The ability to set up multiple servers in the enterprise, assign different users to said servers and have the ability for all calendars/users in the enterprise to interoperate.
User authentication/setup through a directory service (i.e. LDAP)
The ability to generate e-mail requesting people attend an event and have people reject or confirm either by e-mail or via URL. Should work for people outside of the company.
Web based front end that can reside on a separate server.
The ability to plug-in various back end databases.
You'll need a LiveCD, a modified keyboard, and mouse. The keyboard will need to have a key generator and an LCD readout. The LCD readout will display a generated key. This will be used as the initial seed value. The LiveCD will need to have special keyboard drivers and software. The goal is to allow the user to enter the initial cipher key using graphical mouse input. The encryption generator in the keyboard will periodically rotate the key. To prevent statistical analysis attacks the keyboard should send a continuous stream of data.
This should prevent key loggers. You'll need to bring your own keyboard though.
This also happened to LinuxToday. CMP Media (Dr. Dobbs, EE Times, etc) stopped all referrals that originated from LinuxToday. (I can't find the link now.) I let my subscription to Dr. Dobbs expire and decided to subscribe to LWN. It's a shame, because I had been subscribing to Dr. Dobbs for at least 8 years.
Let's be realistic here. When has it not?
Computers were originally people who calculated firing tables. The first computers were used to calculate this information and break encryption codes.
The Internet is based on equipment and protocols that DARPA (Defense Advanced Research Projects Agency) paid for. Check out the current and recent solicitations.
I'll grant you that business plays a large role too. It funds its fair share, but it seems as though it is more practical and immediate. The military seems to fund things that might not be very practical now, but can possibly provide the edge in battle.
Have you looked at RenderDrive? The company that my wife works for bought one of these recently. The guy that uses it loves it. It does the job much quicker.
It's a general purpose computer that has special hardware that is used to do the rendering. The OS is Linux. In order to get it on the network you set up a floppy with your config file. There's a plug-in for your system that is used to do the rendering on the computer.
I think that you must think that I'm Jordan Hubbard. Sorry, I'm not. I'm not dumping on you either.
Check out this Ed Foster article. Here's a quote:
Many customers are discovering that the actual cost of acquiring used hardware may go beyond the price of relicensing the software.
"I made the mistake of showing a visiting Cisco rep the 2611 router I'd purchased on eBay for $1,200," says Mark Payton, director of IT at the Vermont Academy, a school in Saxtons River, Vt. "Not only are they asking me to pay to relicense the software, but they are expecting me to get a one-year SmartNet maintenance agreement and to pay an inspection fee."
Although Cisco is only asking Payton for slightly more than $300 each for the software relicensing and the SmartNet agreement, the inspection fee alone is more than $850. Payton is still negotiating with Cisco. "If my sales rep can't get some of those costs waived, the total cost to me for the 2611 router is over $2,700. Brand new through CDW without my additional discounts, I could get this same unit today with one year of SmartNet for $2,300."
The problem with purchasing Cisco equipment from eBay is that you'll have to relicense the software if you want to get a support contract. You do want the support contract, right?
Even if you don't get the contract, you may be running the hardware without the appropriate license. I believe Ed Foster at InfoWorld or someone else there recently (within 2 months) wrote an article that deals with this bargain hardware.
Essentially the cost ended up being more than the router.
You might check out what the samba developers are doing with the 3.0 series. Supposedly, they were looking at caching some of the username and password data so they weren't hitting the ldap server as much.
Horde isn't as bad as it used to be. I finished helping a friend get it installed and it was much smoother than before. You'll probably want to be running the latest distribution. This install went on a RH 8.0 box.
If you need a battery system for your video camera, you should check out Anton Bauer. They are primarily concerned with the professional, but the sales rep that I talked to mentioned that they were getting into prosumer products. Supposedly CNN and a bunch of other organizations use these things. I was told the CNN reporters covering Afghanistan were using them along with some Sony DV equipment.
It's all hearsay though.
--James
Don't forget that it's probably easier for them to purchase 16 17" monitors than one $3200 projector. The monitors could be used by all students whereas the projector can only be used by one group at a time. After using the video wall, it can be torn down and the monitors given back to the appropriate classroom(s).
Also, projectors may cost considerably more than here in the US. This project presents a nice easy way to use existing technology the schools may have to do something else. A lot of us don't really have any idea how bad things might be. I've worked for small companies and getting them to purchase big ticket items was like pulling the tooth of an awake tiger.
--James
You only have 150 users; if worst comes to worst you can just recreate accounts. As all of the others have suggested, you can use LDAP. The big thing is the user data.
I don't know if Outlook does this. But, using Mozilla I was able to copy from one account to another by just highlighting all of the messages and then right clicking and doing a copy to.
My suggestion is to set up the new box with sendmail, IMAP and LDAP enabled. Set up IMAP on the Exchange box and give them a mail reader that can do the move. I would think that Outlook would work. Then during the night redirect all incoming e-mail to the new box. Turn off sending e-mail and receiving e-mail on Exchange if it can be done.
One possibility is to set up a front line box and have it redirect mail for only certain users so that you can do a few users at a time. You may have to do some hand holding for them to move their e-mail.
Just a suggestion.
Just a thought. Why don't you use PostgreSQL or MySQL, dump only the needed data into a database and use the ODBC drivers to pull it into your ID printer?
I've used Access to dump data from a FoxPro database (Wind2 FMS) into a PostgreSQL database so that users could do reports. All you would need to do is to use some perl/java/etc to dump the data from your LDAP source into your database. Then use the ODBC drivers to pull data into the ID app. It's kind of a kludge, but it should work with no problems, though not as nice as being able to pull them in directly.
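One way to implement the LDAP-to-database step the comment sketches, as an added example rather than the poster's own setup: the script below reads an LDIF export (the format ldapsearch produces, used here instead of a live LDAP connection), copies only the attributes the ID application needs into SQLite, and leaves everything else, including userPassword hashes, out of the intermediate database. The LDIF records, the attribute list and the table name are constructed for the example.

```python
"""Dump selected LDAP attributes from an LDIF export into SQLite.

Added example, not the original poster's code. The LDIF text, the
people in it and the WANTED attribute list are constructed for the demo.
"""
import base64
import sqlite3

# Constructed sample export; names, numbers and the password hash are made up.
SAMPLE_LDIF = """\
dn: uid=jdoe,ou=people,dc=example,dc=edu
objectClass: inetOrgPerson
uid: jdoe
cn: Jane Doe
employeeNumber: 1001
userPassword: {SSHA}bm90LWEtcmVhbC1oYXNo
mail: jdoe@example.edu

dn: uid=rroe,ou=people,dc=example,dc=edu
objectClass: inetOrgPerson
uid: rroe
cn:: UmljaGFyZCBSb2U=
employeeNumber: 1002
mail: rroe@example.edu
"""

# Only these attributes are copied into the database; everything else is dropped.
WANTED = ("uid", "cn", "employeeNumber")


def parse_ldif(text):
    """Return one dict per LDIF entry, handling folded lines and base64 values."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # folded continuation of the previous line
        else:
            lines.append(raw)
    entries, current = [], {}
    for line in lines + [""]:            # trailing "" flushes the last entry
        if line == "":
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue
        if value.startswith(":"):        # "attr:: <base64>" form
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        current.setdefault(name, []).append(value)
    return entries


def load(entries, conn):
    """Create the table and insert only the whitelisted attributes."""
    conn.execute(
        "CREATE TABLE IF NOT EXISTS people "
        "(uid TEXT PRIMARY KEY, cn TEXT, employee_number TEXT)")
    for entry in entries:
        row = [entry.get(attr, [None])[0] for attr in WANTED]
        conn.execute("INSERT OR REPLACE INTO people VALUES (?, ?, ?)", row)
    conn.commit()


def export_rows(ldif_text):
    """Parse, load into an in-memory SQLite database and read back the table."""
    conn = sqlite3.connect(":memory:")
    load(parse_ldif(ldif_text), conn)
    rows = conn.execute(
        "SELECT uid, cn, employee_number FROM people ORDER BY uid").fetchall()
    columns = [col[1] for col in conn.execute("PRAGMA table_info(people)")]
    conn.close()
    return rows, columns


if __name__ == "__main__":
    for row in export_rows(SAMPLE_LDIF)[0]:
        print(row)
```

Whitelisting attributes rather than dumping whole entries is the part worth keeping: the intermediate database typically ends up on a box with looser access controls than the directory, so it should hold nothing the ID printer does not need.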
This happened to my wife. The person used her hotmail address as the From. They included a link to a webpage where you could buy stun guns etc. I contacted the abuse people there and they removed the website.
It seems to me that a better solution would be to install a logging device in the keyboard itself. While it would not be as convenient as a piece of software that could send its data capture back to the FBI via the Internet, I would think that it would be harder to detect.
In theory the FBI dressed as cleaning people (or however they enter someone's home) would go in to the office (home) in the evening and install it. Periodically they would go back in, attach it to a data extractor box that has a PS/2 port and download the data.
With this method, you wouldn't have to worry about someone finding your software, hacking it and telling the world about it. Of course, there is the periodic re-entry. You might be able to rig up a transmission system, but then someone that sweeps for radio waves could detect it. Then again, the keyboard might go bad and then they throw it away. That might be a good way to get your data back. Just set the device to disable the keyboard and retrieve it.
Only tricky thing is that most people love their keyboards. You mess with their keyboards and they know. If there is much difference in the weight, then they probably would notice.
Another option would be to wrap a device around the keyboard cable that picks up the RF given off, sorta like a TEMPEST device. Maybe it would magnify the signals and people outside could just pick it up and record it that way. The only time it kicks in is when the computer is on, and anyone sweeping for radio frequency might just think that it's additional noise from the machine.
This is all just hypothetical though and I don't know what I'm talking about.
Later
James
Why not make up a new award and give it to companies, individuals and politicians? This new award would reward those Americans who have done the most to prevent basic human rights and freedoms abroad.
In this case, if an American company gets the contract they would get the business category award. We could call it the "Americans Helping Others to Step on Their Citizens." I'm sure that there's someone out there though that could think up a better name.
James
Slashdot discussion about Mitnick's efforts to get back his data and the gov't refusal because they couldn't crack the encryption.
James
Sorry, I must not have been clear in my first sentence. I was in a hurry. This is the key part. I've included my mistakes in wording as well "how could the U.S. possibly sign this since the treaty?" I should have removed the "this since". The U.S. couldn't sign on to this treaty and then enact legislation to force citizens to testify against themselves. It may go to court, but hopefully the court wouldn't uphold it.
That sentence was the whole point. The 5th amendment does only apply in the U.S. I was responding to "The U.S. may well sign this treaty - we've participated in the drafting process."
Of course, since those from the U.S. that are participating know that they would be circumventing the 5th amendment, they are probably using the E.U. to further their own cause. It would be in the U.S.'s best interest, as you have noted, to have the E.U. pass this and force the participating countries to enact legislation. This sort of applies to not only what you were describing, but the U.S. could apply pressure to these countries to get the keys of its citizens to further its own law enforcement efforts abroad. I'm sure that this would prove useful in the terrorist situations but in others as well.
James
P.S. I think that it's naivety. I don't care cause I can't spell either.
If it is true that the treaty forces countries to create legislation that makes it illegal to not provide keys on demand, how could the U.S. possibly sign this since the treaty? The 5th amendment prevents the gov't from forcing a person to testify against themselves. I believe that Mitnick used the 5th amend. to keep his encryption keys secret. I think that it was even discussed on slashdot a while back too.
"nor shall be compelled in any criminal case to be a witness against himself"
James
P.S. Does the search feature for stories even work anymore?
Why don't the local communities get together and form a co-op? The school system would take the lead on this since they would benefit first, but the rest of the members would benefit.
If your system is anything like where I grew up, we had small schools for each of the communities. Why not take a room from each of the schools and turn it into the local POP for the service. If you've got a line of sight from each of the schools or could get access to a point where you could relay it, then you wouldn't have to worry about using T1s to connect each of the locations.
The co-op would sell access to the Internet and since they're the only game in town there's no competition.
The school system would get a deep discount since they're providing the space and power. But, set up a non-profit to run it and make them responsible.
Of course there'll be some interesting political hurdles to jump but hey, that's what makes life so great.
If you live in Virginia there is a state program to get deep discounts called Virginia Link. They did have some really nice pricing on T1s and installation.
James
Having the local community install the fiber and provide access to it may be the only answer for a lot of people. It is extremely hard to get people to invest money in small areas where there is a small population center. This problem should be viewed as an infrastructure problem. You can't attract industries without the proper infrastructure in place. More and more this means that not having broadband access will probably hurt your chances of attracting businesses, especially high tech.
Just like the local community usually provides water, sewer, garbage, police, etc services, if they can't get industry to do it, then they'll have to provide broadband. Unfortunately, the state of Virginia passed a law making it illegal for city or county gov'ts to provide telecommunication services. The city of Bristol, Va, took this to court and won. They are planning on rolling out a fiber network that would serve the city.
Another community nearby, Abingdon, Va, has had fiber down their main street for a few years. The city provides the fiber and a connection while a local ISP, NetAccess, provides the bandwidth and manages the billing. (Congressman Boucher lives here by the way.)
I went to look at a friend's computer who had a GeForce2 DDR in his HP. He had the same problem. The heatsink/fan had actually broken off of the card. It apparently got so hot that it messed up some of the video logic. It would put lines across the screen. He was able to use it until he got a new one. He ended up buying a GeForce3.
The thing is that an HP sales rep called asking if he wanted to extend his warranty about 2 weeks before he started having problems. He decided not to take them up on it.
I was able to pick a Cimmaron, Kansas radio station in Big Stone Gap Virginia about 6 weeks ago.
The system that you describe sounds really nice, but it still doesn't deal with the intruder that replaces your authentication mechanism with one of their own. Your method of distributing parts of the account information to multiple machines would prevent someone that is listening near one of the authenticators from getting all of the info. Why would they go to all of that trouble when they could compromise one machine on the network? After you compromise the machine, all you need to do is write a program that will pass I/O between the user and the other parts of the system.
This is why they say that "security is a process." You could have the coolest, geewhiz, unbreakable cryptosystem in the world. But, if someone put a sniffer between your keyboard and computer, what good is it?
My guess is that this is what happened here. Someone compromised the system and had the ability to change the authentication systems.
I would've thought that something like Tripwire would have been used to check for possible changes in the system. Nothing is infallible though and that is the most important thing to keep in mind.
Besides, for a site that hosts ~21,000 projects and has ~180,000 users, I think that it's pretty amazing that it hasn't happened sooner.
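The comment above wishes a Tripwire-style check had caught the change. As an added illustration (not the poster's code, and not Tripwire itself), the Python below shows the core of such a check: fingerprint each file by content digest, size and permission bits, store that as a baseline, and diff the live tree against it later. The directory layout and file contents are constructed for the demo; the paths `bin/login` and `etc/pam.conf` are assumptions, not paths taken from the page.

```python
"""Tripwire-style file integrity check (added example, not the poster's code).

Fingerprint every regular file under a root (SHA-256, size, mode bits),
keep that as a baseline, and later diff the live tree against it.
The files below are constructed in a temporary directory for the demo;
the paths bin/login and etc/pam.conf are assumptions, not from the page.
"""
import hashlib
import json
import os
import stat
import tempfile


def fingerprint(path):
    """Attributes pinned for one file: content digest, size and permission bits."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    st = os.stat(path)
    return {"sha256": digest.hexdigest(), "size": st.st_size,
            "mode": stat.S_IMODE(st.st_mode)}


def build_baseline(root):
    """Map each regular file (relative path) under root to its fingerprint."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.isfile(full) and not os.path.islink(full):
                baseline[os.path.relpath(full, root)] = fingerprint(full)
    return baseline


def compare(baseline, current):
    """Diff two baselines into sorted lists of added, removed and modified paths."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in set(baseline) & set(current)
                      if baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def demo():
    """Constructed scenario: record a baseline, alter the tree, report the diff."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        os.makedirs(os.path.join(root, "etc"))
        login = os.path.join(root, "bin", "login")
        pam = os.path.join(root, "etc", "pam.conf")
        with open(login, "wb") as fh:
            fh.write(b"\x7fELF original login")       # 19 bytes
        os.chmod(login, 0o755)
        with open(pam, "w") as fh:
            fh.write("login auth required pam_unix.so\n")
        os.chmod(pam, 0o600)

        # The baseline would normally live on read-only media or another host.
        stored = json.dumps(build_baseline(root), sort_keys=True)

        # Changes to detect: login swapped for a same-size file (size alone would
        # not notice), pam.conf made world-readable, and a new file appearing.
        with open(login, "wb") as fh:
            fh.write(b"\x7fELF replaced login")       # also 19 bytes
        os.chmod(pam, 0o644)
        with open(os.path.join(root, "bin", "extra"), "w") as fh:
            fh.write("unexpected\n")

        return compare(json.loads(stored), build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

`bin/login` is replaced by a file of the same size, so a size or timestamp check alone would have missed it and only the digest catches it; the `etc/pam.conf` change is a permission change that shows up because mode bits are part of the fingerprint. The baseline is only as trustworthy as its storage: an intruder who can rewrite authentication code on the host can also rewrite a baseline left beside it, which is why it belongs on read-only media or another machine.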
2001-03-26 20:26:00
Yeeee Haaahhh
Just a few requests: