to do this is one of the advantages of running a real system as a firewall/router rather than one of the "Firewall/routers for dummies" boxes.

  10. Re:D'oh on End Of reality For Silicon Graphics · · Score: 2

    SGI has been nice enough to give the lavarand systems to the inventors (thank you very much). Check out http://www.lavarand.org. We hope to have a copy of the classic lavarand setup running in the not too far future (Even if I have to turn my Indy on to do it). Lavarand is not dead yet...

  11. Re:Why this sucks, why Iomega must die. on Iomega Plans 20GB Portable Drives · · Score: 1

    If you go to their web site, and click on the BUY NOW link you will see they have the following packages for sale:

    - USB w/ 10G disk
    - Firewire w/ 10G disk
    - Firewire w/ 20G disk

    Note there is no mention of a USB 2.0 version yet. Also, they are "Out of Stock" on all of these items ....

  12. Re:but the onboard video? on Dual Athlon Motherboards Creep Closer · · Score: 1

    It depends on what you want to do with the system. Since it looks like it has an AGP Pro on it you should be able to disable (or use both) the onboard and offboard video.

    For those who want this to be the fastest quake system on the block, you know they are going to use offboard video.

    For those who want to use this as a server in a rack but need minimal video for boot/bios/NT... then putting a cheapass video on the motherboard saves the requirement of using a slot. And if you are in a 1U configuration this is very important.

  13. Use encryption you can trust on Hacking Wireless 802.11b Nets · · Score: 5

    I am currently using 802.11b a good bit, and have come up with a solution that I am happy with. I set up filtering to disallow any access from the 802.11 interface except to ssh. I then use ppp over ssh to connect. I have set up my laptop to do this when it brings the interface up. I would like to do IPsec, but I have not spent enough time to get it working.

  14. Re:Almost. on How I Completed The $5000 Compression Challenge · · Score: 1

    Lavarand has taken on a life of its own outside of SGI. The new website is not done yet, but you can check out http://www.lavarand.org to check out the new lavarand site. Isn't it great that SGI supplies engineers with beer :-)

  15. Re:DVDs? on New IBM Linux Notebook Includes DVD Player · · Score: 1

    I use my laptop to rip vinyl into the 21st century. Hell, I even got that disco version of star wars on cd now :-)

  16. Info on Lavarand Patent on The ASCII Cam · · Score: 2
    The patent you are referring to is "Method for seeding a pseudo-random number generator with a cryptographic hash of a digitization of a chaotic system", which is Silicon Graphics' patent on what is known as lavarand.

    Being one of the Inventors of this (Beer Inspired) technique I have a lot of interest in it.

    Also, there will be a new website coming up in the near future http://www.lavarand.org (no link since it is not on the air yet) with new and improved access to a lavarand system.

    Note to the interested, the patent only covers using the data to seed a pseudo-random number generator ...

  17. dclock shows year as 19:0 on Y2K Bugs: The Year In Review? · · Score: 1

    My favorite Y2Kism was dclock showing that the year was 19:0 ... Someone was trying to be far too clever with adding ints to chars.

  18. Re:G450 use on Pentium IV Non-bus Master PCI Bug Lives · · Score: 1

    I downloaded source (from the Matrox website) for the current G450 driver and found it only supported 1280x1024 on the 2nd head. 10 minutes later (+30 minutes for an XFree86 build) and I had it working with both heads at 1600x1200 under FreeBSD. This is a good example of Open Source Drivers at work.

    And yes... I did submit the changes back to Matrox.

  19. Re:Matrox on Best Supported Video Card For Linux/XFree86? · · Score: 1

    If you want real resolution and dualhead the Matrox G450 will do 1600x1200 on both heads. Works like a charm.

  20. Not much recourse on What's A Reluctant Inventor To Do? · · Score: 2
    I used to work for one of the three lettered U*ix companies and had a number of patents applied for by them with me as an inventor (Anyone remember lavarand?).

    Having talked to the company's counsel, and to a friend who is a lawyer in the IP community, it appears that the company has rights to inventions that you make for them. The assignment of IP form is just a formality.

    If you don't sign it, then they don't have to put your name on it. One of the reasons that they want you to sign is so you can't contest the patent at a later date.

    As for after you have left the company, after 10 months, I am reviewing 3 patents that I did while still there, and the company is going to pay me the standard $$$ bonus as if I were still employed. They could file it without my name, but it is cleaner for them to get it.

  21. Re:The most effective action may be... on Linux Drivers For Free Barcode Scanner Cease-And-D... · · Score: 1

    I just made a feedback to DigitalConvergence telling them that until they change these practices, I will stop using their product/service and stop doing business with anyone who distributes their product. I sent a similar message to Radio Shack's Customer Support.