NAT won't help at all.
Most malware comes through mail, browser vulnerabilities or users that click on everthing without thinking (while logged in as admin of course).
Besides, with forced NAT, people would start complaining that their favourite P2P or online game won't work.
You are probably looking at OS'es from the wrong perspective. My interpretation is that the Win98 percentage is so high because users don't like the hassle of switching their OS.
I guess most "end-users" don't know how they install XP or 2000 except for buying a new computer, so they stick to what they have. (And amazingly there are many win98's out there that run without a flaw)
The credits (or call it "karma") can consist of many things. I'd like to up/download in it because it happens quite often that some users complain that they upload all day but don't manage to get that last percent of a file. So they should be bumped to the top of the queue. Not always, but sometimes and not too often. Hard to say. well. the idea doesn't sound so good anymore.:-/
Talking about trust, look at the usual swapping channels in IRC:
"good guys" are easily identified because they stay longer in the channel, thus gaining trust/fame (whatever you call it). But within an almost anonymous P2P-Network there is no central authority (like chanops in IRC who give +v to good guys). I'd really like to see some kind of web of trust in P2P, but making it unforgeable seems difficult to me. Perhaps some kind of micropaymentsystem: For each byte I download from you, I give you 1 digitally signed credit that raises your possibilities (like better search, skipping queues...) But then we need a central signing authority, otherwise people would do multiple accounts and gain lots of credits by "downloading" from their own machine.
The decentralisation of P2P makes it independent from central servers but at the same time it raises the ability to abuse the system.
One of the problems current P2P-Networks have are "hacked" clients (or add-ons like the eDonkey-Bot). Clients that pretend to meet your quality criteria but don't.
All P2P-Networks so far worked for a while, then the anti-social elements increased bringing the overall network quality down.
Guess why they want to make it a virus. Once it managed to get into one of your computers, it will find a way to infect anything you have contact with. Perhaps it puts a boot-sector virus on any disc you copy, inserts itself as macrovirus in the mail you just copied. Even your Laptop might need a software update some time and then you can't be sure the update is "clean".
For the way out: It could copy the data it collected or integrate it into its virus code, so that it can send your keys whenever it gets a internet (or whatever) connection from another system.
It generally sounds like a good idea, but can you be sure that your disconnected system is "clean" in the first place? Can you be sure that there will never be any possibilty for unwanted data to leak in or out your system? Normally you can't. You'll try very hard to do so, but all it takes is one little glitch (or someone else using your disconnected system) and "they" got you.
There is no defence against a sufficiently funded and determined attacker
I've decided that I'd prefer to make it a little more difficult to prove any bad attitude [jwz.org] really is mine. Granted, there's other ways to try and link email to an individual. But why make it a habit to provide that trail for every mail list post, friendly banter, and interoffice discussion message you fire off?
Ever tried using different email addresses with different keys?
I don't think of signatures as a "trail" for every mail I wrote, but as a mean of authenticating to the recipient of the mail. "on the net" that works quite nice, since most of the time your postings to a mailing list can't be traced to your real identity. But it's a sure way to prevent someone faking your posts. (and thats good even for trivial matters)
But you are right about the unexpected long-term storage of mails. At least it can be a comfort to know that you will be quoted correctly.:-/
OTOH you can always revoke your key and proclaim that it has been compromised.
Last time I bothered to install a Windows version of PGP it automatically tried to upload the newly generated keys to a keyserver. The infrastructure is alive, but it isn't trusted.
You can't trust the average user with key signing since most of them just don't get what it's all about. So you end up with people signing keys just because it stops the annoying "could not verify.." message. That's what ruins the PKI infrastructure.
The idea of a "web of trust" between PGP-keys works only if you can trust that everyone who has signed a key knows what he does. Many don't. Luckily there are trustcenters or other authorities who can sign your keys. But most of them want to be paid, that's what renders them useless for most of the end users since it's too expensive or cumbersome to get a certificate.
The current PGP-PKI may be ruined because of many non-trustable signatures, but that can easily fixed if some trustcenters would issue free or at least cheap signatures for home use. (Wouldn't it be nice to have your PGP-Fingerprint in your passport?)
Using encryption software is a good idea, but it would only be useful if it were widespread and ready to use.
Most of the persons I'm sending mail to aren't using PGP because they don't want to take the effort to install it! And since they don't understand the software (or don't want to) they start sending me their private key (instead of the public one, no joke!) or just sign every key they have because so they get rid of the "invald signature" message.
It always seems the same to me: the good stuff is there, but no one uses it because it's easier the other way. When urging people to use encryption I hear arguments like the alltime favorite "I don't have anything to hide" or "It's too complicated" (Perhaps soon we will hear "It's terrorist stuff")
Using PGP is good, no doubt, but when only the "activists" use it, they are running the risk to be marked as crypto-users with weird ideas of privacy. Surely thats not what we want. We want everyone to be a crypto-user like everyone uses envelopes. Any idea how to accomplish that?
Those convicted of providing "advice or assistance" to cyber crooks, or harboring or concealing a computer intruder, would face the same legal repercussions as an intruder
Does it mean that I could be convicted if I show you how to code in Perl and show you where you can read Bugtraq??
/me 's quite happy not to live in the USA.
Alter the applications when changing the keys!
on
Pyramid Shaped Keyboard
·
· Score: 3, Insightful
Ever thought about that most software was designed for the qwerty-layout? (think about some emacs shortcuts...)
So switching to another layout comes with a double effort: you have to learn new letter positions (for typing) and even more annoying the key-combos (CTRL-C, CTRL-A, CTRL-E...) aren't where they feel right.
The journalist slightly misinterpreted my remarks, and missed the shades
of grey in some of what I said. I did *not* say that I was overwhelmed
with guilt over PGP. I told her about my crying, just as everyone else
I knew had cried over what had happened. I also told her about the
hate mail, and that I "felt bad" that the terrorists may have used PGP.
Indeed I do feel bad about that. But feeling bad about them using it is not
the same as feeling that PGP was a mistake, or that I have changed my principles
about human rights and crypto. I thought I had also made it clear that
I had no regrets about developing PGP. She did not report any individual
facts incorrectly in her article. But I think she connected the dots
in a slightly different way, and seemed to conclude that I was wallowing
in guilt over PGP. I'm sure she meant no harm.
I am still very much aware that PGP was a good thing, and that strong crypto
helps more than hurts. I have been saying that to the press all
week. I just said it again in two more interviews I had before breakfast
this morning, and will continue to say it. It seems I have to say it more
forcefully.
I will prepare a statement on this later today. In the meantime, feel
free to let our colleagues know that I have not gone soft on civil liberties.
Slashdot Mirror
NAT won't help at all. Most malware comes through mail, browser vulnerabilities or users that click on everthing without thinking (while logged in as admin of course). Besides, with forced NAT, people would start complaining that their favourite P2P or online game won't work.
You are probably looking at OS'es from the wrong perspective. My interpretation is that the Win98 percentage is so high because users don't like the hassle of switching their OS.
I guess most "end-users" don't know how they install XP or 2000 except for buying a new computer, so they stick to what they have. (And amazingly there are many win98's out there that run without a flaw)
The credits (or call it "karma") can consist of many things. I'd like to up/download in it because it happens quite often that some users complain that they upload all day but don't manage to get that last percent of a file. So they should be bumped to the top of the queue. Not always, but sometimes and not too often. Hard to say. well. the idea doesn't sound so good anymore. :-/
The usual problem with ratios ;-)
You have to give some initial credit, but then one could simply reinstall the software, and so on.
No. up/download ratio can't be the solution. Perhaps a little part of it, but no more.
Talking about trust, look at the usual swapping channels in IRC:
"good guys" are easily identified because they stay longer in the channel, thus gaining trust/fame (whatever you call it). But within an almost anonymous P2P-Network there is no central authority (like chanops in IRC who give +v to good guys). I'd really like to see some kind of web of trust in P2P, but making it unforgeable seems difficult to me. Perhaps some kind of micropaymentsystem: For each byte I download from you, I give you 1 digitally signed credit that raises your possibilities (like better search, skipping queues...) But then we need a central signing authority, otherwise people would do multiple accounts and gain lots of credits by "downloading" from their own machine.
The decentralisation of P2P makes it independent from central servers but at the same time it raises the ability to abuse the system.
One of the problems current P2P-Networks have are "hacked" clients (or add-ons like the eDonkey-Bot). Clients that pretend to meet your quality criteria but don't. All P2P-Networks so far worked for a while, then the anti-social elements increased bringing the overall network quality down.
The Wondershaper: http://lartc.org/wondershaper/
Works nice for me
- servnix (for the webserver)
- routnix (the router)
- zaehlnix (for the accounting. german "zaehl"=="to count").
- ...
Easy to remember and when the server is down you can always blame it on the name. ("servnix"=="serves nothing")It will not work.
Guess why they want to make it a virus. Once it managed to get into one of your computers, it will find a way to infect anything you have contact with. Perhaps it puts a boot-sector virus on any disc you copy, inserts itself as macrovirus in the mail you just copied. Even your Laptop might need a software update some time and then you can't be sure the update is "clean".
For the way out: It could copy the data it collected or integrate it into its virus code, so that it can send your keys whenever it gets a internet (or whatever) connection from another system.
It generally sounds like a good idea, but can you be sure that your disconnected system is "clean" in the first place? Can you be sure that there will never be any possibilty for unwanted data to leak in or out your system? Normally you can't. You'll try very hard to do so, but all it takes is one little glitch (or someone else using your disconnected system) and "they" got you.
There is no defence against a sufficiently funded and determined attacker
Ever tried using different email addresses with different keys?
I don't think of signatures as a "trail" for every mail I wrote, but as a mean of authenticating to the recipient of the mail. "on the net" that works quite nice, since most of the time your postings to a mailing list can't be traced to your real identity. But it's a sure way to prevent someone faking your posts. (and thats good even for trivial matters)
But you are right about the unexpected long-term storage of mails. At least it can be a comfort to know that you will be quoted correctly.OTOH you can always revoke your key and proclaim that it has been compromised.
Last time I bothered to install a Windows version of PGP it automatically tried to upload the newly generated keys to a keyserver. The infrastructure is alive, but it isn't trusted.
You can't trust the average user with key signing since most of them just don't get what it's all about. So you end up with people signing keys just because it stops the annoying "could not verify.." message. That's what ruins the PKI infrastructure.
The idea of a "web of trust" between PGP-keys works only if you can trust that everyone who has signed a key knows what he does. Many don't. Luckily there are trustcenters or other authorities who can sign your keys. But most of them want to be paid, that's what renders them useless for most of the end users since it's too expensive or cumbersome to get a certificate.
The current PGP-PKI may be ruined because of many non-trustable signatures, but that can easily fixed if some trustcenters would issue free or at least cheap signatures for home use. (Wouldn't it be nice to have your PGP-Fingerprint in your passport?)
In the case of PGP you could use an additional public key, wich belongs to the secret police.
Any message thats being encrypted will be encrypted with the recipients AND the escrowed key.
Software that allows Messages to be encrypted with only the recipients key is outlawed then. (and only outlaws have privacy, oh yeah)
In this case they would surely be better of with simple code phrases over the phone. No need for encryption then.
Using encryption software is a good idea, but it would only be useful if it were widespread and ready to use.
Most of the persons I'm sending mail to aren't using PGP because they don't want to take the effort to install it! And since they don't understand the software (or don't want to) they start sending me their private key (instead of the public one, no joke!) or just sign every key they have because so they get rid of the "invald signature" message.
It always seems the same to me: the good stuff is there, but no one uses it because it's easier the other way. When urging people to use encryption I hear arguments like the alltime favorite "I don't have anything to hide" or "It's too complicated" (Perhaps soon we will hear "It's terrorist stuff")
Using PGP is good, no doubt, but when only the "activists" use it, they are running the risk to be marked as crypto-users with weird ideas of privacy. Surely thats not what we want. We want everyone to be a crypto-user like everyone uses envelopes. Any idea how to accomplish that?
Does it mean that I could be convicted if I show you how to code in Perl and show you where you can read Bugtraq??
Ever thought about that most software was designed for the qwerty-layout? (think about some emacs shortcuts...)
So switching to another layout comes with a double effort: you have to learn new letter positions (for typing) and even more annoying the key-combos (CTRL-C, CTRL-A, CTRL-E...) aren't where they feel right.
From: "Sandy Sandfort" <sandfort@mindspring.com>
To: "Cypherpunks" <cypherpunks@lne.com>
Subject: PHIL ZIMMERMANN
Date: Fri, 21 Sep 2001 11:23:55 -0700
I just wrote Phil about the Washington Post interview. The following is his response:
No. It's a big challenge to the software engineers to make the usage of these machines as simple as possible.