Slashdot Mirror


User: Evil+Greeb

Evil+Greeb's activity in the archive.

Stories: 0 · Comments: 18

Comments · 18

  1. Credit Card Authentication Services on Novell CEO Attacked by Cookie Monster · · Score: 1
    Okay, now smart cards are obviously the solution here, but your average online purchaser isn't going to have a card reader for a while.

    So here's my suggestion...

    When a person is issued with a credit/debit card account, they are asked if they want to make online purchases. If they think they might want to, the bank supplies them with a small device, like a pager.

    Whenever a customer wants to make a purchase, they enter their credit card details and send them off, where the mod 10 algorithm and expiration dates are checked.

    If this passes the test, the bank sends a message to the pager-like device asking the user if he/she authorises the transaction. The device has at least 2 buttons, maybe 3: one for "yes", one for "no", one for "alert, someone else is trying to use my account!"

    I think it would be a good idea for a bank to provide this sort of service, because then users would be much happier with their security, and less worried about the possibility of online fraud.

  2. Re:It makes some sense.. on $7.5m for Domain Name · · Score: 1
    I would suspect entrepreneurs would look at a number of things -- www.entrepreneur.com.

    Assuming they could spell it (it's not the most obvious of words). Spelling is quite an issue for me when it comes to registering domain names. You think of something that sounds pretty cool (and is still available), and then you think, could your average person remember how to spell it?

    Just look at the major search engines, none of them have that memorable a name: lycos, excite (how many people miss out the 'c'?), altavista... (lucky for bookmarks, eh).

    Another issue: do you go for the hyphenated word or not? Generally, I think things look better without them, but sometimes the words get mangled and it looks different to the meaning you are trying to convey. Most decent one-word domains have gone, so you are stuck with: do I register evil-greeb.com or should it be evilgreeb.com or should I get both, just in case? (that starts to get expensive). And for those companies with more than one word as their name, they have to protect their asset (their name and identity) by just registering all variants. Not to start mentioning common misspellings....

  3. Re:Banned in Australia on $7.5m for Domain Name · · Score: 1
    I believe France is equally strict about its .fr domain (i.e., you have to have the business in France).

    I wish they (whoever is controlling this, American gov't, CORE, whatever) would get it sorted and introduce more TLDs. There should be somewhere for people to have their own individual homepage without it needing to be http://www.geocities.com/somestreet/5184/fred.html and neither should they really be occupying http://www.fred.com/ ... you should know when you type a page in that you're not going to get someone's personal one-page homepage, and also that you're not going to get a p0rn site (definitely, especially if the controller is serious about 'protecting minors'). I think all p0rn sites should use a .xxx extension, then whoever didn't want to go there wouldn't accidentally and embarrassingly land up there. I overheard someone the other day saying that they received a PDF file, and went to download Acrobat Reader. They thought http://www.acrobat.com/acrobat.html would be a reasonable place to look for it ... er, no, that was a p0rn site. Also, I'm sure companies who filter / monitor their employees' Internet habits would find it easier to pick up on .xxx extensions :-)

  4. UK Domain Name Squatters on $7.5m for Domain Name · · Score: 2

    Recently, some guy went and spent a pretty penny (or thousands and thousands of pounds) buying up the remainder of the three-letter domains in the UK. I can imagine him being able to sell some, but there's going to be hundreds left that he owns. This would be all well and good for him if he didn't have to pay the renewal fee in just under 2 years' time ...

  5. Re:SPEC numbers (as requested :-) on .75 GHz Athlon Released · · Score: 1
    As an aside, why doesn't Slashdot allow TABLE tags in comments?! It would make the above chart much easier to write/read.

    I hear what you're saying, but 99% of Slashdot comments wouldn't require them. Also, it's totally feasible that people would start messing up the page formatting, like I used to do with The Mirror forum till it broke. There are several options here ... one is to post very early on, with the TABLE tag, and later on, with the /TABLE, or to do millions of nested tables. Also, it makes their CGI script more complicated, cos then it would have to recognise TR and TDs. And tables take ages to load in Netscape.

    The Mirror forum was great, because it didn't do ANY filtering at all, just whacked things in a PRE tag. So, it was trivial to redirect it to other rival newspaper pages, mess up the frames, etc. Also, changing the font face to Wingdings, by posting a /FONT, waiting and then posting a FONT FACE=BLAH a while later (new comments appeared at the top of the page). Once someone posted a marquee tag, which didn't display properly on some people's screens, and there were panicky comments about "is this a virus?"! One thing I never tried was to see if it would execute SSIs, now that might have been fun :-) Btw, we gave them a sporting chance by e-mailing them telling them of the risks, but they never replied. Oh well!

  6. Medical Health Issues on Username/Password - Is It Still Secure? · · Score: 5
    Ross Anderson's homepage has a whole host of articles pertaining to medical issues.

  7. Patent Research on Yahoo Patents Dynamic Page Generator · · Score: 2
    OK, I know nothing about the US Patent Office (or whatever it's called).

    But don't they do any research in the area of the patent to find out if it is in fact a new creation?

    Why can't they ask some computer body (IETF?) if this is in fact something that should be patented, or if everyone else is using it already?

    And is this patent worldwide? (If it is, then surely other countries should have some say in the matter).

  8. Spam Relays on Hotmail Implements Spam Filter System · · Score: 1
    I can't understand why the average site would want to act as a mail relay for other sites, after all, bandwidth == money (at least, here in the UK, where my co-location deal is £50 per month for 1Gbyte data transfer, and that was the best one I could find).

    As for spam, my yahoo site has been taken to being spammed by yahoo addresses, my hotmail one has loads of @hotmails, and my usa-net account is ridiculously full of porn spams (I only put that address up on one silly free page and that's what I get for it!) Actually, I wondered if usa-net was actually giving out my address to spammers because the amount of junk was so excessive, so I set up a spam-box account there a while back, checked it yesterday, still not a whimper.

    The most annoying thing about spam e-mails is that half of them say 'to get off this list, you must phone 1-800-AMERICANNUMBER', and I'm like, er, yeah right! So I have a filter at yahoo that gets rid of e-mails containing American phone numbers and the permutations of the phrase 'Zip Code'.

    At least web-based accounts don't actually spend hours downloading the spam onto your machine (significant while we still pay for dial-up calls in the UK).

  9. Re:Tempest Attacks on Coming to a Desktop near you: Tempest Capabilities · · Score: 1

    I recall Microsoft saying at the time that they couldn't use this technology, because it would give them too much of the 'big brother' image. Oh well, back to the drawing board.... :-)

  10. Tempest Attacks on Coming to a Desktop near you: Tempest Capabilities · · Score: 2
    I remember being in a Ross Anderson lecture where he demonstrated how by filtering out the top 30% frequency, you could hide your information from a Tempest scanner. PGP 6.0.2 apparently does this, so if you're worried about the government decrypting your transmissions then maybe you should use that!

    Also, he demonstrated displaying one thing on your screen, and another thing on the attacker's screen, which has the potential to be used two ways: either to foil an attacker, or the possibility of a Tempest virus, which secretly transmits your cryptographic key to the white van waiting outside, while displaying something else altogether on your screen!

    Ross Anderson's homepage has links to his papers on this topic.

  11. Meaningless Kitemark on TRUSTe Decides Its Own Fate Today · · Score: 1
    What do these 'approved site' kitemarks actually mean to the average consumer? I've never heard of TRUSTe (I know I'm probably in the minority here on Slashdot), but what about your average websurfer? And do they actually acknowledge it? After all, Microsoft innovate and create great technology, they wouldn't violate my privacy, would they? (This isn't my express opinion, btw).

    On another note, if Mr. bad Hacker puts up an internet site with a large grey box and a popup java/javascript window saying 'you need xyz plugin to make this site rock! get it from here', how many people would actually click through and be presented with a netscape-plugin-lookalike page, maybe even submit some personal details (for updates to this great product) and download a trojan?

    And how easy is it to fake one of these icons? If you were a porno site, it would make an ideal badge to those consumers worried about paying $2 for a background check.

    The thing is, most people using the Internet are far too trusting, send personal data in the clear, and believe anything. They don't need a TRUSTe badge to help them do that.

  12. Re:Learning from Microsoft on Why DVD Encryption Crack was a Cinch · · Score: 2
    If there weren't any crackers breaking (into) things, XORing bytes would still provide enough security!

    It's how you use the knowledge that counts. If you discover a security hole, then you could either:

    • do something to exploit it
    • ignore it
    • inform the appropriate people, so that it gets fixed

    If you ignore it, then you're in effect helping the 'bad guys', who will inevitably discover this vulnerability and exploit it, when in fact there may have been a chance to get it fixed.

    If you exploit it, you could either keep the discovery to yourself, make it public so that every cr/hacker-wannabe can use it for their own interests, or make it public to put pressure onto a body to fix it (as in the MS hotmail case). In the first two cases, you're being the bad guy, in the second case, your motivation is good, but your implementation is flawed: this should only be tried as a last resort.

    If you report it, and it gets fixed, then kudos all round.

    Encryption isn't all it's cracked up to be.

  13. Copyright Protection on Why DVD Encryption Crack was a Cinch · · Score: 1
    As mentioned on Ross Anderson's Webpage here, breaking copyright protection can always be done.

    This case is lamentable because it was defeated so easily, in a way that shouldn't have been allowed to happen.

    Encryption isn't all it's cracked up to be.

  14. Re:Slashdot is scared of M$ too on Investment Advisor Alleges MS Financial Fraud · · Score: 2
    An article here at the Register notes how several publications 'fell for' a Dixons rip-off story (where it was claimed that Dixons were ripping consumers off), following allegations by Intel employee Craig Barrett. All of them had to apologise, after the Office of Fair Trading found that the allegations were false. It's sensible of the Slashdot people not to comment on it, in case the same happens.

    A publication should not officially comment on something that may turn out to be false, because it can backfire nastily (libel?) and can cause damage to journalistic reputation.

    As Slashdot subscribers, we don't have to worry about the latter problem, but I wonder if one day someone is going to libel somebody about a post made on Slashdot.

  15. Re:Revealing on Lycos: Can't Get There From Here · · Score: 1

    Most search engines must analyse the content of your query, to provide you with targeted advertising (like, an Intel ad if you search for 'Computer hardware'). This goes back to the advertiser logging business from yesterday.

  16. Empty Domain Names on US House of Reps. Bans "Cybersquatting" · · Score: 1
    I was looking for a domain name for my website recently, and found that almost every (decent) variant of what I wanted was taken. Looking at the whois, I saw that some of these domains had been registered years ago, and no website had been created. If they are actually using the names (e.g., for e-mail) then fair enough - but it's a pretty good guess that they're just occupying the names (and useful names at that).

    In another case, all the town names in England (even my village name!) have been registered by one company, that intends to put up the same structured website for each town detailing the shops, etc, in that town. Now this rankles me (although legally I have no right), because how can they, on the other side of England, possibly know what is best for our village? What's more, they intend to sell 150 of the names to cover their costs. At least they are trying to do something useful with the names though, and it's a project to watch.

  17. Too Much Tracking, Yahoo! Policy on Cookies, Ad Banners, and Privacy · · Score: 1
    A message at the bottom of the Yahoo mail login screen has just caught my attention: Yahoo track your behaviour online.

    They use cookies, and also collect IP addresses. Yahoo does research on users' demographics, interests and behaviour based on your registration, server log files, from surveys and during a promotion, which it then shares with "advertisers and business partners".

    Yahoo is also allowed to match user information with third party data.

    Yahoo allows you to switch off cookies, but then you can't use its services, such as the web e-mail.

  18. Philosophy on Bill Joy, ESR, RMS and more on SCSL vs GPL · · Score: 2
    It all comes down to a difference in philosophy.

    Richard Stallman believes that not having access to source code causes material (and psychosocial) harm. Under the GPL, anyone who takes and modifies your code cannot turn it into a proprietary product. He views this as for the good of mankind.

    Bill Joy, on the other hand, believes that making just the APIs available is good enough. The FreeBSD license means that you are allowed to develop proprietary software (contrast this with Debian).

    For those Java developers who side with Stallman on this issue, a GNU Java compiler does exist.