Alternately,
https://encrypted.google.com/search?q=c*60ns
the speed of light * 60 nanoseconds = 17.9875475 meters
Beep codes vary depending on the BIOS manufacturer. See http://support.microsoft.com/kb/261186 for an extreme example.
Where would you get the public key from? And how would you know they aren't compromised?
Last I heard, the problem is that when electrodes are implanted in neural tissue, the neural tissue surrounding the electrode dies in a few years.
I think the argument they were making is that the JavaScript security concerns are largely due to the nature of the "untrusted code in a sandbox" model, and the particulars of that sandbox (HTML DOM, cookies, XMLHttpRequest).
Further they asked precisely what you're asking. How can you improve web scripting without throwing out modern browser design? Only they asked in more detail. What security concerns can be addressed without discarding modern browser principles? They are not simple nay-sayers saying it can't be done. They are experts in the field saying it doesn't seem possible, this is why.
My answer is, maybe they are planning to throw it all away, and are building a platform to migrate to. They have a browser with significant market share. They have the initiative and power to change the web scripting model to something a little less hacked together, even if they have to significantly change HTML itself to do it. Of course that's all a wild-assed guess. Maybe they just don't like semicolons.
The thing is, oil prices are incredibly manipulated. You have huge market movers, a coalition of governments forming a near monopoly, people manipulating the supply, and so on. In any other market, high prices (compared to history), and low volume would be a bubble about to pop.
To me, the oil market just doesn't "feel" right, and gas prices don't "feel" right. 6 years ago, there were complaints of price gouging wrt gas stations. Today, every gas station is selling gas for nearly the same price that was considered unethical 6 years ago.
I'm sorry. You're wrong.
1K = 1024 bytes, because of bits for memory addressing and pins and whatnot. It started with memory. It had nothing to do with shift operations. Further, changing KB from 1024 to 1000 increases inaccuracy, as you will never know which standard someone is referring to.
https://secure.wikimedia.org/wikipedia/en/wiki/Binary_prefix
He also claims to 0wn four more 'high-profile' CAs
http://it.slashdot.org/story/11/09/06/1245214/Possible-Diginotar-Hacker-Comes-Forward
You only know this now that you have seen the password... come on. Before a couple days ago you thought this password was a random 256-character sequence.
I assume the only part of my argument you disagreed with is the last paragraph. I would bet he used a similar system for all of his other pass-phrases for any other files he distributed. So, if Mallory managed to get a copy of one of his encrypted files, and managed to see the piece of paper with the key, Mallory would only need to run a very simple and quick dictionary based attack to find the spoken component and actually crack the file.
BTW, /. messed up my Google cut & paste. It should have read "7.6 x 10^13 years".
http://xkcd.com/936/
Password entropy is not intuitive. This is my estimate of the entropy of the password. "ACollectionOfDiplomaticHistorySince_1966_ToThe_PresentDay#"
Capital Letters at the start of every word: 1 bit
10 domain specific words in grammatical context: 6 bits each = 60 bits
Year in recent history: 7 bits
Random no-space or underscore between words: 9 bits
punctuation mark at the end: 4 bits
1+60+7+9+4 = 81 bits of entropy
2^81 / 1000 / 86400 / 365 =
7.6×10^13 years to brute force @ 1000 guesses per second
Length trumps gibberish. It is not a bad pass-phrase.
With all that said, the extra verbal word, "Diplomatic" adds 10 bits of entropy, which is pretty much inconsequential. (6 for the word, 4 for position) It's a privacy lock, pretty much only good for keeping out the curious and people who stumble upon it.
In Florida, homes are theoretically built to survive up to category 3 storms. After that, it's a question of how far you are from the shore, and how far you are from the eye of the storm, and whether or not there was any non-approved construction. Even newer trailer homes are built to survive hurricanes. The eye-wall has the most intense winds, which is followed by an eerie calm for a few hours, followed by some more of the most intense winds. Wind speed dies off rapidly as you get farther away from the eye-wall.
As far as building techniques are concerned, the main thing is windows are required to be "hurricane windows", meaning that they will stop a 10-foot long, 15-pound, wooden 2x4 traveling at 100 miles flying through the air (they break in the process), and have a film on them so that when they break, they don't shatter into small sharpened projectiles. Roofs also have some additional structural support so that they don't get pulled off. (Simpson Ties) And there are some things regarding elevation above sea level.
The states in Irene's path don't build for hurricanes as Florida does. So, in Florida, a cat 2 is something you sleep through, in New York, it can cause some damage.
OTOH, I do agree. Tempest in a teapot. Damage will be severely localized, mostly right next to the shore, particularly at the point it makes landfall. Of course, that is where all of the reporters will put their cameras.
Breaking the law != being immoral. They tend to coincide, but there are plenty of immoral things that are legal, and plenty of illegal things that aren't immoral.
My family bought 3 HP Laptops. 2 of them lost both their power supply and battery very shortly after the warranty expired. The third one lost both power supply and battery during the warranty period, and was repaired under warranty. That third one then had a motherboard failure in warranty, was shipped to HP, and they held on to it for 2 months until the warranty expired, then shipped it back, unfixed.
Of course, these are consumer models, and you said "business".
Increasing key size is not simply a matter of encoding things twice, as there may be an attack where they can take a shortcut, reducing the practical key strength.
Some additional reading:
http://x5.net/faqs/crypto/q61.html
http://x5.net/faqs/crypto/q85.html
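One well-known shortcut of the kind the comment above alludes to is the meet-in-the-middle attack on double encryption: with known plaintext, two 16-bit keys fall to about 2 × 2^16 cipher operations plus a lookup table, not 2^32 trials. This is an added example, not part of the original comment; the toy 16-bit cipher, its constants and the sample keys are constructed for illustration.

```python
# Added illustration: toy 16-bit cipher, constructed for this example only.
MASK = 0xFFFF
MUL = 0x9E37                      # odd, so invertible modulo 2**16
MUL_INV = pow(MUL, -1, 1 << 16)

def rotl(x, r):
    return ((x << r) | (x >> (16 - r))) & MASK

def enc(k, x):
    """Toy keyed permutation on 16-bit blocks (not a real cipher)."""
    for _ in range(3):
        x = rotl(((x ^ k) * MUL) & MASK, 5)
        x = (x + k) & MASK
    return x

def dec(k, y):
    """Inverse of enc: undo each round's steps in reverse order."""
    for _ in range(3):
        y = rotl((y - k) & MASK, 11)      # rotate left 11 == rotate right 5
        y = ((y * MUL_INV) & MASK) ^ k
    return y

def double_enc(k1, k2, x):
    return enc(k2, enc(k1, x))

def meet_in_the_middle(pairs):
    """Recover (k1, k2) candidates from known (plaintext, ciphertext) pairs.

    Returns (candidates, cipher_ops), where cipher_ops counts the two
    16-bit key sweeps, versus 2**32 trials for naive search of both keys.
    """
    (p0, c0), rest = pairs[0], pairs[1:]
    table, ops = {}, 0
    for k1 in range(1 << 16):             # forward half: E_k1(p0)
        table.setdefault(enc(k1, p0), []).append(k1)
        ops += 1
    candidates = []
    for k2 in range(1 << 16):             # backward half: D_k2(c0)
        ops += 1
        for k1 in table.get(dec(k2, c0), ()):
            if all(double_enc(k1, k2, p) == c for p, c in rest):
                candidates.append((k1, k2))
    return candidates, ops

if __name__ == "__main__":
    k1, k2 = 0xBEEF, 0x1234               # constructed sample keys
    pairs = [(p, double_enc(k1, k2, p)) for p in (0x0001, 0x4242, 0xA5A5)]
    found, ops = meet_in_the_middle(pairs)
    print((k1, k2) in found, ops, "ops vs", 1 << 32)
```

The same reasoning is why doubling a cipher's key material this way adds roughly one bit of strength against a known-plaintext attacker, at the cost of a table with one entry per first-key guess.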
The NSA called. They deny that any such data center exists.
Ah, you must live in California.
To be fair, Microsoft hasn't attacked with patents either. Although they have used patents in proxy fights, advertising/PR, and in counter-attacks, I haven't seen them sue anyone directly without provocation.
The premise is that if you have access to the keychain, you can decrypt the stored passwords. The keychain is, as you say, just another layer of security. It adds complexity to the system, making it harder to get the password back out, but it doesn't add any security; if someone has access to the keychain, it only requires a token amount of additional effort to acquire the password.
"Secrets are fragile; once they're lost, they're lost forever. Security that relies on secrecy is also fragile; once secrecy is lost there's no way to recover security. Trying to base security on secrecy is simply bad design."
Bruce Schneier
The thing is, they are not picking targets and then hacking them, rather they are mass scanning to see what is vulnerable then picking through the list to find stuff they find interesting. With that said, you would expect a military organization not to be the "low hanging fruit".
I have to agree regarding staying away from hardware RAID. We even saw the same model number, same part number have completely different firmware, hardware and driver.
It can be done. Give each person a code that they can later use to check that their vote was counted, e.g. "Thank you for your vote, your verification code is F00FC7C8". The user then looks the code up in the newspaper the next day, and can see that code F00FC7C8 voted for ... at time ...
This system has some other flaws, specifically regarding vote selling, but it is secret and verifiable.
My mistake, I missed the part about TPM. However, in this case, BitLocker doesn't add to security, as TPM by itself would protect you from an MBR threat.
Not necessarily. The way a typical virus like this works is that it copies the original MBR somewhere (usually at the tail end of the HDD) and calls the original MBR after it installs itself.
If you boot into the repair tools on the HDD, you have to load the code in the MBR first. Once you load the code in the MBR, you're hosed, as it just rootkits all calls to read and write the MBR.