I've never bought into the whole speech control thing. I'd feel stupid in a room with other people talking to the VCR.
I have speech recognition on the car phone. It works OK for that application but the limits are pretty obvious. First you have to explain to passengers not to talk over the commands. I was giving a lift to someone who was in the voice directory and was calling his wife to tell her we would be home soon. So each time I say Roger he says 'what?' which spoiled the recognizer.
I don't think that speech actually helps at all for most applications. In the first place the command set becomes pretty cumbersome. In most applications where voice is used it is actually limited to recalling one of a small number of pre-set programs. The ambiguity in human speech is huge and machines often have no context to resolve it in.
Good UI design for me is something that allows me to build up a coherent mental model of how the device is working. That is why a lot of folk like UNIX: the commands may be bizarrely arcane but the model is usually exposed (in flat text files). Macs on the other hand are not designed as tools, they are designed as assistants. You have a problem, it tries to help you. If your problem is not the one the designers thought of, well tough luck buddy.
The principal problem with the notorious VCR programming task is frequently user anticipation. Instead of doing something consistently the machine tries to be helpful and fails.
Another problem with VCRs is that the 'easy to use' interface software can have bugs. Before I got my PVR I had a Magnavox VCR. After failing to tape the F1 Grand Prix twice in a row I said "I have a degree in Nuclear Physics, I was elected to be a fellow of the British Computer Society, why do I keep assuming the problem is me?" So the next time I took photos of the settings on the VCR with my Coolpix. It turns out that if you set the device under certain circumstances the damn thing will set itself to record a year later than programmed.
My pet peeve in user interfaces is that manufacturers try to make devices look simple and uncluttered by making one button do six things. I know that there is also a cost issue, but when I buy a $1,000 digital camera, or even a $300 one, I think that I am owed a few extra buttons. The Coolpix would be a heck of a lot easier to use if there was a single slider that controlled the flash, allowing it to be turned off completely, on, or on with red-eye correction. Instead the mode button that controls it also cycles the autofocus modes, and is context sensitive to boot. But it is the same for the 35mm film world. Come to think of it, the only gadgets I have that I have not managed to fully master every switch on are my N90s and its flash gun...
In Windows, once you know the setting's key/value you can easily change it with a few API calls. In Unix, you'd have to parse a text file, insert/delete/change lines and then rewrite the file. Fun.
You both missed the real problem with the UNIX approach - race conditions when two applications try to update the system configuration. This can really screw up a system because under UNIX the system config is in several files and you can be fairly certain the bozo who wrote at least one of the programs trying to update your config did not understand what locks are for.
I have seen many a UNIX system collapse in a gibbering heap due to corrupted config files.
I have ceased to be amazed at how people can praise inadequate engineering for its simplicity. Any problem can be given a simple solution if you ignore at least half of the problem.
The success of UNIX propagation says nothing for its utility. Herpes has also spread widely.
Ever wondered why so many consultants wear $5000 stainless steel and gold Rolexes? It's because it is a way to indicate to the customer that you don't work for cheap and the $3K per day or whatever you are charging is the going rate.
So no, I would not wear a $300 watch; it's too expensive to wear to the beach and I certainly could not afford to wear something that cheap to work.
People don't like junk marketing scum. The scum who take the jobs would like us to be polite to them. Nobody else seems to agree.
In Europe you pay a huge fee to call a cell phone. In the US the subscriber pays. This sux if you get spam calls and the mobile co did not offer first minute free.
In theory calling cell phones is illegal in the US. This is not easy to check for however since a single area code can have mobile numbers and land lines.
Now for the part nobody mentioned yet: the problem is about to get much harder as under the new regime any number can be for a land line or a mobile. Furthermore it will be possible to map numbers from one area code onto a completely different area code.
Essentially in the future your telephone number will be capable of being used anywhere, at least in the US (eventually worldwide).
What this means is that the companies that track SS7 signalling info are going to have to provide info on what kind of line the call eventually maps to. There could also be a role for a national do not call list - possibly organized by a private company.
Each time I have changed my telephone number I have had about six months of calls from debt collection agencies trying to get payment from the last person with the number. The calls have largely been of the harassing kind.
At first I thought that it was deadbeats. Then I changed my long distance carrier from MCI and they kept billing me. Then I got a Bell South RIM pager and cancelled it and they tried to keep billing me (and did the same to four other people in my office). So I now conclude that what a lot of big US corporations do is that they don't have any customer service; they just send out masses of bills whether an account has been cancelled or not and they then sell the 'debts' to collection agencies to prop up their bottom line.
Oddly enough the debt collection folk have much better service than the companies they buy debts from. As soon as they get faxed a cease and desist you never hear a squeak from them again.
FTC rulings cannot control what happens in third-world countries like India and Portugal.
Utterly untrue. The telemarketers sell their services to companies in the US. They have offices in the US and assets in the US that can be seized and garnished.
Most domestic telemarketers violate the law.
True, but the only reason they get away with it is that the authorities don't deal with the problem very seriously. If illegal junk marketing calls were treated in the same way as drug dealers the industry would be dead PDQ.
Please do not verbally abuse them - you won't hurt the industry, just somebody (not unlike myself) who is trying to make ends meet
Again, wrong. Don't feel the slightest twinge of conscience as you tell the miserable heap of offal what a loathsome turd they are. It is a damn sight cheaper than therapy. People suffer from far too much tension and lack ways to channel their aggression in socially useful ways.
My favorite is to ask them to hold the line while I play one of a selection of .wav files I keep stored for the purpose. These cover a range of dramatic scenes, my favorite being the 'missus threatening to jump out of the window' which the telemarketer gets to hear. I had to stop playing that after the cops came round one time to see what was up.
These days I don't get much chance to play them as the telemarketers have mostly put me on their 'be really sure not to call' list.
Sure, anyone can be an X.509 CA, but that doesn't help much. In order to issue meaningful X.509 certificates, you need to be a widely trusted CA,
That has nothing to do with the format of the certificate. It is simply basic math.
All the major email programs allow you to install your own trust roots, always have. The problem is getting a trust root widely recognized.
The diameter of a graph is the length of the longest path between two nodes. If the diameter of the graph is small then either the graph cannot be large or there must be at least some nodes of very high degree. [The Moore bound on the diameter of a graph is k * (k-1)^d where k is the degree of the nodes and d the diameter.]
Applied to PGP it means that if you have a Web of trust with a trust chain length of 5 and each person signs ten other keys you can have no more than 90,000 members if the members align themselves perfectly. In practice the size of the graph would be much smaller since the connections would be either random or highly locally connected which gets you down to about 10,000 users.
PGP works largely because people take untrusted keys off key servers and because there are folk like Jeff Schiller who have signed hundreds of keys.
If you want a global PKI then you need intermediaries. PGP is not designed to scale to be a global system. But if you are prepared to put up with the size limitations of the PGP model you can do the same in S/MIME.
Microsoft even ship a mini CA tool with Office and Visual Studio - makecert.exe. It is a bit idiosyncratic and you need to get another tool from the Microsoft site to convert the private key formats to PKCS12 format, but it certainly works. The SSLeay code also has a cert signer.
If he really wants to do something, GnuPGP would probably welcome him with open arms...
Have you tried to work with Phil Z.? Oh... thought not.
People who end up in the mess Phil did are not always the folk with the best social interfaces...
The problem with PGP is that overall it is tending to hinder the use of crypto rather than help at this point. There is perfectly good crypto built into Outlook, Outlook Express, Notes, Netscape etc. Only thing is people don't know it's there because they are being told that only crypto persecuted by the NSA should be used.
PGP has a somewhat different PKI design, but not all that much different. Anyone can be a CA with X.509, the only technical difference being that certificate signing certs have the key signing bit set.
Rather than attempt to resurrect the PGP message formats it would be better to spend time building S/MIME key signing code.
When cars were widely available, new laws certainly came into effect. Speed limits were posted (not previously needed for horse and buggy carriages).
But the first legislative response to the car was the passing of the red flag act in the UK which required a man to walk in front of a car with a red flag.
The attempts to legislate cyberspace in the US have mostly been as clueless. The CDA, COPA, DMCA, etc. etc. All pushed with the primary goal of making a congressman look cybersavvy.
Where the article is wrong is that the technologists are not the ones calling for the laws. It is the army of self appointed experts who think everything is changing, Internet time, etc. etc.
The media thinks that the experts on the Internet are academics who write books on it not the people who write RFCs, architect standards etc. They think that everything is changing at the speed of light only because they have so little grasp of the technology.
It took us six years to get HTTP adopted as a standard. We are currently working on redoing RPC and CORBA in XML syntax. We are doing it better (and the CORBA losers have only themselves to blame), but ten years after it could have happened.
I did two specs in the past 18 months which is pretty much a record for standards work. It is going to take us at least five more years before a significant fraction of commerce transactions are e-commerce (but not value, since a small number of transactions account for 90% of value).
The point is that the Internet does not move so fast that the legislature needs to take special measures.
Actually most analysts reckon that the bulk mail is subsidized by the letter post. This has been the case since the start of the USPS; several early revolutionaries were newspapermen and so they secured guaranteed low rates for their product.
Junk mail gets a massive subsidy because the companies that do bulk mailings buy influence in Congress. The cost savings from automation are nowhere near large enough to cover the breaks junk mailers get.
That doesn't matter, they are distributing it and since they are distributing it in large numbers (not the 'copy from friend' type of distributing) they have to make the source available to their customers. Even if they didn't modify it.
To which they would no doubt reply you can get the source from any Linux distro site on the net. If you read the GPL you will note that it is sufficient to provide an ftp site for the source code.
I am much less interested in getting copies of Linux from dish TV than being able to mod the hardware to put a decent size disk drive in it. We fill 30 hours very easily; 90 is not going to be a heck of a lot better.
What I really want is a system with a firewire port on it that will allow me to plug in a RAID array with a Tb or so.
Great, so if I'm at a party at your house and I use your phone to call in a death threat to the President, you should go to jail for having an unsecured phone line, right? Retard.
Perhaps there should be a down mod for 'unjustified namecalling', or maybe that's just flamebait.
When I did security for the White House the death threats were a major problem. There is a federal law that says that the Secret Service have to investigate each and every one.
So if you have someone come to your party and they make a phone call from your phone with a death threat against the President you are in a heck of a lot of deep doo-doo. Even if you do convince the Secret Service chaps that you are OK the experience is not likely to be pleasant.
The same thing pretty much holds for supporting anonymous contact points. It is certainly a risk.
Given that the administration's re-election plan as revealed by Karl Rove is to exploit as much fear of terrorism as possible, having someone make a death threat or announcement of an Al-Qaeda attack via your open access port would be a decidedly bad thing. That might not be enough to send you to jail according to the constitution, but only the second amendment appears to be respected at this point.
So maybe it should not happen that way, but don't discount the probability that it could.
Why do we jump to have the government certify our electronic devices, standards, and protocols?
Because they are one of the key parties able to give an endorsement to a product. The microcomputer market exploded when IBM entered and provided it with the necessary endorsement; before IBM entered the fray micros were considered by many IT managers to be toys. The Web took off outside the computer industry after the White House went on line; before that no F500 company that was not in the computer or communications business would give us the time of day.
The issue here is that the WEP-I standard was badly bodged. So there is going to have to be an endorsement by an opinion leader before people feel safe to use the improved WEP-II.
The idea that NIST could provide that endorsement is not a bad one; clearly none of the industry players can do it at the moment. This is despite the fact that the 802.11 security group was acting on the problems before they were brought to public attention in the Berkeley paper.
The standard that is being generally adopted is 802.1X, which is a general authentication mechanism for port level access that was originally developed for Ethernet. Microsoft deployed a profile of this in the Windows XP support for WEP. There may be some divergence between this and the eventual standard since Windows XP shipped only a short time after the WEP flaws were publicised.
WEP-II does not provide perfect security; there remain features of the design which, although nobody knows an exploit, are still rather unsatisfactory. The biggest of these being that they still use RC4 where I would much prefer AES. However, the processors on the current 802 cards don't have the power to support AES and the liability is not great enough to justify throwing away all the existing cards.
On the OSS front, the best thing to do in this instance would be to follow Microsoft's approach and use a compatible profile of 802.1X. For the code to be any use to people it is going to have to work with the 802 hardware sold by the major vendors.
The big problem at the moment is that the access point hardware with support for the more advanced authentication mechanisms tends to be sold as $1500 enterprise solutions rather than $150 SOHO boxes, grrrr.
What I would really like is for someone to develop a cheap ($150) firewall router type box that supports Linux (or BSD) and PCMCIA to plug in an access card.
The problem there is that people^h^h^h^h^h^hSPAMers are bypassing the address book hack by forging emails with sender lines taken from mailing lists.
What we need to do is to organize a SPAM summit and develop a comprehensive strategy for addressing the issue. Paul Vixie recently made some good proposals. However if SPAM is to be defeated we really need to have more than a single fix.
Basically, 2600 is telling users to say "Shove it!" to GM and buy a Ford. It's almost a form of (negative) advertising.
The wonderful thing about 2600 cases is that the worst that can happen is they throw Goldstein et al. in the slammer, which given that they appear to have the personality of the Grouch in Sesame Street (being annoyed makes me happy) I suspect they would really, really enjoy...
I don't much care if 2600 can't point 'fuckxyz' at Ford. But I do care about the various deep linking cases.
The sheer egregiousness of the 2600 case made it a pretty good test case. If 2600 lost, the risk of collateral damage to serious deep linking would be minimal. If they win, well, if you can point fuck at someone then you can probably point most anything.
The downside being that it was a pretty risky case that could easily have backfired. 2600 made a really good target for the MPAA in the DeCSS case. My concern about this case was that they might easily have got a Reagan appointee conservative judge who might well have made an idiotic ruling because he disliked the 2600 people trying to turn a court case into performance art.
I had been asked to give expert testimony in the case but could not because Ford's legal people had added my employer in as a defendant in yet another case.
I suspect that the basic problem is that either the Ford lawyers are fundamentally incompetent or an incompetent manager insisted on a lawsuit. Starting a law suit in an untested area of law is a pretty stupid first recourse if your interest is to solve a problem. It is possible that Ford really wanted to have this area of law settled, but I doubt it.
It is the cases like this one that led to the charges for domain names in the first place. Until people started to file lawsuits registration was free.
Re:If if changes the Unix/Linux security model, fi (on Analyzing Palladium, Score: 2)
As the standard Linux kernel can't handle that by default, but it's easy to add on.
I tend to be somewhat wary of add on products. The problem is that if you have a product that requires five separate add ons to provide the features you need the chances are very high that they are going to turn out to be incompatible.
So you can use Matt Blaze's code for an encrypting file system but does that work with the extensions to support label based security?
Computers are by definition Turing machines and you can add practically any feature to any computer under any O/S. The question is the extent to which it is supported.
I get somewhat tired of people who don't know much about security and practically nothing of WNT pontificating about security architectures. The security problems in WNT have nothing to do with the O/S layer. It is the application layer that is shot.
Unfortunately UNIX is only better in certain very limited respects; in particular virus propagation is difficult to get above critical mass if an O/S has a small user base, and I suspect that programmers really avoid active code because it is hard to support rather than because it is near impossible to secure. But that's just my opinion, I could be wrong.
That's nice if you only communicate with people you already know. Not so good if you have a public website, a company, or you participate in public forums (like slashdot) and people you do not yet know will make contact with you.
That is a problem, however my first priority is to try to do what I can to take what we can definitively identify as signal.
If you get a signed email from an unknown source it could be spam or it could be signal. In my corporate email client I would configure it to automatically presume that email with source addresses in the domains sun.com, microsoft.com, cisco.com, ibm.com etc. that is signed to not be spam.
If an email came that was signed and was not from the whitelist it would be put into an 'unidentified' queue. Initially none of the spam would be signed and a signature alone would be sufficient authentication. However that is not going to last forever as a sorting mechanism.
One thing that you could do is to reply to the sender with a note saying 'your email is in the pending queue, please return this confirmation message if you are not a spammer, I don't like scum who send spam'. Although a spammer could sign their messages and respond to the return messages, doing so would be much more expensive and technically problematic, especially if we make it hard to automate the replies. It is also something that we could introduce a law to prohibit false replies to.
The other part of the puzzle is that commercial communications would be separately identified. So if IBM wants to send me an invoice for the web server service they provided me with, their invoice is signed and marked as an invoice. If IBM want to then send me some information on some additional service they might want to offer me, it would be signed and marked as SPAM but would also have a tag to indicate what sort of spam it was. So offers for HGH, penis enlargement, breast enhancement, Nigerian letters etc. can head straight for the bit bucket while I might actually read a PR newsletter that I signed up for from Microsoft or Red Hat. But those messages would go into my 'low priority folder'.
There are a bunch of other hacks that can be used. For example we might use PGP style community key signing to establish the authenticity of key holders. Or we might use commercial PKI CAs to authenticate key holders. While anyone can lie to a CA and get a certificate under false pretenses, it is also possible for CAs to revoke certificates.
In the long run I think we will see people signing their email routinely to bypass spam filters. The cost of obtaining a certificate will be low enough not to notice because they will be issued in bulk through channels such as the ISPs, but people who want to use PGP will still have that option.
First of all, cryptography and spam are orthogonal concepts. Second, the "M" in XKMS stands for "Messaging" and by that they mean wireless communications--it has nothing to do with email.
It stands for XML Key Management Specification. And although there have been discussions on it in many fora, the latest draft uses examples from email. Unfortunately the one on the site is a little older.
Sounds to me like you are trying to whore some points--somebody mod this guy down
Sounds to me like you either don't have a clue and could not be bothered to do the simplest of research or you don't like one of my other posts for some reason but don't have any mod points.
Claude Shannon proved decades ago that noise is inevitable in communications.
He did no such thing. Shannon's law demonstrates that the information bearing capacity of a communication line is limited by the signal to noise ratio.
It is quite amusing to see how such basic observations are transmogrified by the game of Internet Chinese whispers.
Spam will be addressed as a problem as soon as the pain barrier becomes high enough. With PKI it is possible to identify an email sender by means of a digital signature. The current problem being that there is no good way to locate public keys bound to email addresses. There is a lot of good work going on in this area, in particular the W3C XKMS group recently discussed a working draft that describes a mechanism for accessing public keys via DNS SRC records.
So under this system what would happen is that when you get email from them the email client would scan your address book to see if they were on your approved senders list. This would probably include the individuals you know (Cmdr. Taco etc.) and also whole domains (ai.mit.edu) you might trust. If the mail is not in the list it goes into the 'low priority' pile.
There are email clients that do this at the moment but the spammers are using counter measures, such as scanning email list archives and sending out SPAM with fake sender addresses taken from the archive. With PKI and a means of determining whether the person actually has a public key or not this type of filtering becomes much more robust. Incidentally the mechanism does not require S/MIME to work, it can also be used with PGP.
To deploy the solution all we need to do is to persuade email client writers to support XKMS register and locate functions and ISPs to provide XKMS services along with their existing SMTP server. Oh yes and finish the XKMS spec I guess.
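The filtering pipeline sketched in the posts above (signature first, then the address-book or domain whitelist, the 'pending' queue with its confirmation note, the commercial tags, and the defeat of forged sender addresses taken from list archives), as an added Go example that is not code from the posts or from XKMS. It uses ed25519 in place of S/MIME or PGP signatures, an in-memory map stands in for the XKMS locate service, and all addresses, keys and messages are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
	"strings"
)

// Folder is where the classifier files a message.
type Folder string

const (
	Inbox       Folder = "inbox"        // signed personal mail from a whitelisted domain, or a signed invoice
	Pending     Folder = "pending"      // signed by the key bound to the sender, but the domain is not whitelisted
	LowPriority Folder = "low-priority" // unsigned or unverifiable mail, and opted-in commercial mail
	BitBucket   Folder = "bit-bucket"   // signed commercial mail in a category the user never asked for
)

// Kind is the sender-declared class of a message (personal is the zero value).
type Kind int

const (
	Personal Kind = iota
	Invoice
	Marketing
)

// Message is the minimal view of an email that the classifier needs.
type Message struct {
	From      string // sender address; the key directory is looked up by this
	Body      string
	Signature []byte // ed25519 signature over Body; nil when unsigned
	Kind      Kind
	Category  string // marketing category tag, e.g. "newsletter"; empty otherwise
}

// Directory stands in for the key location service (XKMS locate in the posts);
// here it is a constructed in-memory map from address to public key.
type Directory map[string]ed25519.PublicKey

// Classifier holds the user's policy.
type Classifier struct {
	Keys            Directory
	TrustedDomains  map[string]bool // whole domains presumed legitimate when the mail is signed
	WantedMarketing map[string]bool // commercial categories the user signed up for
}

func domainOf(addr string) string {
	at := strings.LastIndex(addr, "@")
	if at < 0 {
		return ""
	}
	return strings.ToLower(addr[at+1:])
}

// Verified reports whether m carries a valid signature from the key the directory binds to m.From.
// A spammer who scrapes a real address from a list archive and forges it as the sender fails
// here: they do not hold that address's private key, so signing with their own key does not help.
func (c Classifier) Verified(m Message) bool {
	pub, ok := c.Keys[strings.ToLower(m.From)]
	if !ok || len(m.Signature) != ed25519.SignatureSize {
		return false
	}
	return ed25519.Verify(pub, []byte(m.Body), m.Signature)
}

// Classify applies the policy from the posts: signature first, then commercial tags, then whitelist.
func (c Classifier) Classify(m Message) Folder {
	if !c.Verified(m) {
		return LowPriority // unsigned or forged: cannot be definitively identified as signal
	}
	switch m.Kind {
	case Invoice:
		return Inbox
	case Marketing:
		if c.WantedMarketing[m.Category] {
			return LowPriority
		}
		return BitBucket
	}
	if c.TrustedDomains[domainOf(m.From)] {
		return Inbox
	}
	return Pending
}

// Challenge is the note sent back to a signed but unknown sender whose mail is in the pending queue.
func Challenge(m Message) string {
	return fmt.Sprintf("%s: your email is in the pending queue, please return this confirmation message if you are not a spammer", m.From)
}

// Demo runs a constructed scenario (fresh keys, example addresses) and returns where each message lands.
func Demo() map[string]Folder {
	alicePub, alicePriv, _ := ed25519.GenerateKey(rand.Reader)
	ibmPub, ibmPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, spammerPriv, _ := ed25519.GenerateKey(rand.Reader) // a key bound to no address in the directory
	c := Classifier{
		Keys:            Directory{"alice@sun.example": alicePub, "billing@ibm.example": ibmPub},
		TrustedDomains:  map[string]bool{"sun.example": true},
		WantedMarketing: map[string]bool{"newsletter": true},
	}
	sign := func(priv ed25519.PrivateKey, body string) []byte { return ed25519.Sign(priv, []byte(body)) }
	msgs := map[string]Message{
		"signed, whitelisted domain": {From: "alice@sun.example", Body: "lunch?", Signature: sign(alicePriv, "lunch?")},
		"signed, unknown domain":     {From: "billing@ibm.example", Body: "hello", Signature: sign(ibmPriv, "hello")},
		"signed invoice":             {From: "billing@ibm.example", Body: "inv 1", Signature: sign(ibmPriv, "inv 1"), Kind: Invoice},
		"signed wanted newsletter":   {From: "billing@ibm.example", Body: "news", Signature: sign(ibmPriv, "news"), Kind: Marketing, Category: "newsletter"},
		"signed unwanted marketing":  {From: "billing@ibm.example", Body: "hgh", Signature: sign(ibmPriv, "hgh"), Kind: Marketing, Category: "hgh"},
		"unsigned":                   {From: "alice@sun.example", Body: "hi"},
		"forged sender, spammer key": {From: "alice@sun.example", Body: "buy now", Signature: sign(spammerPriv, "buy now")},
	}
	out := make(map[string]Folder, len(msgs))
	for name, m := range msgs {
		out[name] = c.Classify(m)
	}
	return out
}

func main() {
	for name, folder := range Demo() {
		fmt.Printf("%-28s -> %s\n", name, folder)
	}
}
```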
Re:If if changes the Unix/Linux security model, fi (on Analyzing Palladium, Score: 2)
On any Windows domain there is a user who can change the passwords of other users who have forgotten their passwords.
True, but Windows is designed to allow for other forms of log in (write your own GINA.exe).
The point is that if you use EFS you can set the system up so that the system admins have absolutely no way to read a file - even if they dismount the disk and put it in another machine.
Re:If if changes the Unix/Linux security model, fi (on Analyzing Palladium, Score: 5, Insightful)
I really don't know Windows very well, but I'm sure there is one account (superadmin??) that can change these privileges. Which is basically root.
I find it amazing how folk can start a sentence 'I don't know anything about this' and then go on to pontificate. Examples of this behavior include practically every Senator's reaction to the pledge of allegiance ruling (I haven't read the ruling but I'll make a dumb-ass statement to protect my base) and 50% of the posts on Slashdot by Linux people on WNT.
Under WNT you can set the O/S up with very strong file access permissions. It is not unusual to configure a WNT machine so that administrators don't have access to users' files, and if you read the manual you can set the system up so that nobody has system privilege, administrators who can mod user accounts cannot modify the system log, etc.
With W2K and later you can turn on the encrypting file system. By default the administrator still has the ability to recover files via the recovery root. But you can export that to a floppy disk and put it in a safe. You can also integrate more powerful Key Recovery systems from third party vendors that enforce dual control over recovery.
UNIX was not designed to be a secure O/S. The security it does support is a subset of the security mechanisms of MULTICS. The design observation made at the time being that the machines of the day (early PDPs) could not support a complex security model.
It is unfortunate that so many people mistake age for security. By the time VM-UNIX was developed the VAX 11/750 VMUNIX was developed on was capable of supporting a sophisticated security model as VMS proved. But like so many UNIX design features what had originally been a shortcut had been elevated to the status of dogma.
Which FUD are we talking about? This entire series has been a collection of FUD on both sides.
Which is amply demonstrated by the fact that this is the second time the story has been posted this week.
The Register article shows only that the reporter has no clue as to what Palladium is and what it can and cannot do.
No DRM solution is 100% secure, the issue is not eliminating piracy, it is raising the barrier sufficiently so that the content owners are confident enough to release material and for the level of piracy to be low enough that people can all make a buck.
Attempting to rig a DRM solution so that people could only run MSFT O/S would be (1) illegal and (2) very stupid since people would have a legitimate reason for bypassing the alleged DRM measures to run Linux.
If you run Linux you are not going to have a Palladium certified O/S and many content providers are not going to sell stuff to you. But that is exactly the current situation. Palladium is only going to mean that Windows users can get content that the owners will not release without strong(ish) DRM.
Sep of Church & State was included because at the time there were many countries that were actually ruled by the church elders; our founding fathers did not want this, so they added it to the constitution. It was in no way meant to take all religion out of the government; it was included to ensure that the heads of the church would not rule the government.
Actually it was as much determined the other way. In England at the time the Bishops sat in the House of Lords and the Monarch was 'supreme governor' of the Church of England. The pilgrim fathers were mainly non-conformists who had come to the Americas to escape the established church, which they saw as making God's church subject to the will of the state.
I have speech recognition on the car phone. It works OK for that application but the limits are pretty obvious. First you have to explain to passengers not to talk over the commands. I was giving a lift to someone who was in the voice directory and was calling his wife to tell her we would be home soon. So each time I say Roger he says 'what?' which spoiled the recognizer.
I don't think that speech actually helps at all for most applications. In the first place the command set becomes pretty cumbersome. In most applications voice is used it is actually limited to recalling one of a small number of pre-set programs. The ambiguity in human speech is huge and machines often have no context to resolve it in.
Good UI design for me is something that allows me to build up a coherent mental model of how the device is working. That is why a lot of folk like UNIX, the commands may be bizarely arcane but the model is usually exposed (in flat text files). Macs on the other hand are not designed as tools, they are designed as assistants. You have a problem, it tries to help you. If your problem is not the one the designers thought of, well tough luck buddy.
The principal problem with the notorious VCR programming task is frequently user anticipation. Instead of doing something consistently the machine tries to be helpful and fails.
Another problem with VCRs is that the 'easy to use' interface software can have bugs. Before I got my PVR I had a Magnavox VCR. After failing to tape the F1 Grand Prix twice in a row I said "I have a degree in Nuclear Physics, I was elected to be a fellow of the British Computer Society, why do I keep assuming the problem is me?" So the next time I took photos of the settings on the VCR with my coolpix, turns out that if you set the device under certain circumstances the damn thing will set itself to record a year later than programmed.
My pet peeve in user interfaces is that manufacturers try to make devices look simple and uncluttered by making one button do six things. I know that there is also a cost issue, but when I buy a $1,000 digital camera, or even a $300 one I think that I am owed a few extra buttons. The Coolpix would be a heck of a lot easier to use if there was a single slider that controlled the flash, allowing it to be turned off completely, on, on with red eye correction. Instead the mode button that controls it also cycles the autofocus modes, and is context sensitive to boot. But it is the same for the 35mm film world. Come to think of it, the only gadgets I have that I have not managed to fully master every switch on are my N90s and its flash gun...
You both missed the real problem with the UNIX approach - race conditions when two applications try to update the system configuration. This can really screw up a system because under UNIX the system config is in several files and you can be fairly certain the bozo who wrote at least one of the programs trying to update your config did not understand what locks are for.
I have seen many a UNIX system collapse in a gibbering heap due to corrupted config files.
I have ceased to be amazed at how people can praise inadequate engineering for its simplicity. Any problem can be given a simple solution if you ignore at least half of the problem.
The success of UNIX propagation says nothing for its utility. Herpes has also spread widely.
Ever wondered why so many consultants wear $5000 stainless steel and gold Rolexes? It's because it is a way to indicate to the customer that you don't work for cheap and the $3K per day or whatever you are charging is the going rate.
So no, I would not wear a $300 watch; it's too expensive to wear to the beach and I certainly could not afford to wear something that cheap to work.
In Europe you pay a huge fee to call a cell phone. In the US the subscriber pays. This sux if you get spam calls and the mobile co did not offer first minute free.
In theory calling cell phones is illegal in the US. This is not easy to check for, however, since a single area code can have mobile numbers and land lines.
Now for the part nobody mentioned yet: the problem is about to get much harder, as under the new regime any number can be for a land line or a mobile. Furthermore it will be possible to map numbers from one area code onto a completely different area code.
Essentially in the future your telephone number will be capable of being used anywhere, at least in the US (eventually worldwide).
What this means is that the companies that track SS7 signalling info are going to have to provide info on what kind of line the call eventually maps to. There could also be a role for a national do not call list - possibly organized by a private company.
At first I thought that it was deadbeats. Then I changed my long distance carrier from MCI and they kept billing me. Then I got a Bell South RIM pager and cancelled it and they tried to keep billing me (and did the same to four other people in my office). So I now conclude that what a lot of big US corporations do is that they don't have any customer service; they just send out masses of bills whether an account has been cancelled or not and they then sell the 'debts' to collection agencies to prop up their bottom line.
Oddly enough the debt collection folk have much better service than the companies they buy debts from. As soon as they get faxed a cease and desist you never hear a squeak from them again.
Utterly untrue. The telemarketers sell their services to companies in the US. They have offices in the US and assets in the US that can be seized and garnished.
Most domestic telemarketers violate the law.
True, but the only reason they get away with it is that the authorities don't deal with the problem very seriously. If illegal junk marketing calls were treated in the same way as drug dealers the industry would be dead PDQ.
Please do not verbally abuse them - you won't hurt the industry, just somebody (not unlike myself) who is trying to make ends meet
Again, wrong. Don't feel the slightest twinge of conscience as you tell the miserable heap of offal what a loathsome turd they are. It is a damn sight cheaper than therapy. People suffer from far too much tension and lack ways to channel their aggression in socially useful ways.
My favorite is to ask them to hold the line while I play one of a selection of .wav files I keep stored for the purpose. These cover a range of dramatic scenes, my favorite being the 'missus threatening to jump out of the window' which the telemarketer gets to hear. I had to stop playing that after the cops came round one time to see what was up.
These days I don't get much chance to play them as the telemarketers have mostly put me on their 'be really sure not to call list'.
That has nothing to do with the format of the certificate. It is simply basic math.
All the major email programs allow you to install your own trust roots, always have. The problem is getting a trust root widely recognized.
The diameter of a graph is the length of the longest path between two nodes. If the diameter of the graph is small then either the graph cannot be large or there must be at least some nodes of very high degree. [The Moore bound on the diameter of a graph is k * (k-1)^d where k is the degree of the nodes and d the diameter.]
Applied to PGP it means that if you have a Web of trust with a trust chain length of 5 and each person signs ten other keys you can have no more than 90,000 members if the members align themselves perfectly. In practice the size of the graph would be much smaller since the connections would be either random or highly locally connected which gets you down to about 10,000 users.
PGP works largely because people take untrusted keys off key servers and because there are folk like Jeff Schiller who have signed hundreds of keys.
If you want a global PKI then you need intermediaries. PGP is not designed to scale to be a global system. But if you are prepared to put up with the size limitations of the PGP model you can do the same in S/MIME.
Microsoft even ship a mini CA tool with Office and Visual Studio - makecert.exe. It is a bit idiosyncratic and you need to get another tool from the Microsoft site to convert the private key formats to PKCS12 format, but it certainly works. The SSLeay code also has a cert signer.
This was none too surprising when you consider that most DVDs are only watched once. So the net take for the movie companies would go down drastically.
Then the idea that Circuit City would get a monopoly of the DVD rental business...
Have you tried to work with Phil Z.? Oh... thought not.
People who end up in the mess Phil did are not always the folk with the best social interfaces...
The problem with PGP is that overall it is tending to hinder the use of crypto more than help at this point. There is perfectly good crypto built into Outlook, Outlook Express, Notes, Netscape etc. Only thing is people don't know it's there because they are being told that only crypto persecuted by the NSA should be used.
PGP has a somewhat different PKI design, but not all that much different. Anyone can be a CA with X.509, the only technical difference being that certificate signing certs have the key signing bit set.
Rather than attempt to resurrect the PGP message formats it would be better to spend time building S/MIME key signing code.
But the first legislative response to the car was the passing of the Red Flag Act in the UK, which required a man to walk in front of a car with a red flag.
The attempts to legislate cyberspace in the US have mostly been as clueless. The CDA, COPA, DMCA, etc. etc. All pushed with the primary goal of making a congressman look cyber-savvy.
Where the article is wrong is that the technologists are not the ones calling for the laws. It is the army of self appointed experts who think everything is changing, Internet time, etc. etc.
The media thinks that the experts on the Internet are academics who write books on it not the people who write RFCs, architect standards etc. They think that everything is changing at the speed of light only because they have so little grasp of the technology.
It took us six years to get HTTP adopted as a standard. We are currently working on redoing RPC and CORBA in XML syntax. We are doing it better (and the CORBA losers have only themselves to blame), but ten years after it could have happened.
I did two specs in the past 18 months, which is pretty much a record for standards work. It is going to take us at least five more years before a significant fraction of commerce transactions are e-commerce (but not value, since a small number of transactions account for 90% of value).
The point is that the Internet does not move so fast that the legislature needs to take special measures.
Junk mail gets a massive subsidy because the companies that do bulk mailings buy influence in Congress. The cost savings from automation are nowhere near large enough to cover the breaks junk mailers get.
To which they would no doubt reply you can get the source from any Linux distro site on the net. If you read the GPL you will note that it is sufficient to provide an ftp site for the source code.
I am much less interested in getting copies of Linux from Dish TV than being able to mod the hardware to put a decent size disk drive in it. We fill 30 hours very easily; 90 is not going to be a heck of a lot better.
What I really want is a system with a FireWire port on it that will allow me to plug in a RAID array with a TB or so.
Perhaps there should be a down mod for 'unjustified namecalling', or maybe that's just flamebait.
When I did security for the White House the death threats were a major problem. There is a federal law that says that the Secret Service have to investigate each and every one.
So if you have someone come to your party and they make a phone call from your phone with a death threat against the President you are in a heck of a lot of deep doo-doo. Even if you do convince the Secret Service chaps that you are OK the experience is not likely to be pleasant.
The same thing pretty much holds for supporting anonymous contact points. It is certainly a risk.
Given that the administration's re-election plan as revealed by Karl Rove is to exploit as much fear of terrorism as possible, having someone make a death threat or announcement of an Al-Qaeda attack via your open access port would be a decidedly bad thing. That might not be enough to send you to jail according to the constitution, but only the second amendment appears to be respected at this point.
So maybe it should not happen that way, but don't discount the probability that it could.
Because they are one of the key parties able to give an endorsement to a product. The microcomputer market exploded when IBM entered and provided it with the necessary endorsement; before IBM entered the fray micros were considered by many IT managers to be toys. The Web took off outside the computer industry after the White House went on line; before that no F500 company that was not in the computer or communications business would give us the time of day.
The issue here is that the WEP-I standard was badly bodged. So there is going to have to be an endorsement by an opinion leader before people feel safe to use the improved WEP-II.
The idea that NIST could provide that endorsement is not a bad one; clearly none of the industry players can do it at the moment. This is despite the fact that the 802.11 security group was acting on the problems before they were brought to public attention in the Berkeley paper.
The standard that is being generally adopted is 802.1X, which is a general authentication mechanism for port level access that was originally developed for Ethernet. Microsoft deployed a profile of this in the Windows XP support for WEP. There may be some divergence between this and the eventual standard since Windows XP shipped only a short time after the WEP flaws were publicised.
WEPII does not provide perfect security; there remain features of the design which, although nobody knows of an exploit, are still rather unsatisfactory. The biggest of these is that they still use RC4, where I would much prefer AES. However, the processors on the current 802 cards don't have the power to support AES and the liability is not great enough to justify throwing away all the existing cards.
On the OSS front, the best thing to do in this instance would be to follow Microsoft's approach and use a compatible profile of 802.1X. For the code to be any use to people it is going to have to work with the 802 hardware sold by the major vendors.
The big problem at the moment is that the access point hardware with support for the more advanced authentication mechanisms tends to be sold as $1500 enterprise solutions rather than $150 SOHO boxes, grrrr.
What I would really like is for someone to develop a cheap ($150) firewall router type box that supports Linux (or BSD) and PCMCIA to plug in an access card.
The problem there is that people^h^h^h^h^h^hSPAMers are bypassing the address book hack by forging emails with sender lines taken from mailing lists.
What we need to do is to organize a SPAM summit and develop a comprehensive strategy for addressing the issue. Paul Vixie recently made some good proposals. However if SPAM is to be defeated we really need to have more than a single fix.
The wonderful thing about 2600 cases is that the worst that can happen is they throw Goldstein et al. in the slammer, which, given that they appear to have the personality of the Grouch in Sesame Street (being annoyed makes me happy), I suspect they would really, really enjoy...
I don't much care if 2600 can't point 'fuckxyz' at Ford. But I do care about the various deep linking cases.
The sheer egregiousness of the 2600 case made it a pretty good test case. If 2600 lost, the risk of collateral damage to serious deep linking would be minimal. If they win, well, if you can point fuck at someone then you can probably point most anything.
The downside being that it was a pretty risky case that could easily have backfired. 2600 made a really good target for the MPAA in the DeCSS case. My concern about this case was that they might easily have got a Reagan appointee conservative judge who might well have made an idiotic ruling because he disliked the 2600 people trying to turn a court case into performance art.
I had been asked to give expert testimony in the case but could not because Ford's legal people had added my employer in as a defendant in yet another case.
I suspect that the basic problem is that either the Ford lawyers are fundamentally incompetent or an incompetent manager insisted on a lawsuit. Starting a law suit in an untested area of law is a pretty stupid first recourse if your interest is to solve a problem. It is possible that Ford really wanted to have this area of law settled, but I doubt it.
It is the cases like this one that led to the charges for domain names in the first place. Until people started to file lawsuits registration was free.
I tend to be somewhat wary of add on products. The problem is that if you have a product that requires five separate add ons to provide the features you need the chances are very high that they are going to turn out to be incompatible.
So you can use Matt Blaze's code for an encrypting file system but does that work with the extensions to support label based security?
Computers are by definition Turing machines and you can add practically any feature to any computer under any O/S. The question is the extent to which it is supported.
I get somewhat tired of people who don't know much about security and practically nothing of WNT pontificating about security architectures. The security problems in WNT have nothing to do with the O/S layer. It is the application layer that is shot.
Unfortunately UNIX is only better in certain very limited respects; in particular virus propagation is difficult to get above critical mass if an O/S has a small user base, and I suspect that programmers really avoid active code because it is hard to support rather than because it is near impossible to secure. But that's just my opinion, I could be wrong.
That is a problem, however my first priority is to try to do what I can to take what we can definitively identify as signal.
If you get a signed email from an unknown source it could be spam or it could be signal. In my corporate email client I would configure it to automatically presume that email with source addresses in the domains sun.com, microsoft.com, cisco.com, ibm.com etc. that is signed to not be spam.
If an email came that was signed and was not from the whitelist it would be put into an 'unidentified' queue. Initially none of the spam would be signed and a signature alone would be sufficient authentication. However that is not going to last forever as a sorting mechanism.
One thing that you could do is to reply to the sender with a note saying 'your email is in the pending queue, please return this confirmation message if you are not a spammer, I don't like scum who send spam'. Although a spammer could sign their messages and respond to the return messages, doing so would be much more expensive and technically problematic, especially if we make it hard to automate the replies. We could also introduce a law to prohibit false replies.
The other part of the puzzle is that commercial communications would be separately identified. So if IBM wants to send me an invoice for the web server service they provided me with, their invoice is signed and marked as an invoice. If IBM want to then send me some information on some additional service they might want to offer me, it would be signed and marked as SPAM but would also have a tag to indicate what sort of spam it was. So offers for HGH, penis enlargement, breast enhancement, Nigerian letters etc. can head straight for the bit bucket while I might actually read a PR newsletter that I signed up for from Microsoft or Red Hat. But those messages would go into my 'low priority folder'.
There are a bunch of other hacks that can be used. For example we might use PGP style community key signing to establish the authenticity of key holders. Or we might use commercial PKI CAs to authenticate key holders. While anyone can lie to a CA and get a certificate under false pretenses, it is also possible for CAs to revoke certificates.
In the long run I think we will see people signing their email routinely to bypass spam filters. The cost of obtaining a certificate will be low enough not to notice because they will be issued in bulk through channels such as the ISPs, but people who want to use PGP will still have that option.
No it does not.
It stands for XML Key Management Specification. And although there have been discussions on it in many fora, the latest draft uses examples from email. Unfortunately the one on the site is a little older.
Sounds to me like you are trying to whore some points--somebody mod this guy down
Sounds to me like you either don't have a clue and could not be bothered to do the simplest of research or you don't like one of my other posts for some reason but don't have any mod points.
He did no such thing. Shannon's law demonstrates that the information bearing capacity of a communication line is limited by the signal to noise ratio.
It is quite amusing to see how such basic observations are transmogrified by the game of Internet Chinese whispers.
Spam will be addressed as a problem as soon as the pain barrier becomes high enough. With PKI it is possible to identify an email sender by means of a digital signature. The current problem being that there is no good way to locate public keys bound to email addresses. There is a lot of good work going on in this area; in particular the W3C XKMS group recently discussed a working draft that describes a mechanism for accessing public keys via DNS SRV records.
So under this system what would happen is that when you get email from them the email client would scan your address book to see if they were on your approved sender's list. This would probably include the individuals you know (Cmdr. Taco etc.) and also whole domains (ai.mit.edu) you might trust. If the mail is not in the list it goes into the 'low priority' pile.
There are email clients that do this at the moment but the spammers are using counter measures, such as scanning email list archives and sending out SPAM with fake sender addresses taken from the archive. With PKI and a means of determining whether the person actually has a public key or not this type of filtering becomes much more robust. Incidentally the mechanism does not require S/MIME to work, it can also be used with PGP.
To deploy the solution all we need to do is to persuade email client writers to support XKMS register and locate functions and ISPs to provide XKMS services along with their existing SMTP server. Oh yes and finish the XKMS spec I guess.
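As an added example that is not part of these posts, here is the sorting policy from this post and from the earlier signed-whitelist post (approved addresses and whole domains, the 'unidentified' pending queue, invoice versus tagged advert, and the forged-sender-line case) in Python. The key directory, the HMAC-SHA256 stand-in for S/MIME or PGP signature verification, and all addresses, keys and messages are constructed assumptions.

```python
"""Signed-mail sorting policy from the posts above (added example, not the
posts' own code).  A dict stands in for an XKMS/DNS key lookup and HMAC-SHA256
for S/MIME or PGP verification; addresses, keys and messages are constructed."""
import hashlib
import hmac
from dataclasses import dataclass

# Constructed directory: sender address -> key material (assumption).
KEY_DIRECTORY = {
    "billing@ibm.com": b"ibm-billing-key",
    "taco@slashdot.org": b"taco-key",
    "news@redhat.com": b"redhat-news-key",
    "alice@example.org": b"alice-key",
}
# Approved senders: individuals and whole domains, as in the posts.
APPROVED_ADDRESSES = {"taco@slashdot.org"}
APPROVED_DOMAINS = {"sun.com", "microsoft.com", "cisco.com", "ibm.com",
                    "ai.mit.edu", "redhat.com"}
# Self-declared advert categories that go straight to the bit bucket.
DROP_CATEGORIES = {"hgh", "enlargement", "enhancement", "nigerian-letter"}


@dataclass
class Message:
    sender: str
    body: str
    signature: str = None   # hex digest, None if unsigned
    kind: str = "personal"  # "personal", "invoice" or "advert"
    category: str = None    # advert sub-type tag


def locate_key(address):
    """Stand-in for an XKMS locate / DNS lookup of the sender's public key."""
    return KEY_DIRECTORY.get(address)


def sign(address, body):
    """Sign a body for a sender whose key is in the directory."""
    return hmac.new(KEY_DIRECTORY[address], body.encode(), hashlib.sha256).hexdigest()


def signature_valid(msg):
    key = locate_key(msg.sender)
    if key is None or msg.signature is None:
        return False
    expected = hmac.new(key, msg.body.encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, msg.signature)


def forged_sender(msg):
    """Sender has a published key but no valid signature: the pattern of a
    sender line lifted from a mailing-list archive."""
    return locate_key(msg.sender) is not None and not signature_valid(msg)


def approved(address):
    domain = address.rsplit("@", 1)[-1]
    return address in APPROVED_ADDRESSES or domain in APPROVED_DOMAINS


def route(msg):
    """Return the folder a message lands in under the policy in the posts."""
    if msg.kind == "advert" and msg.category in DROP_CATEGORIES:
        return "bit-bucket"        # tagged junk, signed or not
    if not signature_valid(msg):
        return "low-priority"      # unsigned, unknown or forged sender
    if msg.kind == "advert":       # signed, tagged marketing
        return "low-priority" if approved(msg.sender) else "unidentified"
    if approved(msg.sender):
        return "inbox"             # signed invoice or personal mail
    return "unidentified"          # signed but unknown: pending queue


def demo():
    """Route a few constructed messages; returns {label: folder}."""
    invoice = Message("billing@ibm.com", "Invoice #1, web hosting", kind="invoice")
    invoice.signature = sign(invoice.sender, invoice.body)
    forged = Message("taco@slashdot.org", "Cheap pills!")   # lifted sender line
    news = Message("news@redhat.com", "Monthly news", kind="advert", category="newsletter")
    news.signature = sign(news.sender, news.body)
    junk = Message("ads@example.net", "Grow!", kind="advert", category="hgh")
    stranger = Message("alice@example.org", "We met at the conference")
    stranger.signature = sign(stranger.sender, stranger.body)
    return {"invoice": route(invoice), "forged": route(forged), "news": route(news),
            "junk": route(junk), "stranger": route(stranger)}
```

The `forged` message shows the point of the key lookup: an unsigned message carrying a sender line that the directory says has a key is treated as untrusted rather than whitelisted.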
True, but Windows is designed to allow for other forms of log in (write your own GINA.exe).
The point is that if you use EFS you can set the system up so that the system admins have absolutely no way to read a file - even if they dismount the disk and put it in another machine.
I find it amazing how folk can start a sentence 'I don't know anything about this' and then go on to pontificate. Examples of this behavior include practically every Senator's reaction to the pledge of allegiance ruling (I haven't read the ruling but I'll make a dumb-ass statement to protect my base) and 50% of the posts on Slashdot by Linux people on WNT.
Under WNT you can set the O/S up with very strong file access permissions. It is not unusual to configure a WNT machine so that administrators don't have access to users' files, and if you read the manual you can set the system up so that nobody has system privilege, administrators who can mod user accounts cannot modify the system log, etc.
With W2K and later you can turn on the encrypting file system. By default the administrator still has the ability to recover files via the recovery root. But you can export that to a floppy disk and put it in a safe. You can also integrate more powerful Key Recovery systems from third party vendors that enforce dual control over recovery.
UNIX was not designed to be a secure O/S. The security it does support is a subset of the security mechanisms of MULTICS. The design observation made at the time being that the machines of the day (early PDPs) could not support a complex security model.
It is unfortunate that so many people mistake age for security. By the time VM-UNIX was developed the VAX 11/750 VMUNIX was developed on was capable of supporting a sophisticated security model as VMS proved. But like so many UNIX design features what had originally been a shortcut had been elevated to the status of dogma.
Which is amply demonstrated by the fact that this is the second time the story has been posted this week.
The Register article shows only that the reporter has no clue as to what Palladium is and what it can and cannot do.
No DRM solution is 100% secure, the issue is not eliminating piracy, it is raising the barrier sufficiently so that the content owners are confident enough to release material and for the level of piracy to be low enough that people can all make a buck.
Attempting to rig a DRM solution so that people could only run MSFT O/S would be (1) illegal and (2) very stupid, since people would have a legitimate reason for bypassing the alleged DRM measures to run Linux.
If you run Linux you are not going to have a Palladium certified O/S and many content providers are not going to sell stuff to you. But that is exactly the current situation. Palladium is only going to mean that Windows users can get content that the owners will not release without strong(ish) DRM.
Actually it was as much determined the other way. In England at the time the Bishops sat in the House of Lords and the Monarch was 'supreme governor' of the Church of England. The pilgrim fathers were mainly non-conformists who had come to the Americas to escape the established church, which they saw as making God's church subject to the will of the state.
The pledge of allegiance was originally written by the socialist clergyman Francis Bellamy.
The phrase 'under God' was added because the pledge sounded like the loyalty oaths uttered by 'godless communists'.