So when someone breaks into your house, do you have the walls rebuilt from architects' plans, just to make sure that they haven't left any hidden weaknesses in your security?
When someone is charged with breaking and entering, do they have to pay for the rebuilding of the house?
No? So there's no analogy for the same actions done through the use of a computer.
"Another example: people are fine with handing their car keys over when their car needs a service."
With our car (Citroen Xantia), you can allocate a temporary immobiliser-code to the mechanic who repairs your car, then revoke it afterwards: your normal code remains valid throughout.
Nice when people think of security: not many do.
"...allow trained professionals to administer customers' boxes, all included in the price."
I have an idea. How about we give the root access rights and private keys to Microsoft Update, and then the trustworthy people at microsoft trustworthy computing can keep our computers secure.
And yes, I know that "trusted" by definition means a system with the ability to cheat on you.
"Here's the deal. RedHat Linux isn't any more difficult to install than WinXP"
Windows is a right bitch to install. Problem is, most windows users have never installed windows.
"Can't use linux, it's hard to install" people say (it's not) -- have any of them used a copy of windows that the shop didn't install and set up for them?
With XP, there's so much license-signing and registration to do after it's been preinstalled by the shop, that most people will see these configuration screens and assume that it is an installation, and that they managed to install windows by themselves. So then, the actual linux installation gets compared to that. Luckily, a Mandrake installation is as easy as a WinXP configuration, so no problem there, but it's a different perception of things.
"I would rather see ONE good desktop linux package than ten substandard ones."
Mandrake with WindowMaker
That is all. Thank you.
The issue with Flash is not one of security, nor of time; it is one of having to endure animated adverts flashing at every site I go to, were I to be so idiotic as to allow the Flash-player on my machine.
49 uses for an illuminated keyboard
Anyone working in California (UPS required)
Line up a set of them to guide you to the bathroom
To see what you're typing while looking cool in sunglasses in the office
"Asking for permission before DOS'ing someone's site via a link here would at the least be polite."
Okay, this is a free, front-page advert on one of the geeks' largest news sites, to the commercial page of someone who's selling things on the internet that slashdot visitors are likely to be interested in.
On the contrary, I think the site's owner would be overjoyed to see so much traffic, especially as it'll appear on slashdot for a few days now, and some people will even link from their own sites to it (not to mention the google-boost from appearing on slashdot)
This isn't some kid's lego project on a geocities site: this is a commercial internet-mail-order site. They'll be kicking themselves for not preparing for so many customers, but they certainly can't complain.
"This kit would work best with apple keyboards - they are translucent plastic and would let you discern the key legend in the dark."
You've not tried the 'painting your keyboard all blue and not writing the letters back on' trick, have you? Who needs the legends anyway? They're only there to pander to non-typists.
"Lucky it's not microsoft made"
[Keyboard flashes blue-red-blue-red] "You have a special offer to sign up for a pre-approved credit card!" [browser starts up and connects to the internet]
We'd best make it part of palladium, so those pesky hardware hackers can't interfere with it...
(my recommendation for an illuminated desktop is to use an optical mouse; then you get the added advantage of an accurate mouse that you don't need to clean the crap out of, as well as a glowing mouse)
But all I see is keyboards with annoying buttons I press at the [most] inconvenient moment
Yeah, who would be without a "Go to Microsoft's home page" button right where the escape key should be?
Is it just my imagination, or can I really not be bothered to install shockwave flash on this computer to see their photos.
(mutters about these upstart webdesigners with their fancy flashy new animations...) now maybe when mozilla gets the ability to turn Flash on and off on demand, I might be persuaded to install it, rather than using someone else's computer whenever I need to run an insecure plugin...
"The First Amendment's freedom of speech guarantee should apply to individuals, not corporations."
A corporation is legally the same type of entity as an individual (or a married couple) -- it's the context of the speech which is important, not who said it.
If I stand on a soap-box and say that communism sucks, that's 1st amendment (or the equivalent in your country). If I stand on the same soap-box and say "these are genuine gold rings I'm selling", then that's regulated commercial speech (i.e. you face punishment if you can't prove it's true)
Same person, same soap-box, different types of speech. And corporations are the same as individuals, that's why you're allowed to take them to court.
"I would support any other company that makes a sneaker that is as comfortable and lasts as long."
If you were to need real (black leather) shoes, you can almost certainly get ones made by individuals, or very small companies, for not so much more than some of the nike trainers. There's also a lot more manufacturers to choose from, and most of them aren't american.
I presume your question is because you already have 'normal' shoes, and need some trainers for sports? As you say, there's not so much competition in that market, but you can always try internet mail-order. Let the government know that asian sweatshops aren't as american as nike would like you to think they are, and proving the point by importing from reputable countries.
Note: Try to avoid italian shoemakers: they have smaller feet than you!
"You could very easily write a script that uses some way to check for code red... then email the person, all automated."
The most obvious attack that I can see is that I could write to your customers: "Hiya, this is your ISP: we've noticed abnormal traffic, think you have a virus: can you check your system for reg.dat, look at its properties, and if it was changed within the last 36 hours, you need to delete the infected file and download a fresh copy from www.mywebsite.com/downloads/reg.dat"
And don't reply to this with digital signatures and passwords: your typical ISP wouldn't know a PGP signature if you slapped them with one.
Email seems to have declined as a way of communicating. For every serious email, there are a dozen identical-looking fraudulent ones. Try telephoning the infected customers, and agreeing a password in advance.
"No, that is YOUR responsibility, not the ISP's"
It's almost certainly an easier thing for the ISP to do: your implicit assumption that everyone's a BSD-user with 30 years of security experience is not that appropriate when describing people who got a PC for christmas and had to get a friend to show them how to plug the monitor in... and these people do need the net just as much as we do, before we get the élitists flaming back as reply to this.
The ISP will typically be spending more time than is healthy measuring people's bandwidth anyway, even if for nothing better than to check they've not got an uncapped modem. So when someone who typically browses a few web-pages a minute suddenly starts requesting files at 300 per second, it's pretty easy to see they're either testing a spider, or they got infected.
The credit-card companies seem to manage such pattern-matching, although admittedly that's not real-time.
Conversely, the ISPs will need to be smart enough to realise that if someone's playing RavenShield then there's a good reason for them to be pinging the same computer twice a second, and sending unnatural amounts of data. But then, that's not such a hard problem to solve. Neural networks and all that... (says someone who's never had to program a neural network!)
And arguably, it's more useful than the tecchies spending all their waking hours trying to detect connection-sharing, or rogue linux machines on their network.
"Long outages would change the whole thing. Imagine that we couldn't read slashdot for a whole week!"
Yeah, like slashdot.org isn't so hard-coded into your hosts file that if you took out your SIMM you could probably still see it engraved in solder.
Well, the article takes your points on the root DNS reliability, but raises you on the point of other domains (country ones, .com ones, even company ones like *.sony.jp) being more vulnerable because their database is larger and more volatile -- it's an interesting feature that one of the reasons that the .com DNS is less robust is because of reluctance by its operators to share their responsibilities... haven't we been talking about the problems with TLD operators for a few years now?
The other reason given to TLD's vulnerability is that they're so large. Millions of .com domains, but only 200 top-level ones. Again, the technical community realised long ago that significantly increasing the number of top-level domains was necessary, and such a move would solve this DNS bottleneck at the same time.
The only other issue mentioned was rate-limiting, which is a technical solution, and already being operated. As usual, it's the political problems that are harder to work around than the technical ones.
Maybe it's time to remind the department of homeland security just what a weakness ICANN is to american internet availability.
"I sincerely hope that was a joke. Ping is one of the most used, and most effective, ways to test connectivity between places on the internet"
Yeah, we wouldn't want congress hearing that Ping was the terrorist tool used to bring down the internet's most critical servers, would we?
In related news, spinning wheels are now banned on the basis that sleeping beauty's finger was pricked.
Why not buy free software with the vouchers? Hell, you could even go the whole way and buy a FSF or EFF membership with it.
"...and have the box email you when the logs show a drive is about to fail."
Out of interest (sorry if it's offtopic), how do you set up logs to tell you if a hard-disk is about to fail?
"Or if you compress files and lock them with a password"
Takes between a few seconds and an hour or so to crack on a single-processor pentium-3. See the elcomsoft site for details and software.
I presume that's a joke from somebody who knows that they're equal?
But it's pretty cold to sleep out on the ice in, I seem to remember...
The good news is that hard drives are a dollar per gigabyte. The bad news is that you still can't buy hard drives for a dollar.
So where's this moore's law going anyway? I want my 256-node array of 386's for twenty pounds, like the equations say they should cost.
"Tea, Earl Grey, Hot."
"Computer! Get us away from this space-monster!"
"Beep. Computing why the human wants leaves in hot water...."