I'd be curious if the injected traffic has to be on the targetted site... I wonder if the approach is to inject the javascript on some non-encrypted page and use it to load the encrypted known text.
So I walked into an office depot the other day. I wanted to buy a USB extension cable. I looked on the shelf and the price was high for a short cable. I grabbed something else I needed and ordered the cable from newegg on my phone while I waited in the check out line.
Tools like Amazon's UPC scanner are greatly helpful. Google goggles as well. As OP said though, unless you're LaForge, the ARoverlay is more cumbersome than it's worth.
This just sucks all around. I feel for Hastings. Netflix started to get big and the content companies, (scared of another iTunes), started to rachet up content prices. His response was to jack up consumer cost which reminded people they had netflix and promptly cancelled it.
That said, this solution is terrible. I have 2 disks + bluray + streaming. I honestly might have kept it. I like getting movies on bluray. I almost LIVE off of netflix movies. However, amazon prime is looking a LOT nicer now. I'd probably get hulu too if I didn't know that it would be putting money directly in the pockets of the people who screwed netflix. I don't want to reward them for their actions.
Find some place that collects e-waste in a business-heavy area (or military area). You can usually find racks for cheap.
Since there have been a lot of rack mount suggestions, I might throw in my personal experience. I bought got a half-height portable rack for $500 a few years ago. I put it in a closet with a free-standing portable AC unit ($400) and vented it into the dryer vent. (If you lack dryer vents, a closet with a window will do fine. I'd recommend talking to building maintenance to see make sure the rack and the AC unit can power off the same circuit, but otherwise you should be fine.
I also created a small lab (about 25 laptop hosts and 12 pieces of network equipment. It ran free-standing in a room with no modifications for cooling/electricity. At the size you're talking, I wouldn't worry about heat/power.
Apple's fundamental problem is that they don't know how to MANAGE security. They don't know how to communicate. They don't know how to be up-front and honest about what they're doing. They don't know how to set clear expectations. Microsoft learned this a long time ago. (Incidentally, Linus won a pwnie for his silent patching a few years back I think.)
Sounds like a great fing idea. Payment systems have manditory controls. Health systems have manditory controls. Government systems have manditory controls. SCADA systems have defined controls. the CA system is so important, they clearly should be following some controls (NIST's are pretty good) and be demonstrating compliance as a prerequisite to having their certs included in browsers. Also, as painful as it is (and even though Moxie suggested it couldn't practically be done), the browsers should either completely pull or at least warn (similar to self-signed certs) of any cert signed by a CA who hasn't demosntrated compliance.
And as compliance != security, regular operational security audits should be required. I don't want to trust a CA that can't prove they can detect, react and recover from attacks.
I assume someone has already pointed out that the mac mini's problem isn't active cooling but too small of fans (a mistake I"ve made before as well).
What I'd suggest is longer cables. Specifically, I normally put my TV-connected computers in a different room and just run a USB cable and HDMI cable to them. If your cables can't reach, for $50 you can extend HDMI over 2 cat-6 cables. You can also get self-powered USB repeater cables which can let you extend USB out pretty far. Then your computer can be as big, loud, and ugly as you want. At your entertainment center all you have is a USB hub (with a USB sound card and bluetooth receiver) and the cable going to your TV.
The only people who can truely make this happen are the major browser vendors. Until the built in ability to use convergence and direct DNSSEC retrieval of certs along with the CA chain into their browsers, this won't take off. However, it would be very easy to have the CA chain internally as well as the DNSSEC trust chain (and simple self-signed certs) and then use convergence to double-check them. Most users would never know what was going on. Advanced and security concious users could go and actually adjust their trust relationships as they wished. All it would take is one or two of the browser vendors to implement (similar to do-not-track cookies but actually useful) to get the rest to join in.
Moxie's talk as well as the blog post he wrote mid-summer explain the issue with DNS. Your registrars are the same as (verisign) or worse than (godaddy) your CAs.
I don't think that's true. In the talk, Moxie points out that you could have a notary which checks perspective, one that checks the SSL observatory, one that checks DNSSEC, and one that checks CA signatures. It is unlikely a spoofed website could fool all of these. If it did not, (including if all notaries agree on the legit cert), you'd be encrypting your traffic in a way the phishing site would not be able to unencrypt.
Ultimately, all encryption will have to be tracked back to an OS vendor's root certificate. Your actual chain of trust is something like:
Install OS with root cert->install browser signed with OS cert->receive other root certs from signed browser including browser manufacturer's root cert.
Any of the 3 certs (OS, browser, other) can be used to anchor downloading more root certs, preferably for notaries, but they all anchor with the OS cert. A good thing to remember the next time you think about running a chinese operating system.
One of the benefits of Moxie's approach is that you don't have to trust anyone you don't want to. (Granted, you have to trust your OS and browser provider, but since you're running their code, including to validate certificates, you implicitly trust them anyway.)
Not only could they use this to promote "scrolls", Skyrim, and Oblivion. It's also a chance to promote Quake 3 and Rage. You couldn't ASK for a better PR event.
Moxie's point is that, even if you use DNSSEC and SSL, you're still trusting your registrar, the TLD, and ICANN implicitly. If you can't trust all those certificate authorities, why would you trust the DNS hierarchy? I think he's got a great point given how the US Gov's been using DNS to block illegal content.
Personally, I favor a blended economy that phases out CAs. Let DNSSEC + certificate distribution exist. This helps cut CAs out and make certificates accessable to the masses. Next, add on the convergence/perspectives process for retrieving certs. If you are lazy, your browser gets the cert directly only. However, the more you manage your notaries, the more secure your connection becomes. And we can get rid of the CAs.
And this MUST happen. As user endpoints become almost exclusively wireless (cellular, wifi, whatever), the ability to be the man in the middle becomes extremely worrysome. Add to that the fact that apps are communicating flexibly over the internet with little user insight and you have a huge storm brewing. The big companies have no problem getting the certs they need, but what if every single blog you visit has a MitM iframe inserted. What if hackers sit, record network traffic from every app, fuzz it, and then MitM injects into the apps? The answer is you NEED SSL on every connection, period. You can only get that if certs can be securely distributed free which means the CA system HAS TO CHANGE.
This points that the last bastion of security (secure transport layers provided by the transporter) is no longer viable. MITM is apperently practical on most wireless networks, even the adnvaced cellular ones. In that case, you MUST authenticate every location every app goes to. This means EVERYONE needs certs. I wish there was more info on Moxie's new tool because it may be an absolute necessity in the very near future. (Unless the CAs are going to start giving out free certs.)
It seems that, while android can be encrypted, it's typically irrelevant since the system is always on. To deal with that, could you run a second environment? I see it's common to run linux chrooted on android. Could you do something similar, except the second environment is encrypted when not running? This way, quick but unsecure information is immediately available. Sensitive information is slower to access but is secured?
And so that you didn't have to regularly encrypt/decrypt the secure environment, could you use a bluetooth dongle to authenticate as well as signal when the environment should remain decrypted? When it's near, the unsecure environment knows to keep the secure environment decrypted. When the bluetooth system disassociates, the unsecure environment encrypts the secure environment. When the bluetooth dongle comes back, you push a button on the dongle and it provides the decryption key to the unsecure environment.
I see the researchers pointing out that the public key information can be agregated and visualized. However, bitcoin's anonymity lies in a lack of connection between public key and flesh and blood person. If the person keeps that tie anonymous, they stay anonymous. This is all implicit in the system as well as obvious.
He can say what he wants. I just bought Oblivion 5 year edition and a bunch of DLC. I also will hit Skyrim HARD. I like games I can get 'lost' in. However, I do drop out of games that piss me off. (SPOILER ALERT for DA2)
I quit Dragon Age 2 at the very end because my only healer did something very naughty and I had to either keep him (and be able to beat the final battles) or leave him (as I would prefer to do) and have no healer and no hope of making it through. The game basically let me choose between winning and keeping my morals. I kept my morals, screw the game. I don't need to beat it.
Dear US scientists, learn to share. We don't need another Large Hadron Collider.
The US really should accept that it doesn't need one of everything and there is no shame using the resources of other countries rather than duplicating them.
No-one accuses a store with a glass window of being "asleep at the wheel' with respect to security just because they don't have bars in the window. Cyber security's mentality that if you haven't implemented all security features you have somehow invited the attack is simply unfair and removes the mentality of malice from those who are breaking the law. Ultimately, a culture shift to seeing those breaking into websites as common criminals to be dispised needs to happen. High-value targets will always need bars on the windows, but the rest of the internet should be able to get by without an IPS, web app security gateway, etc, etc, etc.
The problem with Meego was never likely to be the OS. Instead it's the same problem Microsoft has, the ecosystem. There simply isn't room for another mobile platform (behind iOS, Android, Win 7 Mobile, blackberry OS, and the less recognized WebOS, Symbian, and QNX). While two years ago, it was ok to just have a great mobile OS, now it is imperitive that the entire software and services ecosystem exist around that OS.
Nokia can't do it. They tried it with Symbian and OVI and failed miserably. Microsoft can do it. The combination of microsoft's OS (which I think will be even more impressive as windows 8 becomes a multi-form factor reality) and nokia's hardware as well as microsoft's money creating the ecosystem will provide a very competitive brand. One I'd expect to take 3rd in the mobile OS wars.
I do lament the loss of Meego though. I want a phone thats also a computer. Meego's promise of true linux on a phone is extremely tempting. Hell, maybe I'll find a meego phone just to be my persnoal computer. As for now, I'll stick to my Epic 4g until I see windows 8 on a phone or a VERY compelling android upgrade.
Slashdot Mirror
I'd be curious if the injected traffic has to be on the targetted site... I wonder if the approach is to inject the javascript on some non-encrypted page and use it to load the encrypted known text.
So I walked into an office depot the other day. I wanted to buy a USB extension cable. I looked on the shelf and the price was high for a short cable. I grabbed something else I needed and ordered the cable from newegg on my phone while I waited in the check out line.
Tools like Amazon's UPC scanner are greatly helpful. Google goggles as well. As OP said though, unless you're LaForge, the ARoverlay is more cumbersome than it's worth.
They do it because the company that makes the dental floss pays them to. It's advertising, not a luxury.
This just sucks all around. I feel for Hastings. Netflix started to get big and the content companies, (scared of another iTunes), started to rachet up content prices. His response was to jack up consumer cost which reminded people they had netflix and promptly cancelled it.
That said, this solution is terrible. I have 2 disks + bluray + streaming. I honestly might have kept it. I like getting movies on bluray. I almost LIVE off of netflix movies. However, amazon prime is looking a LOT nicer now. I'd probably get hulu too if I didn't know that it would be putting money directly in the pockets of the people who screwed netflix. I don't want to reward them for their actions.
Find some place that collects e-waste in a business-heavy area (or military area). You can usually find racks for cheap.
Since there have been a lot of rack mount suggestions, I might throw in my personal experience. I bought got a half-height portable rack for $500 a few years ago. I put it in a closet with a free-standing portable AC unit ($400) and vented it into the dryer vent. (If you lack dryer vents, a closet with a window will do fine. I'd recommend talking to building maintenance to see make sure the rack and the AC unit can power off the same circuit, but otherwise you should be fine.
I also created a small lab (about 25 laptop hosts and 12 pieces of network equipment. It ran free-standing in a room with no modifications for cooling/electricity. At the size you're talking, I wouldn't worry about heat/power.
There is one very reliable "counter-Jammer".
Apple's fundamental problem is that they don't know how to MANAGE security. They don't know how to communicate. They don't know how to be up-front and honest about what they're doing. They don't know how to set clear expectations. Microsoft learned this a long time ago. (Incidentally, Linus won a pwnie for his silent patching a few years back I think.)
As for CAs that don't comply, simply put all their certs in a bucket along with self certs. They can still be used, but your computer will warn you.
Sounds like a great fing idea. Payment systems have manditory controls. Health systems have manditory controls. Government systems have manditory controls. SCADA systems have defined controls. the CA system is so important, they clearly should be following some controls (NIST's are pretty good) and be demonstrating compliance as a prerequisite to having their certs included in browsers. Also, as painful as it is (and even though Moxie suggested it couldn't practically be done), the browsers should either completely pull or at least warn (similar to self-signed certs) of any cert signed by a CA who hasn't demosntrated compliance.
And as compliance != security, regular operational security audits should be required. I don't want to trust a CA that can't prove they can detect, react and recover from attacks.
I assume someone has already pointed out that the mac mini's problem isn't active cooling but too small of fans (a mistake I"ve made before as well).
What I'd suggest is longer cables. Specifically, I normally put my TV-connected computers in a different room and just run a USB cable and HDMI cable to them. If your cables can't reach, for $50 you can extend HDMI over 2 cat-6 cables. You can also get self-powered USB repeater cables which can let you extend USB out pretty far. Then your computer can be as big, loud, and ugly as you want. At your entertainment center all you have is a USB hub (with a USB sound card and bluetooth receiver) and the cable going to your TV.
The ball's in your court.
The only people who can truely make this happen are the major browser vendors. Until the built in ability to use convergence and direct DNSSEC retrieval of certs along with the CA chain into their browsers, this won't take off. However, it would be very easy to have the CA chain internally as well as the DNSSEC trust chain (and simple self-signed certs) and then use convergence to double-check them. Most users would never know what was going on. Advanced and security concious users could go and actually adjust their trust relationships as they wished. All it would take is one or two of the browser vendors to implement (similar to do-not-track cookies but actually useful) to get the rest to join in.
Moxie's talk as well as the blog post he wrote mid-summer explain the issue with DNS. Your registrars are the same as (verisign) or worse than (godaddy) your CAs.
I don't think that's true. In the talk, Moxie points out that you could have a notary which checks perspective, one that checks the SSL observatory, one that checks DNSSEC, and one that checks CA signatures. It is unlikely a spoofed website could fool all of these. If it did not, (including if all notaries agree on the legit cert), you'd be encrypting your traffic in a way the phishing site would not be able to unencrypt.
Ultimately, all encryption will have to be tracked back to an OS vendor's root certificate. Your actual chain of trust is something like:
Install OS with root cert->install browser signed with OS cert->receive other root certs from signed browser including browser manufacturer's root cert.
Any of the 3 certs (OS, browser, other) can be used to anchor downloading more root certs, preferably for notaries, but they all anchor with the OS cert. A good thing to remember the next time you think about running a chinese operating system.
One of the benefits of Moxie's approach is that you don't have to trust anyone you don't want to. (Granted, you have to trust your OS and browser provider, but since you're running their code, including to validate certificates, you implicitly trust them anyway.)
I suspect there are far easier ways to kill someone than what they are doing.
Not only could they use this to promote "scrolls", Skyrim, and Oblivion. It's also a chance to promote Quake 3 and Rage. You couldn't ASK for a better PR event.
Moxie's point is that, even if you use DNSSEC and SSL, you're still trusting your registrar, the TLD, and ICANN implicitly. If you can't trust all those certificate authorities, why would you trust the DNS hierarchy? I think he's got a great point given how the US Gov's been using DNS to block illegal content.
Personally, I favor a blended economy that phases out CAs. Let DNSSEC + certificate distribution exist. This helps cut CAs out and make certificates accessable to the masses. Next, add on the convergence/perspectives process for retrieving certs. If you are lazy, your browser gets the cert directly only. However, the more you manage your notaries, the more secure your connection becomes. And we can get rid of the CAs.
And this MUST happen. As user endpoints become almost exclusively wireless (cellular, wifi, whatever), the ability to be the man in the middle becomes extremely worrysome. Add to that the fact that apps are communicating flexibly over the internet with little user insight and you have a huge storm brewing. The big companies have no problem getting the certs they need, but what if every single blog you visit has a MitM iframe inserted. What if hackers sit, record network traffic from every app, fuzz it, and then MitM injects into the apps? The answer is you NEED SSL on every connection, period. You can only get that if certs can be securely distributed free which means the CA system HAS TO CHANGE.
This points that the last bastion of security (secure transport layers provided by the transporter) is no longer viable. MITM is apperently practical on most wireless networks, even the adnvaced cellular ones. In that case, you MUST authenticate every location every app goes to. This means EVERYONE needs certs. I wish there was more info on Moxie's new tool because it may be an absolute necessity in the very near future. (Unless the CAs are going to start giving out free certs.)
It seems that, while android can be encrypted, it's typically irrelevant since the system is always on. To deal with that, could you run a second environment? I see it's common to run linux chrooted on android. Could you do something similar, except the second environment is encrypted when not running? This way, quick but unsecure information is immediately available. Sensitive information is slower to access but is secured?
And so that you didn't have to regularly encrypt/decrypt the secure environment, could you use a bluetooth dongle to authenticate as well as signal when the environment should remain decrypted? When it's near, the unsecure environment knows to keep the secure environment decrypted. When the bluetooth system disassociates, the unsecure environment encrypts the secure environment. When the bluetooth dongle comes back, you push a button on the dongle and it provides the decryption key to the unsecure environment.
I see the researchers pointing out that the public key information can be agregated and visualized. However, bitcoin's anonymity lies in a lack of connection between public key and flesh and blood person. If the person keeps that tie anonymous, they stay anonymous. This is all implicit in the system as well as obvious.
He can say what he wants. I just bought Oblivion 5 year edition and a bunch of DLC. I also will hit Skyrim HARD. I like games I can get 'lost' in. However, I do drop out of games that piss me off.
(SPOILER ALERT for DA2)
I quit Dragon Age 2 at the very end because my only healer did something very naughty and I had to either keep him (and be able to beat the final battles) or leave him (as I would prefer to do) and have no healer and no hope of making it through. The game basically let me choose between winning and keeping my morals. I kept my morals, screw the game. I don't need to beat it.
The US really should accept that it doesn't need one of everything and there is no shame using the resources of other countries rather than duplicating them.
No-one accuses a store with a glass window of being "asleep at the wheel' with respect to security just because they don't have bars in the window. Cyber security's mentality that if you haven't implemented all security features you have somehow invited the attack is simply unfair and removes the mentality of malice from those who are breaking the law. Ultimately, a culture shift to seeing those breaking into websites as common criminals to be dispised needs to happen. High-value targets will always need bars on the windows, but the rest of the internet should be able to get by without an IPS, web app security gateway, etc, etc, etc.
Can someone please provide an appropriate Ocean's 11 joke? This thread is lacking without it.
The problem with Meego was never likely to be the OS. Instead it's the same problem Microsoft has, the ecosystem. There simply isn't room for another mobile platform (behind iOS, Android, Win 7 Mobile, blackberry OS, and the less recognized WebOS, Symbian, and QNX). While two years ago, it was ok to just have a great mobile OS, now it is imperitive that the entire software and services ecosystem exist around that OS.
Nokia can't do it. They tried it with Symbian and OVI and failed miserably. Microsoft can do it. The combination of microsoft's OS (which I think will be even more impressive as windows 8 becomes a multi-form factor reality) and nokia's hardware as well as microsoft's money creating the ecosystem will provide a very competitive brand. One I'd expect to take 3rd in the mobile OS wars.
I do lament the loss of Meego though. I want a phone thats also a computer. Meego's promise of true linux on a phone is extremely tempting. Hell, maybe I'll find a meego phone just to be my persnoal computer. As for now, I'll stick to my Epic 4g until I see windows 8 on a phone or a VERY compelling android upgrade.