Computer Science is a very young discipline compared to other engineering disciplines. This explains why there are so many computer scientists / software engineers who do not have a degree, did not go to college and yet have highly successful careers. This is characteristic(sp?) of young disciplines. Ignore it.
CS itself is getting older, more mature. People are starting to understand that just knowing how to hack doesn't quite cut it (always). In short, going to a college and getting a degree in CS never hurts (as opposed to not getting one, not opposed to getting one in some other engineering field).
If we agree to the above - ie we must get a degree in CS or EE or math or something related, we question where we must get it from. College degrees are not pieces of paper that open the door to getting a fat job. This is one of the perks for sure, but there are others. They open the door to contributing something for the betterment of humanity (by doing original research), they open up your mind by forcing you to interact with peers who are often better than you. No matter what your job, you will fall into a mental rut as compared to school. A school is only as good as the students that study there. The students are what makes the MITs and Stanfords of today - not the professors. If the professors were getting sub-par graduate students to work with or sub-par peers they'd leave.
This is why it is absolutely essential to try to go to the best possible school you can go to. You will get exposed to things that you never were exposed to. You will learn new things from both professors and students alike. You will take part in activities that will challenge your mind in multiple dimensions - something quite unparalleled in the "real" world.
And you never know - you may want to do research for life. You may want to go on for a higher degree. In all these cases, the better school always wins. You can get by with going to a lower school - in fact you can "get by" with not going to school at all. But our purpose in life is not to just "get by". The whole point is to do something great - something that you can point your finger to 50 yrs down the line and say "I did that and changed the way people think / do something". Always strive for the best.
The problem is that in a corporate setting even the best firewalls can't prevent a sloppy third-party service tech with an infected laptop [for example] from hosing your network.
Sigh. When will 12 yr olds without any experience about corporate LANs stop ranting? Oh wait, it's slashdot!
If anyone got an infected computer on a corporate LAN (and this happens _all_ the time), it will simply attempt to infect all other computers on the LAN. Remember, corporate LANs are one step in the whole security setup, not the final line of defense. This is where a personal firewall, which you obviously have not heard of before, comes in. And yes, it's available for free with XPSP2 and you'll find a bunch of vendors that have better or more sophisticated implementations for nominal amounts.
once one PC INSIDE the firewall is infected you're toast.
No you're not. Read above.
Windows INSIDE a company is an open book to viruses...they use the very same ports and protocols that all the cool network administration tools use...
What are you ranting about? WHY WAS THIS PERSON MODDED INSIGHTFUL?
What "cool" network administration tools are you talking about? Again, get a personal firewall and block your ports that you don't need other people to access. If your admin tool uses a particular service that exposes a port, then assume it's okay unless there is a known remote exploit for that service and then take measures until a fix is available. Note that this is NOT specific to windows.
In a corporate setting you need better than that...because inter-network communication is essentially "trusted" so it moves very fast...often faster than the virus scanners can keep up!
What are you ranting about? Again: why was this person modded up +2 insightful???
LANs operate at higher speeds than the internet. Typically, at least. This has nothing to do with making them inherently more vulnerable and they're certainly not faster than the network stack on a given computer (which is roughly how fast your kernel mode virus scanners work).
I've seen PCs reinfect each other right after the virus scanner stopped! short of pulling the plugs and going PC-to-PC by hand and that can be brutal!!
I just feel sorry for the company that pays you for system administration. It is clear that you know nothing about security and much less than nothing about administration.
The paper is based on an interesting observation and is a cool hack.
But it's not nearly as earth shaking as the authors make it out to be. (All authors have to make their conference papers seem earth shaking in order to get them in the conference, but that's not the point)
The whole paper is based on whether IPid is random or predictable. The simple fix happens when either 1. people switch to ipv6 (if at all; that's a whole new debate) 2. the tcp stacks on windows, mac and linux are fixed to randomize IPid in some fashion. This isn't as hard as it seems, if the stacks were replaced in one of the kernel patches in linux and the next service releases of windows and OS X, things would be dandy.
That said, I don't really believe anyone would care a damn, because the ISPs wouldn't care a damn. All they care about is the bandwidth consumption and it's far easier to look at bandwidth consumption of hosts and yell at people about that or charge them differently than it is to go about implementing such algorithms in the backend, thus spawning a slew of OS fixes and/or new NAT equipment or firmware upgrades.
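Added example, not part of the original comment: a small simulation of why a predictable IPid leaks the number of hosts behind a NAT and why randomizing it closes the leak. The function names, start values, gap and chain-length thresholds are all constructed for illustration; no real traffic is involved.

```python
import random

ID_SPACE = 1 << 16  # the IPv4 Identification field is 16 bits wide


def simulate_nat(starts, packets_per_host, randomized, seed=7):
    """Return the IPid values an upstream observer sees from hosts behind a NAT.

    starts           -- constructed initial counter value for each host
    packets_per_host -- packets each host sends through the NAT
    randomized       -- False: per-host counter; True: random IPid per packet
    """
    rng = random.Random(seed)
    counters = list(starts)
    # Interleave the hosts' packets in an arbitrary order, as a NAT would.
    schedule = [h for h in range(len(starts)) for _ in range(packets_per_host)]
    rng.shuffle(schedule)

    seen = []
    for host in schedule:
        if randomized:
            ipid = rng.randrange(ID_SPACE)
        else:
            # The counter also advances for packets the observer never sees
            # (LAN-only traffic), so model a step of 1..3 per observed packet.
            counters[host] = (counters[host] + rng.randint(1, 3)) % ID_SPACE
            ipid = counters[host]
        seen.append(ipid)
    return seen


def estimate_hosts(ipids, max_gap=8, min_len=5):
    """Group observed IPids into increasing chains and count the long ones.

    A value joins the chain whose last value it follows most closely
    (1..max_gap ahead, modulo 2**16); otherwise it starts a new chain.
    Chains with at least min_len members are counted as one host each.
    """
    chains = []  # each entry is [last_ipid, length]
    for ipid in ipids:
        best = None
        for chain in chains:
            gap = (ipid - chain[0]) % ID_SPACE
            if 1 <= gap <= max_gap and (best is None or gap < best[0]):
                best = (gap, chain)
        if best is not None:
            best[1][0] = ipid
            best[1][1] += 1
        else:
            chains.append([ipid, 1])
    return sum(1 for _, length in chains if length >= min_len)


if __name__ == "__main__":
    # Three constructed hosts; the last counter wraps past 65535 during the run.
    starts = [1000, 20000, 65530]
    for randomized in (False, True):
        seen = simulate_nat(starts, 20, randomized)
        label = "randomized IPid" if randomized else "sequential IPid"
        print(label, "-> estimated hosts:", estimate_hosts(seen))
```

With per-host counters the three chains are recovered exactly; with random IPids no chain reaches the minimum length, so the count carries no information.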
With digital media (insert fav. file format here) getting increasingly popular, the music industry must let go of the whole "CD" business. It's their refusal to do this and clinging on to dead media while times have moved ahead that are creating all these hassles. P2P networks are not going to survive for long. The very factors that help various users use P2P networks for sharing content can be used against them to prevent them from sharing content. Examples:
o Flood the network with files with the same name containing junk. I believe the RIAA does this already, it just needs to be more aggressive in replicating false content to the point that false content > good content and then every thing falls apart.
o They can run their own supernodes, mess around with queries. The idea is not that you don't get any desired file but that getting a desired file of acceptable kb/Khz with the right content is such a pain that you'd rather go to Borders and buy the content. Oh and since we're talking RIAA, run a few thousand of these supernodes.
o DOSing is stupid, would not work because of various features associated with p2p networks (ie how many hosts will/can you DOS). The DOS throughput wouldn't be large enough to merit the time and effort. Oh and never mind all the legal mess DOS gets you into.
If you've ever done helpdesk duty at any University, you've probably run into Joe Shmoe who comes running to you and asks you to help get his final report off this floppy which seems to be corrupt. Even after having tons of space on the network drive and a cd-burner on the same computer people still use floppies. Dunno why. People have often told me they back their data onto floppies. WHY? Floppies are probably the worst thing for backups given their failure rates. Step in the right direction IMO.
This guy went on a complete rant and someone gave him a 4 score. Sheesh. You have touched upon a few good points (and a lot of bad ones). The good stuff: 1. I think some of the stuff at the top you're trying to get at is summarized very neatly in the end-to-end argument paper by Reed, Saltzer and Clark (MIT). The core of the argument (applied to security) is that you have to assure secrecy between the two end-points that matter. Encryption in between may only be used as an optimization - no guarantees can be made or expected. Read the paper if you haven't: http://web.mit.edu/Saltzer/www/publications/pubs.html
The bad stuff: 1. Short of non-reversible encs like md5 it is basically impossible to protect data if you know the before enc and after enc data on a common packet. What utter nonsense. Go back home and read your crypto book. What you're talking about is a known plaintext attack (you know the plain text and the cypher text and try to determine a key) and almost all the ciphers out there (DES, Rijndael, DES-variants) can withstand this attack. 2. It's been well known in military tactics for decades that no matter how you encrypt your data it will always be broken when it's exposed to scrutiny. Hell pgp can even easily be broken if you know the source doc before encryption and that's supposed to be one of the most secure encryption devices out there. Add to this that with tcpip you'll always know the source I can't see how you're gonna encrypt the packets short of changing the way tcpip works.
No no and no. Knowing the source does not allow you to break a crypto scheme. That's the whole difference between good crypto and security by obscurity. Read some books. The secret is usually the key, not the protocol, not the algorithm.
802.11 is about as secure as your wired LAN or any other unencrypted traffic flying out of your computer. Security is an end-to-end argument and it does not behoove the protocol to make any security guarantees (neither ethernet nor 802.11 do this). I've had enough about people saying how insecure 802.11 is just because someone can sniff your packets. It's the same for any shared medium (think ethernet or the internet backbone). So if you are paranoid about your security, encrypt all the traffic that is flying across the wire.
*sigh* gotta love slashdot. People turn their sarcasm detectors off when they post on slashdot, apparently. What he meant, in non-humorous, non-sarcastic, boringspeak would be something like this:
This is a pretty serious vulnerability in firefox.
Yet, the previous poster claims that he feels safer using firefox because there are fewer instances of firefox out there than IE (true).
By saying this, the previous poster effectively defends firefox instead of "yes, this is a problem, every piece of software has problems, let's get on with it".
If the same thing was exposed in a Microsoft or other company product, the comments would never say, "I still use it because it's productive / helps me get my job done / because I like windows / make up some reason to bash Windows but use it anyway".
Hence the word "bias".
Schools need more english-lit-for-geeks classes.
P2P applications should be blocked at colleges. Colleges are not houses of endless bandwidth... 40 copyright violations a month is a pain in the ass to deal w/ (especially in this day and age). 90% of the traffic was P2P? What about Quake pings (when I was in college that's what I was concerned with) what about downloads of legitimate software? Hah, nope, just get your P2P porn movies and the latest DiVX of The Matrix Trilogy...
NO NO NO you're missing the point. Schools and Universities are supposed to be havens of intellectual freedom. They should not prevent students from doing anything. They should not shield students from liability (in the p2p cases) either, but under no circumstances should they prevent people from running something on their computer. This goes far beyond invasion of privacy - this is the exact reason why we have raging debates about whether TCPA/NGSCB is a good thing (see previous slashdot article).
You cannot possibly dictate what may or may not bolster the sparking of original ideas. Nobody can. As a result, if you're trying to create an environment where you want the best people to generate the best possible ideas - think of stuff that has never been thought of before, you cannot, in any way, hamper their thinking, their originality by doing things such as Icarus does.
If we agree that universities should never be restricting access or preventing people from running programs, then we come to the engineering problem that is basically this: "Given a few malicious users who use an inappropriate amount of a precious resource (bandwidth), how can we establish fairness". There are a variety of solutions to this problem - including ones that establish fairness without walking all over one's freedom. For example: (these have been mentioned in previous posts) establishing up/down quotas per LAN drop, smart QoS based on bandwidth already consumed, throttling particular streams in case of high bandwidth use, etc. The advantage to all these schemes is 1. They do not disallow you from doing anything 2. They are flexible enough to be tailored to particular students' needs in exceptional cases.
The whole point of this post is simple. The primary issue here is not privacy (it is one of many) but that of freedom. Universities have always been and should always be places of complete freedom. Law enforcement is not a University's prerogative and should be delegated to the proper authorities.
Continuing down the non-hacker line, I love Salman Rushdie. His non-linearity never fails to amaze me.
I loved Fury and Midnight's Children. Reading Satanic Verses right now and The Ground Beneath Her Feet is on my post-graduation list.
Also try Bill Bryson's books. A Walk In The Woods is very good.
Cry of the Kalahari was one of my favourite books of all time.
Surely You're Joking, Mr. Feynman - while not very "non-hacker", this book is _the_best_ I've read. Funny, nay hilarious, witty, amazing. Quite a few things to learn.
Finally, if you're coming out of tech school with an engineering degree or something of the sort, (ie without a significant liberal arts background) now might be a good time to round off your education with some books about religion, philosophy, economics, politics and business (to name a few). While the subjects might sound drab, you might just find your calling (econ for me).
Happy reading.
Um, HELLO, if someone is getting a pink slip doesn't that imply some sort of deficiency? This entire article hinges on "Foreign Students == Good"! Why is the author's solution for us to go over to India and China to grab talent when foreign companies are coming to the US? Isn't that playing into their hands? This part makes no sense.
The pink-slip == deficiency argument doesn't hold. Companies at the end of the bubble laid off a lot of people and immigrants that don't have green cards (or better) are being shipped back to their home nations. Also, a lot of tech companies are no longer willing to sponsor green cards and the like thus making it harder and harder for foreign immigrants to work in the US. This is what the author of the article feels the US should not be doing.
So far the US has attracted the best talent across the globe. If the US fails to do this, by making it impossibly hard for the immigrants to come in (some level of "hardness" is just fine), US R&D will suffer. The country or set of countries (EU, Australia?) willing to accept this large pool of highly skilled and highly intelligent workers will hugely benefit.
Then again, I'm an immigrant student in the US, so my opinion is probably biased.
But if P2P usage makes it such that researchers can't get the resources or bandwidth to actually do their work or are significantly impacted
This is the most foolish thing I've heard. There are things called packet shaping algorithms. There is a reason we have diffserv. There is no reason why dorm or other traffic can just be given lower priority than "important" research traffic (which is exactly what is done at my University, btw)
As for the larger question of whether p2p traffic needs encrypting etc, here are some things to consider:
1. The whole idea behind p2p is to tell everyone what you're sharing. So an easier way is to just use the standard kazaa client or a clone to query each user for what they're sharing. Run this in daemon mode and you have a rather up-to-date list of what everyone on campus has / had and at what time.
2. So the only remaining thing is: you're downloading something and you don't want anyone to figure out what you're downloading. In theory, you could use SSL. But it won't do much. If I really wanted to find out what you're downloading, I'd look at your SSL connection, figure out what IP you're hitting, query them over the P2P network to find out list of exported files. I can calculate approximate filesize from the packets that you're receiving and just compare that to get a very good estimate on what you're downloading. Also, by default, files that you download are immediately shared, so I could always just query you and compare filelists.
My point in writing that whole thing was simple: p2p networks are not meant to be private. SSL doesn't give you any protection since anyone would be able to get this simply by querying you over the p2p network.
Universities often represent some of the fastest connections to the internet that aren't traffic monitored. People have fast connections at work as well and it's the threat of their IT department monitoring the network, finding out about P-2-P and getting the employee fired, that prevents people from filesharing at work (albeit some companies have lenient policies with regards to this).
Universities, OTOH, aspire to higher ideals of complete freedom (else all of us students would protest, at least in theory). Hence no threat from the University IT department, for the ones that haven't capitulated to such RIAA blackmailing.
As a result, a very large chunk of filesharing traffic originates or ends at university IPs. Hence they make the perfect RIAA target. It's fairly logical.
We just have to hope that universities don't give in to this kind of blackmailing. The question of threatening a student's freedom is much larger than that of stopping some of them from taking part in illegal acts.
So I was meeting a very successful entrepreneur and he gave me this insight:
Patents can be used to ward off small competitors to a business. You cannot use a patent to ward off Microsoft or IBM or any other large company with a large amount of money in the bank. You can sue them for patent infringement, they would drag the case in court, fight for a year or so and pay you a million bucks at the end. But by that time, they've already done whatever damage they could, and your company is bankrupt.
Of course this doesn't work if the patent holder is a big company such as one of the above.
Moral of the story is: if big players want to infringe smaller players' patents, they could do so and have a good chance of getting away with it for not that much money.
Such are the wonders of capitalism.
FTP traffic is given lower priority than HTTP traffic in a large number of packet shaping / DiffServ type routing algorithms.
These algorithms are based on the assumption that HTTP traffic consists of fairly short bursts and not long sustained transfers which is typically what FTP traffic looks like. Based on these assumptions, these routers give lower priority to FTP traffic than they do to HTTP.
This does not mean that you should serve large files off HTTP since it'll be "faster". Au contraire, it means that you should be fair to others and serve them over FTP, so that the routers can do the correct packet shaping even if it means a slight speed hit to you.
Think of people downloading huge files off your web server and screwing up your warcraft (/quake/whatever) game.
A big issue to doing something like this, which was pointed out to me by some researchers in a company I interned for, pertained to the amount of information about you that is required for such a system to function but still maintain your privacy.
For example, a mid-air system that delivers messages to you while you're in a certain area can also figure out where you are at what time on what day, simply by aggregating this information in one place. The researchers that I talked to worked around this (they were using GPS) by making the exact co-ordinates fuzzy and increasing the resolution from a few meters to a few miles. Thus you can't exactly tell where a person was at a certain time.
However, in the article, the researchers are using Bluetooth, which doesn't leave out much in the way of destroying location information. Which consequently means that the Government, or any company with enough money could come in, aggregate this information and track the devices that are mid-air message enabled. (And if we assume that people aren't going to be swapping cell phones every few minutes, then we can track the people themselves.)
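The trade-off in the comment above, as an added example that is not from the article or the original comment: GPS fixes snapped to a miles-wide grid collapse into one cell, while cells at an assumed Bluetooth-scale size keep every step of the track. The grid scheme, the 69 miles per degree approximation, the cell sizes and the track are all assumptions constructed for illustration.

```python
import math

MILES_PER_DEG_LAT = 69.0   # approximation: one degree of latitude is about 69 miles

def coarsen(lat, lon, cell_miles):
    """Snap a fix to the centre of a grid cell roughly cell_miles on a side."""
    lat_step = cell_miles / MILES_PER_DEG_LAT
    lat_c = (math.floor(lat / lat_step) + 0.5) * lat_step
    # A degree of longitude shrinks with cos(latitude). Use the row's centre
    # latitude so every fix in the same row is snapped with the same step.
    shrink = max(math.cos(math.radians(lat_c)), 0.01)   # clamp near the poles
    lon_step = cell_miles / (MILES_PER_DEG_LAT * shrink)
    lon_c = (math.floor(lon / lon_step) + 0.5) * lon_step
    return (round(lat_c, 6), round(lon_c, 6))

def aggregated_log(track, cell_miles):
    """What a central aggregator ends up with: (time, cell) whenever the cell changes."""
    log = []
    for when, lat, lon in track:
        cell = coarsen(lat, lon, cell_miles)
        if not log or log[-1][1] != cell:
            log.append((when, cell))
    return log

# Constructed track: five fixes about 110 m apart, one per minute.
TRACK = [("09:0%d" % i, 40.030 + 0.001 * i, -75.02) for i in range(5)]

if __name__ == "__main__":
    print(len(aggregated_log(TRACK, 5.0)))    # miles-wide cells
    print(len(aggregated_log(TRACK, 0.01)))   # assumed Bluetooth-scale cell, about 16 m
```

Two fixes close to each other can still land in different cells when they straddle a grid line, so coarsening hides precision but not every movement.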
The paper is based on an interesting observation and is a cool hack.
But it's not nearly as earth shaking as the authors make it out to be. (All authors have to make their conference papers seem earth shaking in order to get them in the conference, but that's not the point.)
The whole paper is based on whether IPid is random or predictable. The simple fix happens when either
1. people switch to IPv6 (if at all; that's a whole new debate)
2. the TCP stacks on Windows, Mac and Linux are fixed to randomize IPid in some fashion. This isn't as hard as it seems: if the stacks were replaced in one of the kernel patches in Linux and the next service releases of Windows and OS X, things would be dandy.
That said, I don't really believe anyone would care a damn, because the ISPs wouldn't care a damn. All they care about is the bandwidth consumption and it's far easier to look at bandwidth consumption of hosts and yell at people about that or charge them differently than it is to go about implementing such algorithms in the backend, thus spawning a slew of OS fixes and/or new NAT equipment or firmware upgrades.
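Why the predictability of IPid matters, as an added example that is not from the paper or the original comment: when each host behind a NAT stamps packets from its own incrementing counter, an observer can split the interleaved IDs into runs and count the hosts, and randomizing the field removes that signal. The greedy grouping, the gap threshold and the simulated traffic are assumptions constructed for illustration.

```python
import random

ID_SPACE = 1 << 16   # the IPv4 Identification field is 16 bits wide
MAX_GAP = 64         # assumed: largest counter advance between two sightings of one host

def count_id_streams(ip_ids, max_gap=MAX_GAP):
    """Greedily split observed IPids into increasing runs; return the number of runs."""
    last_seen = []                       # last IPid of each run found so far
    for ipid in ip_ids:
        best, best_gap = None, max_gap + 1
        for i, last in enumerate(last_seen):
            gap = (ipid - last) % ID_SPACE   # forward distance, wraparound-aware
            if 0 < gap < best_gap:
                best, best_gap = i, gap
        if best is None:
            last_seen.append(ipid)       # fits no run: looks like a new host
        else:
            last_seen[best] = ipid       # continues the closest run
    return len(last_seen)

def simulate(starts, packets, seed, randomized=False):
    """Constructed traffic: hosts behind one NAT, packets interleaved at random."""
    rng = random.Random(seed)
    counters = list(starts)
    seen = []
    for _ in range(packets):
        host = rng.randrange(len(counters))
        if randomized:
            seen.append(rng.randrange(ID_SPACE))        # fixed stack: random IPid
        else:
            counters[host] = (counters[host] + rng.randint(1, 3)) % ID_SPACE
            seen.append(counters[host])                 # per-host incrementing counter
    return seen

if __name__ == "__main__":
    starts = [1000, 30000, 65500]        # constructed; the last one wraps past 65535
    print("sequential:", count_id_streams(simulate(starts, 60, seed=1)))
    print("randomized:", count_id_streams(simulate(starts, 60, seed=1, randomized=True)))
```

With sequential counters the run count equals the number of hosts; with randomized IDs it is close to the number of packets and says nothing about how many machines sit behind the NAT.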
With digital media (insert fav. file format here) getting increasingly popular, the music industry must let go of the whole "CD" business. It's their refusal to do this and clinging on to dead media while times have moved ahead that are creating all these hassles.
P2P networks are not going to survive for long. The very factors that help various users use P2P networks for sharing content can be used against them to prevent them from sharing content. Examples:
o Flood the network with files with the same name containing junk. I believe the RIAA does this already, it just needs to be more aggressive in replicating false content to the point that false content > good content and then everything falls apart.
o They can run their own supernodes, mess around with queries. The idea is not that you don't get any desired file but that getting a desired file of acceptable kb/Khz with the right content is such a pain that you'd rather go to Borders and buy the content. Oh and since we're talking RIAA, run a few thousand of these supernodes.
o DOSing is stupid, would not work because of various features associated with p2p networks (ie how many hosts will/can you DOS). The DOS throughput wouldn't be large enough to merit the time and effort. Oh and never mind all the legal mess DOS gets you into.
If you've ever done helpdesk duty at any University, you've probably run into Joe Shmoe who comes running to you and asks you to help get his final report off this floppy which seems to be corrupt.
Even after having tons of space on the network drive and a cd-burner on the same computer people still use floppies. Dunno why.
People have often told me they back their data onto floppies. WHY? Floppies are probably the worst thing for backups given their failure rates.
Step in the right direction IMO.
You have touched upon a few good points (and a lot of bad ones).
The good stuff:
1. I think some of the stuff at the top you're trying to get at is summarized very neatly in the end-to-end argument paper by Reed, Saltzer and Clark (MIT). The core of the argument (applied to security) is that you have to assure secrecy between the two end-points that matter. Encryption in between may only be used as an optimization - no guarantees can be made or expected. Read the paper if you haven't:
http://web.mit.edu/Saltzer/www/publications/pubs.
The bad stuff:
1. Short of non-reversible encs like md5 it is basically impossible to protect data if you know the before enc and after enc data on a common packet.
What utter nonsense. Go back home and read your crypto book. What you're talking about is a known plaintext attack (you know the plain text and the cypher text and try to determine a key) and almost all the ciphers out there (DES, Rijndael, DES-variants) can withstand this attack.
2. it's been well known in military tactics for decades that no matter how you encrypt your data it will always be broken when it's exposed to scrutiny. Hell PGP can even easily be broken if you know the source doc before encryption and that's supposed to be one of the most secure encryption devices out there.
Add to this that with tcpip you'll always know the source I can't see how you're gonna encrypt the packets short of changing the way tcpip works.
No no and no. Knowing the source does not allow you to break a crypto scheme. That's the whole difference between good crypto and security by obscurity. Read some books. The secret is usually the key, not the protocol, not the algorithm.
802.11 is about as secure as your wired LAN or any other unencrypted traffic flying out of your computer. Security is an end-to-end argument and it does not behoove the protocol to make any security guarantees (neither ethernet nor 802.11 do this).
I've had enough about people saying how insecure 802.11 is just because someone can sniff your packets. It's the same for any shared medium (think ethernet or the internet backbone). So if you are paranoid about your security, encrypt all the traffic that is flying across the wire.
Who are the correct people, if any, to alert in case you see such attacks originating from certain IPs?