It'd have been nice to have them try and impliment an Open "OpenVMS" type OS, as that was more the direction they were going anyway... We've got OSS POSIX, but no VMS.:-/ That would be incredible, IMO.
I don't think there's necessarily any problem with everyone using the same hardware form factor key. Just have the key be able to interface with various existing authentication methods (PAM and Windows auth would likely be more than sufficient for starters, but hopefully some sort of modular system so that additional authenticaiton methods can be added trivially) so that it could conceiveably be used on any system that supports USB tokens or CF cards, etc.
THen, just have a password on the card/chip/token that prevents its use without a passphrase (using internal encryption and not something sw based, of course).
It's little different, and undoubtedly more secure, than an ATM: you've got the "thing you have" and the "thing you know. The difference is, "the thing you have" isn't just a 16 character string but something much more fundamentally secure with its own encryption, and the "thing you know" isn't just a 4-digit PIN, but any number of combinations of alphanumeric, mixed-case, with special characters - of variable length.
There's relatively little incentive for someoen to go through the trouble of putting an "ATM sniffer" like device on a computer, too, as it's due to not have nearly the return (and what good would it do them with the encryption?)
And, for web applicaiton of this tech, add in a single-time pad so that if indeed data is sniffed and cracked, its useless as soon as 5 minutes later.
You forgot things like compatibility with a specific X server version, specific library linking (IE, the "correct version" and maybe even things such as SDL version and specific window/desktop manager version.
At least two of those things will need to be taken into consideration. Sure, they could build for a target distro, but then they'd leave a good 80% of the Linux community out of their potential clientele - unless they invested significant time/energy in remedying the situation.
In Windows, you just have DirectX and the specific Windows version to worry about (ie, Win98, WinXP, Win2k). That's certainly a real advantage to having long times between major OS releases: it's not a moving target for developers (as much as it is in Linux, at least).
What I want to know is, why does google not have an uber-customizeable "user profile" page where you can specify custom search modifiers via a pull-down menu, label them what you want, and then apply them to your searches as you go?
THeir "advanced search" does not include anywhere near all of the actual features which google supports, and its a shame as its sometimes difficult to figure out how to do some of the stuff.
Nonsense. Microsoft simply did it wrong: they centralized it against themselves.
Instead, let each system be independent and its own authority. If that one host is compromised, then one host is compromised, along with one key for each user on the system: not the keys for all of those users on other systems.
Think of it as an SSL/SSH shared key, where there's a central point with all the information of where it's allowed to connect without authorizing with a passphrase, and then those endpoints know who is allowed to use a key. Instead, it should be a physical key which I can take anywhere.
The current problem with the SSH/SSL keys is that there's no practical physical solution implimenting them, and different systems have different requirements, etc. - IE, Windows login authentication vs. PAM authentication. Maybe if you built a device which could utilize them all... THAT would actually work quite well, IMO.
I'd pay up to $200 for one such device for myself, provided it would work fairly universally. I'd require the 'dock' (if there were one, but preferably not), and at least two replacement keys for such a price, though. And they'd have to be sturdy: in other words, putting it through the wash, or leaving it in my pocket if I went to the beach, would not be a problem so much as a hastle.
Additionally, it would need to work with all OSes fairly trivially - and preferably make the interface as basic as possible so that it could be well-tied-down at the hardware level for each OS.
The trick, I think, would be making the device secure: here you have a device which is attached to your system with every single password you own. Those passwords would likely have a management tool for each OS as well, which would allow you to access the 'admin' layer of security on them. The problem, of course, would be having viruses, trojans, spyware, etc. that would likely agressively try and steal that data. It would definately require a second hash to access the device - but that would certainly be preferable to having the hundreds of passwords we have now. The need for "forgotten password" reminders would be all but relegated to the last century.
Another method might simply be the "secure hardware ID" type measure that Intel put in their P3s originally. Then anyone could simply grant your ID access. This might have a bit more complications than the above method, though, for various reasons (such as damaged/lost keys or someone designing a device which can mimick the mechanism). The first method is likely preferable.
I really do see this as the best solution, but these devices would likely have to come with new computers - and cost a mere pitance ($10?) for most people to be willing to switch to them without provocation and irritation - and their OSes would need to support them before they switched to this methodology of authentication.
It's a fairly futuristic concept, really. One "chip" to grant you access to all the resources you need for your job, and you're done. Very "Star Trek".
Don't forget: native support within all three major operating systems (Windows, Linux, and MacOS, respectively).
That'd be a large hurdle in and of itself. What kind of encryption will they use? Plain hash? SSL key? Etc. Expect each respective group to do things differently, some* embracing and extending the agreed upon standard, etc.
Here in South Dakota, USA, there's a state senate process which was to "send a bill to the 41st day" which sounds similar. I don't know if this is national practice or not; I don't really know the formalities of law making that well. At any rate, this functionally has the result of killing the bill for the year, as there are only 40 days in senate's session per year (yes, they work really hard *cough*).
I've been wondering why they don't just throw the bill out when there's enough concensus to "41st day it", as there's obviously enough concensus that the bill sucks.
Security is support capital. In other words, if you spend the time to do security right -even if work piles up - you will have more than enough time to catch up because your support role was greatly reduced by your security measures.
Take, for instance, Windows spyware issues. Install corporate spyware removal stuff and central management, and things like managing an install of 3,000 desktop systems no longer feels so inundating to a small group.
This is severe merely because he "used a computer" and that, my friend, is an incredibly grevious crime nowadays! With all that free information floating around out there on the internet - bomb instructions, illegal software, and (heaven forbid) porn - it's a dangeorous place, and anyone that knows how to use a computer diligently should be arrested!
I didn't RTFA, but it's possible that a kid could put a keylogger on a machine and still remain innocent. He or she could be bored shitless and simply want to entertain themselves, the data itself being fairly inconsequential.
Though, it sounds like from the temperature of the posts that he did indeed target the teacher specifically for test answers. In that case...
(On the other hand, I knew someone that did that, and never used them - they were for a class he wasn't even in, he just did it for shits and giggles.)
The problem here, though, is that it's difficult to design a better human - humans being, after all, the biggest footfall in physical security, largely due to not knowing shit about physical security or proper passwords.
It takes many years (about 12 + 4 here in the states) to program a human, and for years the quality of that programming has decreased drastically due to bored, underpaid programmers and poor programming procedures in general. I'm not sure how you want to make the humans better, but currently there's no practical method aside from the non-profit "open source" method of human programming.
I'm guessing that scenario of your's was mostly successful due to luck. Sure,there was a degree of good human understanding on your part as to what a teacher might pick as a password, but the likelyhood was still quite low - unless there was a particular reason you thought "hello" would be valid, that is?
I've got a similar story that's similar (my relationship to them won't be shared to protect them from any reprecussions - you never know - but I can tell you that it was not me that was involved).
A science teacher (chemistry, I think?) in my acquantance's high school had already given the final exam for a class he was in before the last week of school. So, when he went in for his last actual class period for that course, she basically said "free day". She passed out pizza because a certain percentage of the class had gotten A's on the final (and in the course), and she wanted to reward them as she said she would. She had some board games and various chemistry-related fun things for students to do at their leasure for the hour (oooo! dry ice!), and let them at it.
Except for one thing. She started up her computer, opened up the gradebook application terminal, and told the students that they could come up, one by one, to check their grades. She then went back to her desk and read her book (until the dry ice fun began, at least).
Well, as it would be, she opened her grade book - not an exported spreadsheet or anything like that. Students were more than able to change their grades at whim, or the grades of their friends.
Well, this acquantance of mine changed a couple F's for incomplete homework assignments to C's and what have you - enough to bring him up to the A he needed (which reflected his exams). He also changed the grades of a fellow classmate of his, one who was notorious for beating up middle school kids and being an all around jackass - in the opposite direction. Nobody found out, and apparently a couple other folks did the same thing, too.
If there was reporting software for the gradebook, I suspect it made quite a few revision notes during that 30 minute period prior to the dry ice fun.:P
The irony is, this exact same thing happened to the same acquantance a couple years earlier as well (minus the grade altering). Teachers are just stupid (either that, or they want to do everything possible to make sure it looks like their students did well - the chem teacher in the first example was apparently quite easy.)
I had full reign of my high school's Novell servers the entire time I was there. I also had full access to student grades and teacher notes on various students, as it was all stored on systems with factory-default passwords. Granted, I never did anything with the information, and happened upon the fact before I was even "into" computers - I was just curious. A couple years after I found out about it, however, a classmate of my younger brother found out it independently. He didn't play it too close to his vest, and told his (female) cousin and one other person (I think?). Well, before long someone on the fringes of their social group heard about it and thought it was a good idea to save about 5Gb of porn and MP3s on the school's fileserver (back when 10G disks were still about $150/each or more) - in the administrator's directory. They found it and a couple people got in trouble, leading back to my brother's acquantance. Somehow he managed to sweet talk his way out of it, as he never actually did anything to the system (just discovered the 'vulnerability')
There was also this guy I knew* when I was a freshman in high school that put a keylogger in the startup (Win95) of all the lap computers - maybe 40 or so? He actually took the time to go from PC to PC with a floppy and install it via a batch job that said something like "Performing system registry maintenance, please wait..."
If I recall correctly, he did it during his computer class (which, of course, involved doing asinine things like making Word documents and PowerPoint slides) under the guise of "helping the teacher". Never got caught, either. The teacher was a fat bastard that was always stressed out by the littlest occurances within the labs, and I doubt he knew a thing about computers; he was probably scared to death by them.
This friend of mine showed me some pretty outrageous things that our classmates had written via hotmail (remember those pre-MS days?:P) He'd also installed a scheduler app on them and had the logs uploaded to a server somewhere nightly.
Oh boy, did he wreak havok with the gossip chain. It's absolutely -amazing- how quickly a little glib off-the-cuff comment can travel in high school. Quite the social experiment we had.
No, I think it's more along the lines of leaving your gun outside your door in a a gang-heavy neighborhood.
A better analogy than your's and still along the same lines would be something like: repeatedly leaving your truck - with a gun rack in the back window - unlocked in a bad neighborhood, and having it repeatedly stolen for drive-by shootings. you'd likely get in a bit of trouble for that.
it would be interesting if, instead of simply cutting off their access, they switched them over to a non-routeable subnet (via a short dhcp lease time) and direct all HTTP traffic to a single server which would then alert them to the problem (with bold blinking red on black text or something equally as noxious) and provide them with a list of links to various tools to disinfect them, based on what's a common problem at the time being. all stored on this private subnet, of course.
They could even go a step further and automatically generate a custom page for the user based on the type of traffic and its signature (iis exploit, etc.), their IP address (thus, it would startle them with their own name), and even provide them with the most likely fixes for the problem.
Then, after they're done fixing things they could click a button that said "I have fixed my computer and would like to use the internet within 15 minutes" or something like that. They'd then be 'tested' for such hostile network activity again, and if they didn't pass they'd be alerted to it.
I could imagine a large cable/dsl ISp implimenting something like this. it would pay for itself in a couple months due ot bandwidth and tech support calls.
that's not what we're talking about. we're talking about 'business process' stuff, like a mathematical formula, a load balancing equation, a new fast virtual memory manager, etc. - things which can make or break the quality of a product.
What? Social criticism, raw idealism, "triumphalism" about the human spirit? Did you see the same TOS I remember?
I remember exotic alien women, vulcan nerve pinches, and exotic, foreign cultures with different customs and beliefs that result in mayhem with the Enterprise crew opposing their views - through force - on those they encounter. That's what made it fun, not the whole "good will towards men" stuff.
This might be greatly advantageous to small bookstores (new and used), if they can get any title for a person within two days and not have to order in bulk, etc.
I wonder if this rate deal covers the "used" 3rd party books.
So you're saying that one company should be able to profit off of the hard work and invention of another - and on top of that, so that they compete against the other company?
I drive a Taurus wagon with no power steering to work daily, with a large cup of hot coffee sitting between my legs, a cigarette in my hand, and a breakfast sandwitch on the seat beside me which I'll occasionally grab a bite of.
I was sitting here reading this comment and thought, "hey, that's pretty insiteful; I htink I'll reply" and then I realized I'd written it not 5 minutes ago.
Lay off the crack, man... lay off the crack./puts the crack pipe down
It'd have been nice to have them try and impliment an Open "OpenVMS" type OS, as that was more the direction they were going anyway... We've got OSS POSIX, but no VMS. :-/ That would be incredible, IMO.
I don't think there's necessarily any problem with everyone using the same hardware form factor key. Just have the key be able to interface with various existing authentication methods (PAM and Windows auth would likely be more than sufficient for starters, but hopefully some sort of modular system so that additional authenticaiton methods can be added trivially) so that it could conceiveably be used on any system that supports USB tokens or CF cards, etc.
THen, just have a password on the card/chip/token that prevents its use without a passphrase (using internal encryption and not something sw based, of course).
It's little different, and undoubtedly more secure, than an ATM: you've got the "thing you have" and the "thing you know. The difference is, "the thing you have" isn't just a 16 character string but something much more fundamentally secure with its own encryption, and the "thing you know" isn't just a 4-digit PIN, but any number of combinations of alphanumeric, mixed-case, with special characters - of variable length.
There's relatively little incentive for someoen to go through the trouble of putting an "ATM sniffer" like device on a computer, too, as it's due to not have nearly the return (and what good would it do them with the encryption?)
And, for web applicaiton of this tech, add in a single-time pad so that if indeed data is sniffed and cracked, its useless as soon as 5 minutes later.
Oh, and what's this "MS owns 60% of OGL" nonsense? Where do you get that from?
You forgot things like compatibility with a specific X server version, specific library linking (IE, the "correct version" and maybe even things such as SDL version and specific window/desktop manager version.
At least two of those things will need to be taken into consideration. Sure, they could build for a target distro, but then they'd leave a good 80% of the Linux community out of their potential clientele - unless they invested significant time/energy in remedying the situation.
In Windows, you just have DirectX and the specific Windows version to worry about (ie, Win98, WinXP, Win2k). That's certainly a real advantage to having long times between major OS releases: it's not a moving target for developers (as much as it is in Linux, at least).
What I want to know is, why does google not have an uber-customizeable "user profile" page where you can specify custom search modifiers via a pull-down menu, label them what you want, and then apply them to your searches as you go?
THeir "advanced search" does not include anywhere near all of the actual features which google supports, and its a shame as its sometimes difficult to figure out how to do some of the stuff.
Nonsense. Microsoft simply did it wrong: they centralized it against themselves.
Instead, let each system be independent and its own authority. If that one host is compromised, then one host is compromised, along with one key for each user on the system: not the keys for all of those users on other systems.
Think of it as an SSL/SSH shared key, where there's a central point with all the information of where it's allowed to connect without authorizing with a passphrase, and then those endpoints know who is allowed to use a key. Instead, it should be a physical key which I can take anywhere.
The current problem with the SSH/SSL keys is that there's no practical physical solution implimenting them, and different systems have different requirements, etc. - IE, Windows login authentication vs. PAM authentication. Maybe if you built a device which could utilize them all... THAT would actually work quite well, IMO.
Precisely.
I'd pay up to $200 for one such device for myself, provided it would work fairly universally. I'd require the 'dock' (if there were one, but preferably not), and at least two replacement keys for such a price, though. And they'd have to be sturdy: in other words, putting it through the wash, or leaving it in my pocket if I went to the beach, would not be a problem so much as a hastle.
Additionally, it would need to work with all OSes fairly trivially - and preferably make the interface as basic as possible so that it could be well-tied-down at the hardware level for each OS.
The trick, I think, would be making the device secure: here you have a device which is attached to your system with every single password you own. Those passwords would likely have a management tool for each OS as well, which would allow you to access the 'admin' layer of security on them. The problem, of course, would be having viruses, trojans, spyware, etc. that would likely agressively try and steal that data. It would definately require a second hash to access the device - but that would certainly be preferable to having the hundreds of passwords we have now. The need for "forgotten password" reminders would be all but relegated to the last century.
Another method might simply be the "secure hardware ID" type measure that Intel put in their P3s originally. Then anyone could simply grant your ID access. This might have a bit more complications than the above method, though, for various reasons (such as damaged/lost keys or someone designing a device which can mimick the mechanism). The first method is likely preferable.
I really do see this as the best solution, but these devices would likely have to come with new computers - and cost a mere pitance ($10?) for most people to be willing to switch to them without provocation and irritation - and their OSes would need to support them before they switched to this methodology of authentication.
It's a fairly futuristic concept, really. One "chip" to grant you access to all the resources you need for your job, and you're done. Very "Star Trek".
Don't forget: native support within all three major operating systems (Windows, Linux, and MacOS, respectively).
That'd be a large hurdle in and of itself. What kind of encryption will they use? Plain hash? SSL key? Etc. Expect each respective group to do things differently, some* embracing and extending the agreed upon standard, etc.
Here in South Dakota, USA, there's a state senate process which was to "send a bill to the 41st day" which sounds similar. I don't know if this is national practice or not; I don't really know the formalities of law making that well. At any rate, this functionally has the result of killing the bill for the year, as there are only 40 days in senate's session per year (yes, they work really hard *cough*).
I've been wondering why they don't just throw the bill out when there's enough concensus to "41st day it", as there's obviously enough concensus that the bill sucks.
"No fucking shit lady, what do you think I'm doing, ordering a pizza?!"
The sentiments, if not the words, are appropriate.
Bullshit.
Security is support capital. In other words, if you spend the time to do security right -even if work piles up - you will have more than enough time to catch up because your support role was greatly reduced by your security measures.
Take, for instance, Windows spyware issues. Install corporate spyware removal stuff and central management, and things like managing an install of 3,000 desktop systems no longer feels so inundating to a small group.
This is severe merely because he "used a computer" and that, my friend, is an incredibly grevious crime nowadays! With all that free information floating around out there on the internet - bomb instructions, illegal software, and (heaven forbid) porn - it's a dangeorous place, and anyone that knows how to use a computer diligently should be arrested!
*ahem* Orwell was right. *sniff*
I didn't RTFA, but it's possible that a kid could put a keylogger on a machine and still remain innocent. He or she could be bored shitless and simply want to entertain themselves, the data itself being fairly inconsequential.
Though, it sounds like from the temperature of the posts that he did indeed target the teacher specifically for test answers. In that case...
(On the other hand, I knew someone that did that, and never used them - they were for a class he wasn't even in, he just did it for shits and giggles.)
The problem here, though, is that it's difficult to design a better human - humans being, after all, the biggest footfall in physical security, largely due to not knowing shit about physical security or proper passwords.
It takes many years (about 12 + 4 here in the states) to program a human, and for years the quality of that programming has decreased drastically due to bored, underpaid programmers and poor programming procedures in general. I'm not sure how you want to make the humans better, but currently there's no practical method aside from the non-profit "open source" method of human programming.
I'm guessing that scenario of your's was mostly successful due to luck. Sure,there was a degree of good human understanding on your part as to what a teacher might pick as a password, but the likelyhood was still quite low - unless there was a particular reason you thought "hello" would be valid, that is?
:P
I've got a similar story that's similar (my relationship to them won't be shared to protect them from any reprecussions - you never know - but I can tell you that it was not me that was involved).
A science teacher (chemistry, I think?) in my acquantance's high school had already given the final exam for a class he was in before the last week of school. So, when he went in for his last actual class period for that course, she basically said "free day". She passed out pizza because a certain percentage of the class had gotten A's on the final (and in the course), and she wanted to reward them as she said she would. She had some board games and various chemistry-related fun things for students to do at their leasure for the hour (oooo! dry ice!), and let them at it.
Except for one thing. She started up her computer, opened up the gradebook application terminal, and told the students that they could come up, one by one, to check their grades. She then went back to her desk and read her book (until the dry ice fun began, at least).
Well, as it would be, she opened her grade book - not an exported spreadsheet or anything like that. Students were more than able to change their grades at whim, or the grades of their friends.
Well, this acquantance of mine changed a couple F's for incomplete homework assignments to C's and what have you - enough to bring him up to the A he needed (which reflected his exams). He also changed the grades of a fellow classmate of his, one who was notorious for beating up middle school kids and being an all around jackass - in the opposite direction. Nobody found out, and apparently a couple other folks did the same thing, too.
If there was reporting software for the gradebook, I suspect it made quite a few revision notes during that 30 minute period prior to the dry ice fun.
The irony is, this exact same thing happened to the same acquantance a couple years earlier as well (minus the grade altering). Teachers are just stupid (either that, or they want to do everything possible to make sure it looks like their students did well - the chem teacher in the first example was apparently quite easy.)
No kidding.
:P) He'd also installed a scheduler app on them and had the logs uploaded to a server somewhere nightly.
I had full reign of my high school's Novell servers the entire time I was there. I also had full access to student grades and teacher notes on various students, as it was all stored on systems with factory-default passwords. Granted, I never did anything with the information, and happened upon the fact before I was even "into" computers - I was just curious. A couple years after I found out about it, however, a classmate of my younger brother found out it independently. He didn't play it too close to his vest, and told his (female) cousin and one other person (I think?). Well, before long someone on the fringes of their social group heard about it and thought it was a good idea to save about 5Gb of porn and MP3s on the school's fileserver (back when 10G disks were still about $150/each or more) - in the administrator's directory. They found it and a couple people got in trouble, leading back to my brother's acquantance. Somehow he managed to sweet talk his way out of it, as he never actually did anything to the system (just discovered the 'vulnerability')
There was also this guy I knew* when I was a freshman in high school that put a keylogger in the startup (Win95) of all the lap computers - maybe 40 or so? He actually took the time to go from PC to PC with a floppy and install it via a batch job that said something like "Performing system registry maintenance, please wait..."
If I recall correctly, he did it during his computer class (which, of course, involved doing asinine things like making Word documents and PowerPoint slides) under the guise of "helping the teacher". Never got caught, either. The teacher was a fat bastard that was always stressed out by the littlest occurances within the labs, and I doubt he knew a thing about computers; he was probably scared to death by them.
This friend of mine showed me some pretty outrageous things that our classmates had written via hotmail (remember those pre-MS days?
Oh boy, did he wreak havok with the gossip chain. It's absolutely -amazing- how quickly a little glib off-the-cuff comment can travel in high school. Quite the social experiment we had.
This must be the, what now, 4th "let's read fark and then post it on slashdot" article on slashdot this week?
:-/
Kuro5hin seems just as bad nowadays, too.
No, I think it's more along the lines of leaving your gun outside your door in a a gang-heavy neighborhood.
A better analogy than your's and still along the same lines would be something like: repeatedly leaving your truck - with a gun rack in the back window - unlocked in a bad neighborhood, and having it repeatedly stolen for drive-by shootings. you'd likely get in a bit of trouble for that.
it would be interesting if, instead of simply cutting off their access, they switched them over to a non-routeable subnet (via a short dhcp lease time) and direct all HTTP traffic to a single server which would then alert them to the problem (with bold blinking red on black text or something equally as noxious) and provide them with a list of links to various tools to disinfect them, based on what's a common problem at the time being. all stored on this private subnet, of course.
They could even go a step further and automatically generate a custom page for the user based on the type of traffic and its signature (iis exploit, etc.), their IP address (thus, it would startle them with their own name), and even provide them with the most likely fixes for the problem.
Then, after they're done fixing things they could click a button that said "I have fixed my computer and would like to use the internet within 15 minutes" or something like that. They'd then be 'tested' for such hostile network activity again, and if they didn't pass they'd be alerted to it.
I could imagine a large cable/dsl ISp implimenting something like this. it would pay for itself in a couple months due ot bandwidth and tech support calls.
that's not what we're talking about. we're talking about 'business process' stuff, like a mathematical formula, a load balancing equation, a new fast virtual memory manager, etc. - things which can make or break the quality of a product.
What? Social criticism, raw idealism, "triumphalism" about the human spirit? Did you see the same TOS I remember?
I remember exotic alien women, vulcan nerve pinches, and exotic, foreign cultures with different customs and beliefs that result in mayhem with the Enterprise crew opposing their views - through force - on those they encounter. That's what made it fun, not the whole "good will towards men" stuff.
This might be greatly advantageous to small bookstores (new and used), if they can get any title for a person within two days and not have to order in bulk, etc.
I wonder if this rate deal covers the "used" 3rd party books.
So you're saying that one company should be able to profit off of the hard work and invention of another - and on top of that, so that they compete against the other company?
I'm pretty dangerous, I guess.
I drive a Taurus wagon with no power steering to work daily, with a large cup of hot coffee sitting between my legs, a cigarette in my hand, and a breakfast sandwitch on the seat beside me which I'll occasionally grab a bite of.
Hrm...
I was sitting here reading this comment and thought, "hey, that's pretty insiteful; I htink I'll reply" and then I realized I'd written it not 5 minutes ago.
/puts the crack pipe down
Lay off the crack, man... lay off the crack.