I know the telecoms are limiting bandwidth and dropping niche services, but at least I haven't had any garbled junk land in my browser yet with the message "Upgrade your service to see this website". I think this note from Tivo is pretty close:
Watching instantly on your computer
Our apologies - instant watching is currently not supported for Macintosh.
Our goal is for Netflix members to enjoy movies and TV shows on whatever screen they want. We're required to use Digital Rights Management to protect movies watched instantly online, and right now we only have approval for this protection on Windows Operating systems, not the Mac.
I should say that I think a lot of the confusion comes in because it was a long talk covering a lot of different related topics, some related, some not. There were bits covering calling IMSI info by acting as a tower, determining a phone's carrier by the block of numbers, the caller ID piece and more.
The article is BS and overblown. The talk itself was interesting.
The "find the name of the subscriber" bit has to do with the fact that a lot of carriers register the mobile phone subscriber's name with the caller ID database. Since most cellphones don't use caller ID and only pair the number with their local address book, you wouldn't notice this unless the cellphone is calling your landline.
They demonstrated a technique to use a VOIP line to call another VOIP line spoofing the calling number (say 555-555-0001). They then harvested the caller ID info and moved on to the next number (555-555-0002), creating a massive database of number/name combinations.
Kind of like wardialing in reverse (cycling through source numbers not destinations).
A chip to offload encryption is a good thing, however it is not a "security chip". Security is a broad topic that this chip will barely touch.
Well, that would certainly drop the "distributed" part of DDoS.
Just secure your shit against DDoS attacks? It's not like they forgot to apply the "anti-ddos patch". Dealing with an attack from 100k+ hosts isn't something to be taken lightly. It's expensive (get a really fat pipe) and time consuming (identify and block attack traffic).
My math says 34.
I second Openfire. I set it up at work integrated into Active Directory for a user store, using MySQL replicating to a second box as a DR instance.
My server currently averages about 370 users per day or so, but I fully expect it to eventually handle the 1000+ employees in the company.
I don't use the chat logging functionality myself, but it is available in the product.
If you're using the Spark client you can also configure the FastPath plugin in order to create a "Live Support" chat queue for your helpdesk people so that other employees can talk to the next available person via a web interface.
I definitely disagree here. While passwords can be brute forced given enough time, your face is almost certainly available to someone who has access to get at your computer.
There is a difference between identification and authentication (your claim of who you are, and your proof of that claim). What you look like is identification.
Elmo knows where you live!
If a stranger hacks my WiFi encryption in my neighborhood and downloads child prOn, warez, illegal MP3s, etc. through my router/IP, that DOES NOT mean that I did it and I AM NOT responsible for those communications/transfers, as I have made reasonable accommodations to prevent that (plus I shudder to think that any of my neighbors are into any of that).
There's a difference between criminal liability and financial. You wouldn't be convicted of downloading child porn (or shouldn't be at least), but if your internet access was pay as you go, you may still be required to pay for the bandwidth used.
This certainly isn't the first time someone has exploited the phone system and stuck another with the bill. Maybe it's time for the phone company to get their fraud detection and prevention services at least on par with what the credit card companies have done.
As long as the customers are responsible for the charges, they have no business reason to invest in fraud protection.
Bruce Schneier refers to this as an externality, and has written about it a number of times in the context of credit card security and computer security.
http://www.schneier.com/blog/archives/2007/01/information_sec_1.html
http://www.schneier.com/blog/archives/2006/03/credit_card_com.html
http://www.schneier.com/blog/archives/2005/10/preventing_iden.html
EAP-TLS is used for the key exchange process. The encryption used for the connection can either be TKIP, which uses rotating RC4 keys, or CCMP, which uses more secure AES encryption keys.
CCMP is the more secure choice, but is incompatible with older wireless cards. If you care about the security of your network, you are better off choosing hardware that supports CCMP.
What you're describing is EAP-TLS, and it's definitely the way to go if you're running wireless for a larger business.
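The TKIP-versus-CCMP point made in the comments above is a one-line difference in an access point's configuration, so here is an added example (not code from the thread or from the hostapd project) that parses a hostapd.conf fragment and flags the weak settings. The two configuration texts are constructed for illustration; the option names (`wpa`, `wpa_key_mgmt`, `wpa_pairwise`, `rsn_pairwise`, `ieee8021x`) are real hostapd.conf keys, and the RADIUS address and shared secret are placeholders.

```python
"""Audit a hostapd.conf fragment for the TKIP-vs-CCMP choice.

Added example, not code from the original comment thread or from hostapd.
The configuration text below is constructed; the option names are real
hostapd.conf keys, the RADIUS server values are placeholders.
"""
from typing import Dict, List

# Constructed sample: an 802.1X/EAP network that still allows TKIP (RC4).
WEAK_CONF = """\
interface=wlan0
ssid=corp-wifi
ieee8021x=1
wpa=3
wpa_key_mgmt=WPA-EAP
wpa_pairwise=TKIP CCMP
rsn_pairwise=TKIP CCMP
auth_server_addr=127.0.0.1
auth_server_port=1812
auth_server_shared_secret=replace-me
"""

# Constructed sample: the hardened equivalent, WPA2 (RSN) with CCMP only.
HARDENED_CONF = """\
interface=wlan0
ssid=corp-wifi
ieee8021x=1
wpa=2
wpa_key_mgmt=WPA-EAP
rsn_pairwise=CCMP
auth_server_addr=127.0.0.1
auth_server_port=1812
auth_server_shared_secret=replace-me
"""


def parse_hostapd(text: str) -> Dict[str, str]:
    """Parse key=value lines, skipping blanks and '#' comments (last value wins)."""
    conf: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf


def audit_ciphers(conf: Dict[str, str]) -> List[str]:
    """Return findings about the cipher/key-management choice; empty means sound."""
    findings: List[str] = []
    wpa = conf.get("wpa", "0")
    # hostapd's wpa option is a bitmask: bit 0 = legacy WPA, bit 1 = WPA2/RSN.
    try:
        wpa_bits = int(wpa)
    except ValueError:
        return [f"wpa={wpa!r} is not an integer"]
    if wpa_bits & 1:
        findings.append("wpa enables legacy WPA (bit 0); set wpa=2 for RSN only")
    if not wpa_bits & 2:
        findings.append("wpa does not enable WPA2/RSN")
    if "WPA-EAP" not in conf.get("wpa_key_mgmt", "").split():
        findings.append("wpa_key_mgmt does not include WPA-EAP (802.1X, e.g. EAP-TLS)")
    for key in ("wpa_pairwise", "rsn_pairwise"):
        if "TKIP" in conf.get(key, "").split():
            findings.append(f"{key} allows TKIP (RC4); restrict to CCMP")
    if "CCMP" not in conf.get("rsn_pairwise", "").split():
        findings.append("rsn_pairwise does not offer CCMP (AES)")
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        result = audit_ciphers(parse_hostapd(text))
        print(name, "->", result or ["OK"])
```

The weak fragment produces three findings (legacy WPA enabled, TKIP offered in both pairwise lists); the hardened fragment produces none. Dropping TKIP does lock out the older cards mentioned above, which is exactly the trade-off the comment describes.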
I tried to RTFA, but I'm at work and the URL has "gambling" in it, so I got an "Access Blocked" and "This attempt has been logged" for my pains. So FTFA. How about a helpful answer?
I'm guessing that at least some of the domain names in question will cause THIS page to give you the same "Access Blocked" message.
Of course, someone already pointed it out, so you most likely can't read my post ;)
http://tech.slashdot.org/article.pl?sid=08/04/01/1342225
If there was any real "trust" component, I'd buy this argument. SSL certificate authorities are supposed to be sources of trust - we trust them to have authenticated that the FooCorp who bought a certificate really is FooCorp Ltd (and not F0oCorpe). However, the only inducement most vendors need to issue a certificate these days is money.
An SSL CA is only supposed to validate that the person requesting a certificate is authorized to request one for that domain, not that it's tied to any particular company. If I own bankoamerica.com, then they're supposed to issue a certificate to me.
EV certs were created to combat the phishing issues that were not a problem when the CA process for normal certs was created. EV certs tie a certificate to a verified legal entity. I believe the rules allow for the cert to be tied to a person, but last time I dealt with EV cert policies (a year or so ago), the companies I talked to only had processes in place for validating corporations.
If I had a company which owned bankoamerica.com, I could probably still own a cert for it. If I do something nefarious with it, people would know just where to find me. Bank of America would probably consider just the act of owning it nefarious.
Now the lack of validation of authorization for a domain that you mentioned can be an issue for SSL certs, but it's a separate issue. Any CA which does not properly check that you're authorized to buy an SSL cert for a domain should have their CA cert revoked IMHO.
With ADSL and leased lines the users tend to fight for their share of bandwidth (aka have contention) at the ISP's gateways to other ISPs.
That is going to be true with ANY form of internet access. The question is going to be how over subscribed their links are.
Same here.
I eventually noticed that Amazon.com was offering it for the same $5 in non-DRM protected mp3 format, and purchased from them. I asked for a refund from the main site, but personally I would have been willing to pay $10 in the first place, so I'm not too worried about it.
If big name bands are going to continue to do these sorts of releases, they really need to partner with a company which can handle the downloads a bit better than whoever is hosting their sites now.
I'm sure he can secure his computer, but I wonder how well he can detect man-in-the-middle attacks.
Assuming that he properly secures any protocols that he cares about, he can probably do it pretty damn well. SSL/TLS secured protocols use a cert signed by a trusted authority. SSH allows you to validate the public key of a server. Initially obtaining the public key could use some improvement though.
Someone could do a MITM attack against http based web browsing, but that's fine as long as you stick to SSL for anything you care about (and your software is patched).
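The comment above notes that SSH lets you validate a server's public key but that the initial retrieval of that key is the weak spot. The usual answer is to record the key's fingerprint out of band (what `ssh-keygen -lf` prints) and compare it on connect. The following is an added example, not code from the thread: it reproduces the OpenSSH `SHA256:<unpadded base64>` fingerprint format and compares a presented key against a pinned value. The key blobs are constructed byte patterns, not real server keys.

```python
"""Pin and verify an SSH host key by its OpenSSH-style SHA256 fingerprint.

Added example, not code from the comment thread. The key material below is
constructed (sequential bytes), so the fingerprints mean nothing outside
this demonstration; the wire format and fingerprint encoding follow OpenSSH.
"""
import base64
import hashlib
import hmac
import struct


def _ssh_string(data: bytes) -> bytes:
    """Encode a byte string in SSH wire format (uint32 big-endian length prefix)."""
    return struct.pack(">I", len(data)) + data


def make_ed25519_line(raw_key: bytes, comment: str = "constructed") -> str:
    """Build a known_hosts style 'ssh-ed25519 <base64 blob> comment' line."""
    blob = _ssh_string(b"ssh-ed25519") + _ssh_string(raw_key)
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"


def fingerprint(pubkey_line: str) -> str:
    """Return the SHA256 fingerprint of a public key line as OpenSSH prints it."""
    fields = pubkey_line.split()
    blob = base64.b64decode(fields[1])
    digest = hashlib.sha256(blob).digest()
    # OpenSSH drops the base64 padding from fingerprints.
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def host_key_matches(pinned: str, presented_line: str) -> bool:
    """Constant-time comparison of the pinned fingerprint with the presented key."""
    return hmac.compare_digest(pinned.encode(), fingerprint(presented_line).encode())


# Constructed 32-byte key values standing in for the genuine server's key and
# for a key a man-in-the-middle would present instead.
GENUINE_KEY = make_ed25519_line(bytes(range(32)))
IMPOSTOR_KEY = make_ed25519_line(bytes(range(32, 64)))
# What an administrator would record out of band before the first connection.
PINNED = fingerprint(GENUINE_KEY)

if __name__ == "__main__":
    print("pinned:", PINNED)
    print("genuine accepted:", host_key_matches(PINNED, GENUINE_KEY))
    print("impostor rejected:", not host_key_matches(PINNED, IMPOSTOR_KEY))
```

The point is the order of operations: the fingerprint is obtained through a channel the attacker does not control (a console, a trusted inventory, a fingerprint on the rack label) before the first connection, so a mismatch on connect is a signal to stop rather than a prompt to click "yes".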
Yeah, that is my biggest concern here. In a perfect world everyone would secure their systems (or vendors would design systems securely) so that being on the local LAN did not grant any special privileges. But with that not being the case, an open wireless network lets people access the files you accidentally shared out, compromise the system you forgot to patch or sniff your e-mail that you never set up SSL/TLS for.
Personally I'd be happy just burying the RIAA. riaaradar.com lets you figure out if the bands you're looking for are on a label which is part of the riaa or not. It even offers non-riaa suggestions for "similar" bands. Not sure how good their recommendations are yet though.
I think the "problem" with the radiohead site is you have to go through a specific place for that one album and navigate an unfamiliar site.
That's a good point actually. I bought the Radiohead album on their website, and the site truly sucked. They might have done better with an easier to use interface.
Yeah, I just reread what I posted. It's actually from date of issuing, not of filing. It's the post-1995 ones that expire based on the date of filing.
That still means that the patent will be expiring shortly.
Actually, I just did a bit of checking online:
http://www.freepatentsonline.com/help/item/When-does-a-patent-expire.html
1. U.S. Patents filed after June 8, 1995 expire 20 years from the date of filing.
2. U.S. Patents filed prior to June 8, 1995 expire 17 years from the date of issue, or 20 years from the first non-provisional patent application in the family - whichever is later.
This patent was filed in 1987 and issued in 1991. So based on the filing date it's already expired.