The paradigm is embedded in the quantity, or subset, of data you choose to analyse. In addition, once you start to analyze something, you have already built the "model" ipso facto. I can't imagine how you could set out to analyze something without a model.
The example Anderson uses in fact shows this. Venter had to have a model of an ecosystem within which he posits the existence of organisms. Through testing (statistical analysis), he finds them. Thus 1) ecosystems house organisms and 2) there are organisms we don't yet know about.
The answer to your question is that you can use a self-signed certificate anywhere you can use one signed by a CA, public or not. However, to ensure that you are always talking to the web server and not through a MITM, you must distribute the self-signed certificate or the certificate thumbprint (and then verify it!) through some trusted means.
What using a public CA like Verisign buys you is that since their public CA certificates are already distributed in browsers, any certificate issued by them should just work. Oh, and make sure the host name matches the common name.
There are more wind farms cropping up in central New York (find Syracuse on a map). You can see a few off to the east when flying into Hancock Intl, Syracuse's airport.
Yeah, I second this. 20 years ago I fit all my shit in a sea bag. Now I have dogs, a mortgage, bills, and more stuff than I can pack myself. I am happy, but I feel encumbered.
The Internet's traffic system gives preferential treatment to short communication paths. The technical term is "round-trip time effect." The shorter your RTT, the faster TCP speeds up and the more traffic you can deliver.
Yes. And? Do I really want the server next to me to be as slow as the server in Tokyo?
His point is that firms like Akamai leverage the fact that shorter round trip times mean preferential treatment. It's a hack to get around the TCP design.
The Internet's congestion avoidance mechanism, an afterthought that was tacked-on in the late 80's, reduces and increases the rate of TCP streams to match available network resources, but it doesn't molest UDP at all. So the Internet is not neutral with respect to its two transport protocols.
I'm not sure about this. But he's the expert so I'll accept his claim. But wouldn't it be easier to add UDP management capabilities to the existing structure than any of the alternatives?
He's absolutely correct on this point. If you have a UDP stream like a VOIP phone call or streaming media, it will chug away at its given data rate. TCP will play nice and ratchet up or down. It's not that simple, of course--that doesn't mean a UDP stream at 256KB will stay at 256KB end to end (except on the local network prior to the first router)--there are a lot of moving parts. Namely routers will queue up traffic introducing delay and jitter. The queueing mechanisms generally try to be "fair" in how flows are treated.
In general, if you start a file transfer and then a streaming video, the file transfer will back off. You can try this best on a local network. Use iperf or netperf to start a TCP stream that sucks up most of your bandwidth. Then start a UDP stream that sucks up 70% of your bandwidth. TCP will back off to the remaining 30%.
The big problem comes when the amount of traffic causes congestion. UDP packets are simply dropped while TCP retransmits, causing more congestion and degrading UDP.
I don't think the original design of UDP predicted the sheer amount of traffic that would be carried over it.
So grabbing a huge file off of the server next to me is more efficient than a VOIP call to Tokyo. I'm not seeing the problem yet.
Neither, I don't think. The problem is that as more flows (a unique stream of traffic either TCP or UDP between two peers) are added to the network, utilization goes up. When you reach congestion, the point where packets are dropped, that is where the problem occurs. Congestion can happen anywhere. If there are 15 hops between you and your VoIP caller in Tokyo and 5 hops between you and where you are pulling a file over TCP, and there is congestion in hops 3 or 4 (let's assume both flows cross the same hops 3 and 4), then that is where you will get packet loss, delay, and jitter which will degrade your call.
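The back-off described in the comments above (a constant-rate UDP stream holding 70% of a link while TCP retreats into what is left, and UDP packets dropped only once the link is actually congested) as a small bottleneck-link simulation. This is an added example, not code from the thread; the link capacity, the proportional drop rule and the simplified AIMD window (no slow start, one halving per lossy RTT) are constructed assumptions.

```python
from dataclasses import dataclass

LINK_CAPACITY = 100   # packets the bottleneck forwards per RTT (constructed value)


@dataclass
class FlowStats:
    sent: int = 0
    delivered: int = 0
    dropped: int = 0

    def loss_rate(self):
        return self.dropped / self.sent if self.sent else 0.0


def simulate(udp_rate, rtts=400, capacity=LINK_CAPACITY):
    """Run `rtts` round trips of one AIMD (TCP-like) flow beside one UDP flow.

    Each RTT the UDP flow offers `udp_rate` packets no matter what happened
    before; the TCP flow offers its congestion window.  When the offered load
    exceeds capacity the router forwards only `capacity` packets, dropping the
    same fraction from each flow (a crude 'fair' drop-tail router).  TCP reacts
    to loss by halving its window; UDP just loses the packets.
    Returns (tcp_stats, udp_stats, window_trace).
    """
    tcp, udp = FlowStats(), FlowStats()
    cwnd = 1.0                     # additive increase only: no slow start
    trace = []
    for _ in range(rtts):
        offered_tcp = int(cwnd)
        offered = offered_tcp + udp_rate
        if offered <= capacity:    # everything fits: no loss, window grows by one
            tcp_ok, udp_ok = offered_tcp, udp_rate
            cwnd += 1
        else:                      # congestion: proportional drop, window halves
            tcp_ok = offered_tcp * capacity // offered
            udp_ok = udp_rate * capacity // offered
            cwnd = max(1.0, cwnd / 2)
        for stats, offered_n, ok_n in ((tcp, offered_tcp, tcp_ok), (udp, udp_rate, udp_ok)):
            stats.sent += offered_n
            stats.delivered += ok_n
            stats.dropped += offered_n - ok_n
        trace.append(offered_tcp)
    return tcp, udp, trace


def link_share(stats, rtts=400, capacity=LINK_CAPACITY):
    """Fraction of the link's total capacity over the run that a flow used."""
    return stats.delivered / (rtts * capacity)


if __name__ == "__main__":
    tcp, udp, trace = simulate(udp_rate=70)
    print(f"UDP share {link_share(udp):.3f}, loss {udp.loss_rate():.4f}")
    print(f"TCP share {link_share(tcp):.3f}, loss {tcp.loss_rate():.4f}, "
          f"peak window {max(trace)} packets")
```

With the UDP flow at 70 packets per RTT the TCP window saws between roughly 15 and 31 packets, so it averages a little under the 30% the UDP stream leaves, while the UDP flow loses one packet per TCP overshoot.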
Ah, but the browser has to accept the wildcard as an acceptable replacement for the site's actual host name. I forget, either Firefox or IE accepts a wildcard cert.
For an SSL MITM to be seamlessly possible, meaning the browser wouldn't pop up a dialog due to some issue with the certificate, the server doing the MITM would have to
- generate a new certificate with the target web server's host name in the certificate's common name
- get their CA certificate into your browser's trusted certificate store
If they can't do both, at minimum, your browser will pop a dialog about a hostname mismatch or untrusted certificate respectively.
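The two conditions in the comment above (an untrusted issuer or a host name mismatch each trigger a browser warning), the wildcard question before it, and the earlier advice to verify a self-signed certificate's thumbprint, reduced to the checks themselves. This is an added example, not code from the thread or from any browser; the certificate dicts, trust store and DER bytes are constructed placeholders in the shape Python's ssl.getpeercert() returns, and the wildcard rule follows RFC 6125 (one leftmost label only).

```python
import hashlib

# Constructed sample certificates in the dict shape ssl.getpeercert() returns
# (assumption: made-up values, not real certificates).
CA_SIGNED = {
    "subject": ((("commonName", "shop.example.com"),),),
    "issuer": ((("commonName", "Example Public CA"),),),
    "subjectAltName": (("DNS", "shop.example.com"),),
}
WILDCARD = {
    "subject": ((("commonName", "*.example.com"),),),
    "issuer": ((("commonName", "Example Public CA"),),),
}
SELF_SIGNED = {
    "subject": ((("commonName", "intranet.example.com"),),),
    "issuer": ((("commonName", "intranet.example.com"),),),
}
SELF_SIGNED_DER = b"constructed DER bytes for intranet.example.com"  # placeholder
TRUST_STORE = {"Example Public CA"}   # issuer CNs the browser ships with (constructed)


def hostname_matches(pattern, hostname):
    """RFC 6125 style name matching: case-insensitive; a wildcard is only
    honoured as the entire leftmost label and matches exactly one label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3:   # rejects "*" and "*.com"
        return False
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def cert_names(cert):
    """DNS names the certificate claims: SAN dNSName entries if present,
    otherwise fall back to the subject commonName (legacy behaviour)."""
    sans = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]


def issuer_cn(cert):
    return next((v for rdn in cert.get("issuer", ()) for k, v in rdn if k == "commonName"), None)


def thumbprint(der_bytes):
    """SHA-256 of the DER encoding: the value you would hand out through a trusted channel."""
    return hashlib.sha256(der_bytes).hexdigest()


def check_peer(cert, der_bytes, hostname, trust_store=TRUST_STORE, pinned_thumbprint=None):
    """Return the list of problems a browser would complain about (empty = no dialog).

    Two independent checks: who vouches for the certificate (an issuer in the
    trust store, or a pinned thumbprint for the self-signed case) and whether
    the name in it matches the host being contacted.  Both must pass.
    """
    problems = []
    if pinned_thumbprint is not None:
        if thumbprint(der_bytes) != pinned_thumbprint:
            problems.append("thumbprint mismatch")
    elif issuer_cn(cert) not in trust_store:
        problems.append("untrusted certificate")
    if not any(hostname_matches(name, hostname) for name in cert_names(cert)):
        problems.append("hostname mismatch")
    return problems
```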
You would think there would be laws requiring encrypted storage of PII, but even HIPAA, probably the more proscriptive gov't regulation (though woefully inadequate), doesn't require it. The language is much more general requiring protections, of which encryption could be one factor.
Here's the deal, US corporations will do the absolute least to spend money on protecting data. The fines are low enough to simply not matter and there is no indication that their business suffers much of a hit.
The only way to address this and get companies to start protecting data is to make the punishment more expensive than the fix. If a company could be fined 35% of their gross revenues per loss, not per record, and companies were fined, others would take notice. The fines that will be levied against Bank of NY will barely bump their bottom line.
No, no, no. The TPM does NOT work like SSL. It does NOT have a digital certificate built in, therefore it can NOT be verified by a certificate chain.
It has a private key, yes, and memory to store code and hashes to verify itself. The TPM self-validates at boot time.
You can, if you like, use it to protect a private key, say for a personal certificate or PGP key, while the key is in storage. But once the PGP key is pulled into memory, all bets are off.
Also, the TPM specifications are designed so that it is not enabled by default. The platform owner, that's you if it's a personal computer or your company for a corporate one, has to manually enable the TPM. That is a requirement of the specification. Today, that means getting into the BIOS. Not something your average user is going to do.
Of course, that design requirement could change in the future, but today, that is how it works.
Completely unaware of the fact that I was about to be laid off, I had kicked off an elaborate SQL script on the live server just before my boss called me into his office. They killed my account with this script still running-- oops. A friend of mine who was still at the company said that the resulting zombie crashed the main Oracle server, requiring a reboot, three days after I left.
How very childish of you. I hope that story makes the rounds in your community and you have a hard time getting work.
Purposely thrashing a system helps no one. Being pissed that you're being laid off, that is understandable. Throwing a tantrum over it indicates the company was probably exercising good judgment in letting you go. Hell, the lay-off may have just been a convenient excuse.
Google isn't doing this out of the goodness of their hearts. They want to monetize it, so how will they do that? Sell ads? Ok, where and when will they show up? Only when you are searching your health information or whenever you happen to be searching?
What about selling health information to other entities? Maybe they don't sell the identifying bits, but even regional data can have an enormous impact on your ability to get health and life insurance, the premiums you pay, etc. Insurance carriers already track regional trends, but more data means better predictions.
Look, corporate entities, and never, ever forget that Google is a corporate entity, have to make money and think about how they will do that.
If it were only so simple. At some point, all your DSL connections are aggregated somewhere and that aggregation point becomes the bottleneck.
The WAN technology doesn't make that go away. There could be any number of reasons why you haven't suffered any degradation, such as population density, the profile of your neighbors, etc. It could just be that the neighborhood hasn't reached saturation yet.
I used to have DSL and I found my connection would degrade noticeably in the late afternoon and evening simply because we had a lot of people in the area connected with lots of kids.
The last mile is just one point of degradation. The in-home connection experience is going to get bad. I would hate to live in a city and use wireless simply because of contention on the airwaves. Hell, when I first got FiOS, I had to convince the tech that the reason for the poor performance was because the Actiontec router they provided and a neighbor's were on the same channel, 6, causing contention. I moved mine to channel 11, a non-interfering channel, and wah-lah, performance problem solved.
Seems like the scientific method to me.
Can you cite any examples of a case where a certificate has been subverted in this way?
Yes. Back in 2001, Verisign issued 3 code signing certificates to people impersonating Microsoft employees. As others I am sure have already said, the strength of the identity verification is solely based on how the verification is done.
I wish I had the guts to do this.
come on, Mod funny! I just spit javacript on my PC after reading it.
I shall not want.
Not as major as the Infoworld examples, but I still to this day sometimes forget to set up a virtual interface when configuring a Cisco router. This little command gets me more often than I care to admit:
telnet 192.168.1.1
cisco-router> en
cisco-router# config t
cisco-router(config)# int g0/1
! g0/1 is the interface the telnet session arrived on; re-addressing it drops the session
cisco-router(config-if)# ip address 10.1.1.1 255.255.255.0
Connection Closed
Gaaaaaaaaaaaaaaaaaaaaaaaah!
1) Because certificates cost money to purchase and manage.
2) Because doing SSL on a grand scale would require many sites to invest in SSL acceleration gear to keep up with demand.
3) Because of the management burden: web server admins, from the dudes that manage amazon.com to the lowly mom and pop shop using a shared hosting service, would have to engage in a needlessly complex process.
#1 and #2 are the biggest issues though.
Which is a fine example of security theater. Thanks. EV certificates are marketed as more "trustworthy", yet looking over the docs, the system can be gamed. Add in that the so-called EV certs turn the address bar green on supported browsers. Green means good, safe, and secure. Better than white or red, right?
Say, isn't that little yellow lock supposed to mean something? Oh that's right. It means you have an SSL session with a web site that has a certificate issued from a trusted certificate authority like Verisign. Hmmmm.
So what is the difference again?
If public CAs are supposed to be trusted authorities of identity on the Internet, why do we have to have "extended validation" of an entity before they get a certificate? If we can't trust the CA to validate entities before issuing certificates in the first place, how can we trust them to issue Extended Validation Certificates in the second?
Oh, I forgot, they are in collusion with Microsoft and other CAs to inflate the cost of digital certificates they already issue.
You ppl that think the Wii controller is acceptable for tracking real punches (shadow boxing) need to go to a gym and learn to fight for real.
There is a noticeable lag between the controller movement and the screen, meaning you have to slow down punches and blocks. Think fighting in Dune, but not. :)
It also can't differentiate between a jab, uppercut, and reverse punch well.
Fix that and it would be cool.
Good point. It also applies to an entity that is a business associate of a covered entity. It also applies to "healthcare clearing house."
Both seem to apply here.
Sorry, that was CFR 160.102 and CFR 160.103. You can view it here.
IANAL, but CFR 164.104(3), "A health care provider who transmits any health information in electronic form in connection with a transaction covered by this subchapter," and the comments to CFR 160, 162, and 164, indicate otherwise.
Both Google and Microsoft are engaged in transmitting healthcare information.
didn't read thoroughly.