Slashdot Mirror


User: mossmann

mossmann's activity in the archive.

Stories
0
Comments
84

Comments · 84

  1. Re:The answer is of course on A Universal Roaming Profile? · · Score: 1

    Good point. I was extrapolating from the idea that he wanted to have his profile on a work computer (owned and operated by someone other than himself). In some situations the trust issue wouldn't be a problem.

  2. Re:The answer is of course on A Universal Roaming Profile? · · Score: 1

    I like that switch idea: simple, effective, and useful. It still wouldn't be a safe solution for clueless users, and clueful users would get frustrated by a lack of trusted systems from time to time, but it would be a lot better than nothing.

    The protocol you suggest is exactly what smartcards were created for and is described in incredible detail in the ISO 7816 smartcard standard. It really is a slick solution, but is limited to systems with smartcard readers. Also, you still have to trust the reader with your PIN or whatever method you use to authenticate yourself to the card. That's why I like the idea of a wearable/implantable which has its own trusted input device.

  3. Re:The answer is of course on A Universal Roaming Profile? · · Score: 1

    Sure, but you also have to trust every machine that you connect the USB device to. This sucks if you have any information that you would like to carry around with you and also keep private, like web site logins, private keys, etc.

    Perhaps a better solution would be wearable or implantable computing devices.

  4. Re:Self Destruct on Linux Worm Creating "Attack Network" · · Score: 2, Interesting

    echo killall -9 .bugtraq | at now + 5 min

  5. how about smartcards? on Enigmail Standard In Mandrake 9.0 · · Score: 1

    Mini USB storage devices are definitely cool, but this is the kind of thing that smartcards were invented for. Smartcards have a number of major advantages over USB storage, including size (can a USB device fit in your wallet?), durability (can a USB device survive being run over by a truck?), and the often overlooked benefit of number-of-insertions-before-failure of the reader devices (will your USB port still work after 20,000 insertions?).

    The big advantage of mini USB storage devices is capacity. You can get a USB device that holds 128MB, while most smartcards don't hold more than 16KB. That's a big difference, but it's not significant if you only want it to store a few key pairs. Smartcards are also a lot less expensive. The major drawback of smartcards is that, unlike USB, readers are not included on your average motherboard, although they are becoming reasonably inexpensive and are starting to be included on a number of thin client devices.

    A big disadvantage of both USB and smartcard solutions for portable cryptography is that you have to trust the host computer you are using to keep your private key secret. Are you sure that the email client on the random computer you are using won't do anything inappropriate with your private key? Are you sure that the OS on that computer won't write your private key out to virtual memory on a hard drive that could be analyzed by an organization you don't trust? This is a problem that crypto-smartcards solve in theory (by using a cryptographic coprocessor on the card and never letting the private key leave the card), but, in practice, they generally only en/decrypt data that are stored on the card itself. They don't typically perform cryptographic functions on larger quantities of data because they are s l o w.

    So what is the solution? We either need _really_ smart cards (and readers (and compatible software) attached to every machine we might ever use), or trusted remote systems that we can securely log on to from anywhere (this is actually possible or close to being possible today (if you are willing to overlook keyloggers)), or mini (wearable? implantable?) computers which never leave your person, including i/o devices (like a keyboard and display) and the ability to network with any other system you care about.

    (Damn. I thought I was going to make some great points about the advantages of smartcards, but I blew them away too. :-)

  6. Re:mod this one up on Linux Worm Spreading, Many Systems Vulnerable · · Score: 1

    This works because the worm dumps a uuencoded file to /tmp/.uubugtraq, unencodes it into /tmp/.bugtraq.c, compiles it into /tmp/.bugtraq and then executes /tmp/.bugtraq to begin making mischief. Touching /tmp/.bugtraq.c creates a zero byte file which will be impossible for the worm to overwrite once you zero its permissions with chmod 000.

    This is a very good suggestion, and I am doing this on a client's box that I believe to be vulnerable but on which I do not have root access. I also suggest two additional steps:

    1. Verify that your file is zero bytes with ls -l /tmp/.bugtraq.c to make sure you weren't already infected before you changed the permissions.

    2. Verify (ps -ef | grep httpd) that apache is not running as root. If it is running as root, then the worm will probably be able to overwrite your file anyway, and you may need to take more drastic measures.
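
    The placeholder defence and its two verification steps, as an added shell example (not the poster's own code or the thread's): it assumes the drop path /tmp/.bugtraq.c named in the comment, and the ps -ef output it checks is a constructed sample.

```sh
#!/bin/sh
# Added example, not from the thread or its posters: automates the
# placeholder-file defence from comment 6 and its two verification steps.
# Assumptions: the drop path /tmp/.bugtraq.c is the one the comment names;
# the ps output below is a constructed sample, not a real capture.

# Create "$1" as a zero-byte, mode-000 file. Refuses (returns 1) if a
# non-empty file is already there, since that suggests the worm got there first.
block_dropfile() {
    f="$1"
    if [ -s "$f" ]; then
        echo "WARNING: $f exists and is not empty; inspect the host" >&2
        return 1
    fi
    : > "$f"              # same effect as touch for a missing file
    chmod 000 "$f"
    # Step 1 from the comment: confirm the file is still zero bytes
    [ -e "$f" ] && [ ! -s "$f" ]
}

# Step 2 from the comment: read ps -ef style output on stdin and return 0
# if any httpd process is owned by root (chmod 000 does not stop root).
# Note that Apache's parent listener normally runs as root and only the
# worker processes drop to the configured user, so read the output with that in mind.
httpd_runs_as_root() {
    awk '$1 == "root" && /httpd/ { found = 1 } END { exit found ? 0 : 1 }'
}

# Constructed sample of ps -ef output for demonstration.
SAMPLE_PS='UID        PID  PPID  C STIME TTY          TIME CMD
root       812     1  0 09:00 ?        00:00:01 /usr/sbin/httpd -k start
apache     815   812  0 09:00 ?        00:00:00 /usr/sbin/httpd -k start'

if printf '%s\n' "$SAMPLE_PS" | httpd_runs_as_root; then
    echo "sample: a root-owned httpd is present; the placeholder alone may not hold"
fi
# On a real host:  block_dropfile /tmp/.bugtraq.c && ps -ef | httpd_runs_as_root
```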

  7. whichever comes last? on The Open Source Cookbook? · · Score: 1

    40-50 pages in length or 30 recipes (whichever comes last)

    Uh, doesn't that mean 40-50 pages in length and 30 recipes?

  8. Re:Mmmm... Tarantella support on Nokia 9290 Finally Available in the US · · Score: 1

    People at Tarantella are telling me that it should work, although it is not officially supported yet simply because they have not received a test unit. It should be supported soon.

  9. what is the cost? on Security, Due Process and Convenience · · Score: 1

    It seems like the cost of complying with search warrants could grow exponentially for a business like an ISP with information resources relating to a large number of customers. Who pays for the time of the engineers to conduct searches? Physical world limitations used to keep these costs from getting out of hand, but now they no longer apply.

  10. Those with fame but no fortune... on Google Ad-words Poetry Project · · Score: 1

    may not be able to afford their own name.

  11. Re:Keyspace on One-Time Pad Encryption With No Pad? · · Score: 1

    Those new "one-time pads" aren't one-time pads at all. This is an early stream cipher.

  12. Re:snake oil on One-Time Pad Encryption With No Pad? · · Score: 0, Offtopic

    Score:0, Offtopic

    Right.

    Short on details? Yes. Pointless? Maybe. Offtopic? No.

    Perhaps we need more negative moderation tags:

    • pointless
    • flat out wrong
    • poorly worded
    • etc.

  13. snake oil on One-Time Pad Encryption With No Pad? · · Score: 0, Offtopic

    nt

  14. Re:VNC on The State of Remote Desktops? · · Score: 2, Informative

    Tarantella does indeed kick ass, and not just for big companies. The 10 user Starter for Linux license is pretty affordable. A single Tarantella server can provide remote access from a Java client in a web browser to graphical or character applications running on Unix, Windows, AS/400, mainframes, and more.

  15. Re:The big five remote display technologies on The State of Remote Desktops? · · Score: 1

    Starter for Linux (which actually runs on a couple other Intel Unix platforms too) starts at $999 list for a 10 user license. And it is only stripped down a little bit.

  16. The big five remote display technologies on The State of Remote Desktops? · · Score: 1

    • The X Window System
    • Windows Terminal Services
    • Citrix MetaFrame
    • Tarantella Enterprise 3
    • VNC

    Probably the thing that would meet your needs the most is Tarantella, though it isn't cheap. It acts like a gateway, allowing applications that run on a wide variety of back end servers to display over a lightweight network protocol with a Java client.

    I work for a distributor of thin client and remote display software and hardware and am a Tarantella instructor. I'm also giving a presentation on all five of these systems at Rubi Con in April. Feel free to email me privately for further discussion.

  17. giving the private sector a snowball's chance on SSSCA Introduced in Senate · · Score: 1

    This is a disturbing trend:

    Hollings: Under the new legislation, if the required private sector negotiations fail, the FCC will begin a process, in consultation with those same private sector representatives, to implement technologically feasible solutions. So, in practice, the private sector, even in the event of a government initiated approach, will have every incentive and opportunity to guide a solution largely on its own.

    It seems like every new significant piece of regulation these days mandates that the private sector comes up with their own solution which satisfies X, Y, and Z (impossible to meet) requirements and then hands the process off to some government agency after the first (doomed) phase fails. The industry ends up looking like bad guys, and then the government agency gets stuck with a huge problem and no real guidance for resolution.

  18. Enlarge your penis - GUARANTEED! on Are You Being Served? Don't Open That Email! · · Score: 4, Funny

    You've been served.

  19. Re:Mofo. on Class Action Lawsuit Against Spammer · · Score: 1

    MoFo is actually a fairly well known and respected law firm.

  20. there are better solutions. . . on Professional, Portable, Live MP3 Encoding · · Score: 1

    . . . for recording live music from a mixing board. Check out this guy's setup:

    http://www.dangottesman.com/

    fairly modest but extremely effective. It isn't as portable as the Sountainer but much more portable than a band's PA system.

    I can see why the Sountainer would be cool for journalists or musicians who want to sample found sounds, but I wouldn't be surprised to find better solutions for those applications too.

  21. Try reading the link on Mutopia: Where Music is Free · · Score: 1

    The Mutopia project only accepts entries which are not under copyright, primarily older works which have fallen out of copyright.

  22. Why use a global namespace at all? on If ICANN Can't, Who Can? · · Score: 2

    Although a global namespace served the Internet well throughout its early days (before the perceived need for ICANN), the demand for names has now far exceeded the supply. I don't see any fair way to resolve conflicts without resorting to multiple namespaces. Why not completely switch to local namespaces?

    How much do we rely on DNS? I use it to type web addresses fairly often, but 99% of the time it would be nearly as easy to use search engines, follow links from a familiar site, or use a bookmark. I also use DNS for a variety of other services which are configured through files (in which I could just as easily use IP addresses). The trickiest transition (as far as my own usage of DNS) would be email.

    We already have a global numeric namespace (IP addresses) which has only a small number of conflicts. Those addresses can even be memorized (at least until we start seeing more of IPv6). They can continue to be used as universal locators while the mapping of names to addresses can become a local task, just like creating and renaming bookmarks in your favorite browser.

    In order for this to actually work, entities will need to be able to share namespaces with each other. We already do this in many ways, e.g. Yahoo shares its hierarchical namespace through a simple web interface.

    Has anyone done any research into the feasibility of large scale global namespaces with unique identifiers? I think there is a limit to how large they can be and what boundaries they can cross, but I haven't read anything significant on the subject.

  23. Patents not being read on Do Patents Still Work? · · Score: 1

    A few decades ago, only about 25% of the patents applied for were actually granted, and, even under those circumstances, Supreme Court Justices complained of such things as patents for "gadgets that obviously have had no place in the constitutional scheme of advancing scientific knowledge." These days, patents are granted about 75% of the time. The patent examiners seem completely satisfied to let the courts judge patentability only through the course of expensive infringement suits. Technical innovators in all fields are routinely advised by their lawyers to not read any patents in the areas they are working in, lest they increase the risk of being sued for willful infringement. With patents going unread by those who advance technology, how is the patent system promoting progress?

    A lot of people have been repeating the theory of why patents work without providing concrete examples. It's easy to say that pharmaceutical research would suffer without patents, but it's practically impossible to prove. Have any studies been done which give us anything close to a clear idea of what the world would be like without patents?

    ps - My Slashdot userinfo has my correct email address, but the link in my original question (submitted some time ago) is an old one.

  24. Many patents are not related to technology? on Do Patents Still Work? · · Score: 1

    Which ones?

  25. a world without "intellectual property" on Talk Things Over With Richard M. Stallman · · Score: 1

    What if. . .

    Copyrights and patents are both completely abolished by Congress tomorrow. Would the world be a better place? What problems would you anticipate during the transition? Do you think that it would become appropriate to reinstitute more limited forms of copyrights and/or patents?