That we all are moving towards a "trust no one unless a reason to trust" model, which will simplify everything.
So we will no longer trust the company that makes our Web browser and media player and operating system and applications -- unless they give us a reason to? Hmm, I think I will watch pr0n from DVD then. Or make my own, perhaps? You know, I cannot really trust the DVD rental company either. Data on the pr0n disk could taint my player, no?
Quit bugging me with lazy, ignorant, loaded questions. Your posts aren't dangerous, but they've worn out my patience.
This means to an extent, you trust me: you believe my posts aren't dangerous, and I am a harmless moron. You don't fear that anything in our conversation might be part of a malicious attack against you or anybody else. You will not trust me regarding security competence of course. If I sign a PGP key or certify that some application is secure you will laugh at it. But I guess by now I managed to create an impression within your mind that makes you less likely to expect sophisticated, malicious attacks from my general direction.
You let your browser consume their pages, taint your apps and OS with data from them to process, give them your IP# associated with your personal sex preferences.
I think I understand now: You must be one of the guys those funny your-computer-transmits-an-IP-address-so-please-download-our-spyware ads are aimed at.
Let me explain. Using a dialup account I will get a new IP address each time I watch pr0n. This temporary association of my IP address with my personal pr0n preferences -- not necessarily the same as my sex preferences -- is rather harmless. While there exists an association between that IP address and my name and other personal details, this association exists in a different place. And where I live my dialup provider is not allowed to give this data to my pr0n provider without my permission. A matter of trust, to an extent; enforcement is needed only where trust failed.
Would you be so kind now and explain how processing data could "taint" my computer and my OS and my application software? I thought it was the whole point of these things to process data! And I don't expect much, I just want this pr0n to be displayed on my screen. Which might become more risky if in addition to my Web browser and media player a trust manager is involved, adding bugs to the system without protecting me from assigning trust to parties I shouldn't. Or do you plan to manage my trust for me?
People can observe the elections by sitting in the voting areas, watch the people putting their piece of paper into the box, and walking away. They can observe the votes.
Can they also observe the counting, and the empty ballot box at the beginning? Under regular conditions without having to request a manual count?
And why is code review off limits?
Because malicious code may look innocent, the ability to verify any piece of code should not be a requirement for participation in any democratic activity, and people generally are bad at reading memory sticks and CDs.
You don't execute porn downloads, but do display them. Because that's how much you trust the sites. You say you don't trust them, but you do.
How could I -- before even having seen anything?!? OTOH I may trust a stranger after having seen him, based on his appearance and behavior. This trust may later turn out as having been misplaced. Shit happens, and confidence games are about making shit happen. That's how simple it is, be it offline or online. I do trust my Web browser for instance: it never betrayed me. Which implies that I simply expect my Web browser to do no serious harm to the rest of my system, no matter what I do or watch. I may not trust Windows Media Player if I rarely use it, but trust may build during weeks of watching pr0n, provided bad things do not happen to me (or I do not notice them happening).
Conclusion: save your trust management for conference papers. In the real world we just need secure Web browsers (and operating systems, and media players, etc.)
Maybe you run executables you download from porn pages, but sensible people don't, because porn sites are below that threshold in their web of trust - but not excluded entirely.
I don't, unless a porn site makes my browser run it through exploitation of a vulnerability in it. And that's the whole point of what I wrote: a pr0n site that exploits vulnerabilities in my software will not be stopped from doing so by all your trust voodoo. Which is not only irrelevant in a world made of less-than-bugfree software but probably also too complicated for mum and dad to understand. I wish you good luck disciplining them.
After the tipping point, on the other side of whatever puts us into the new track, we'll all accept traffic only from people we know, according to degrees of membership in our validated "web of trust".
Nonsense. Or perhaps an attempt to spread some propaganda here to prepare the ground for so-called trusted computing? Or a misunderstanding of some high-level discussions between people who never had to deal with real-world security issues?
There is an obvious flaw in your argument: What you describe requires a secure component that manages trust relationships, and decides whether to accept traffic or not from a particular source. You silently assume that this component cannot be manipulated, abused or attacked. Now if we are able to create such a component and integrate it with our computers in a meaningful way, without making it less secure through bugs outside the component itself -- why can't we build secure systems then?
Another flaw lies in the expectation that people have a web of trust, and that it can be mapped onto the network traffic they produce or accept and such mapping helps to achieve any security goal. I don't and it can't. I'm paranoid, I trust nobody. However, I am willing to accept traffic from entirely untrustworthy sources like, say, pr0n sites. Which does not imply I trust them.
... and that's enough, with "winner takes all" electoral college rules, to change the outcome of a national election.
Perhaps we should get the subtleties of machine voting right before attempting to use these machines to fix bugs elsewhere. If we do consider this a bug, that is. One might argue that a 49/51 result indicates people are undecided, in which case both results are equally acceptable. We should not forget that elections are supposed to yield results that are widely accepted, just to keep things working. Justice etc. are secondary goals, the system should work in the first place.
So, what verifiable paper trail is left by other methods of voting? I'll give you a hint, none. You'll never be able to go back and see your vote and ensure it was counted correctly if at all.
I don't give a shit about verification of my vote being counted correctly. My primary interest as a voter and citizen is to ensure that the vast majority of votes is counted correctly, and that there is only one vote per voter. I don't need paper trails for every single vote to achieve that. What I need is the ability to observe the entire elections with a small group of people and limited resources. Some statistical noise would be acceptable. It must be, for otherwise it would be easy to carry out denial-of-service attacks against elections.
So with that, my dream for the Ultimate Voting System goes like this. (...)
Please answer a simple question: How does your voting system support a relatively small, distributed group of people that tries to observe elections? Such a group might consist of activists, or U.N. observers for instance. Oh, and please assume that any type of code review is off-limits, they may be just concerned citizens.
The patent APPLICATION is for encoding and transfer of CUSTOM smilies, i.e. an arbitrary image or animation on one computer being transferred to another one automatically in a seamless manner via encoding, transmission, reconstruction.
... President Gates declares War on Spam(tm) ... Patch Day celebrations around the world ... Slashdot involved in yesterday's DDoS attacks? ... PGP key signing parties the latest trend in Hollywood ... Hundreds of servers killed by packet storms in .cn, .kr, .jp ... Y2K38 fears rising, researchers say ... Man arrested for whistling unlicensed tunes ... Department of Homeland Security: Guantanamo Bay will be essential element of nation-wide rights management system ...
Why not just issue separate advisories and inform the respective vendors? Seems to me like they bundled multiple flaws in multiple products so they could be credited with discovering a new class of vulnerability.
Because the whole point of this type of vulnerability is undesired interaction between different implementations of the same protocol. No single product will ever be vulnerable and each and every vendor might well point to the next one saying it's their fault.
the web site has a very unique signature phrase... it has been successfully hijacked by other sites
Has it? Has the site been hijacked, or has just a specific page been hijacked for specific searches, which may or may not be used by a relevant fraction of potential users? I'm serious about this question. What are the searches that matter, and how are these searches affected? I couldn't care less about the mental framework of so-called SEOs and their customers, who are obsessed with high positions in some arbitrary result page.
It does not matter where the main page of a cooking site is positioned in a search for "cooking recipe", if users search for "chili con carne". The former one is what SEOs try to sell their clients. Is this hijacking still an issue if we stop listening to them?
Our main page has one phrase, very distinct, unique.
When I search for this phrase (in quotes), Google reports hundreds of matches. These sites (except our own) do not contain the phrase but are sites that sell traffic boosting.
The 302 problem is real.
Is it? What percentage of your Web site's users will (a) search for that particular phrase, and (b) be interested just in your main page?
This is an important point many seem to be missing: It does not matter where your main page is in any generic brand name search. What does matter are the actual searches your actual visitors do in order to find actual content.
You should repeat that test with a more reasonable approach. Do you come to the same conclusion if you search for specific pieces of information elsewhere on your site?
I guess you were glad this did happen before takeoff.
I had a similar experience on a train in Germany. It was one of those ICE-T high velocity trains with tilting technology, which allows for higher velocity in tight curves without discomforting passengers. The train had just left a station when I noticed that it did not pick up speed as usual. For no particular reason -- the track was rather straight there -- the train tilted to the left, then returned into its normal position and stopped. After a few minutes an announcement was made that there was a computer problem and they had to restart the train. Everything went dark for a couple of minutes, then lights came on again. Rebooting didn't help, though. We then had to wait for the train to be pulled back into the station where another train had been held to take up the passengers. The whole thing took about 3.5 hours.
Been there, done that. This site seems to emphasize peer review as the ultimate means of assuring scientific correctness. Unfortunately, this is only half the truth. Peer review serves as a filter. The ultimate means of assuring scientific correctness, however, is testing predictions. A theory is consistent with reality if it makes predictions that can be tested in experiment, not if the majority of scientists in a field agree it might be true.
Much like ... pr0n.
You are wrong. (How many posts did this take me?)
Am I the first human you ever met? SCNR.
I'm different. Hire me!
Uhm, nevermind. That's really nice weather today, isn't it?
How do I collect the evidence I would undoubtedly need in order to initiate manual counting?
Or maybe die from multiple infections after we missed patch day or forgot to wear our firewall.
So they invented ... the Internet?!?
Sensationalism? A sensationalist Slashdot headline on the subject would read like this: "Evil daystar not so evil, scientists say."
It must be called a fault in *GNU/Linux*, of course.
It isn't. The URL is part of the Web user interface.
Does this mean phishing is perfectly legal in the U.S. until specific legislation is passed against it?
Scalable Enterprise Solutions.