and we all know how hard it is to modify a logfile
This was one reason why I was surprised that Earthlink was allowed to not install Carnivore but instead perform the logging themselves.
I know if I were ever prosecuted with virtual evidence (e-evidence?) I'd do my damnedest to expose all the holes in the chain of gathering that evidence.
Even if Carnivore's in place, its results are only as good as the data it's being sent.
I guess the moral of the story (i.e., the story we should be telling management, the moral we bash them for not understanding) is that a legal solution requires manual intervention for every incident, while a technical solution, even with a higher up-front cost, will counteract each attack automatically.
Computer Security Institute, Ninety percent of survey respondents detect cyber attacks, 273 organizations report $265,589,940 in financial losses (Mar. 22, 2000) [hereinafter CSI Survey]. The report also found that:
Ninety percent of respondents (primarily large corporations and government agencies) detected computer security breaches within the last twelve months . . . [s]eventy-four percent acknowledged financial losses due to computer breaches . . . [and] [f]orty-two percent were willing and/or able to quantify their financial losses. The losses from these 273 respondents totaled $265,589,940 (the average annual total over the last three years was $120,240,180). Id.
Does anyone care to speculate on where these losses would come from? These numbers remind me of the estimated loss valuations given to the "stolen" Ma Bell documents that turned out to be available for free from their web site... (anyone care to furnish a link?)
Anyway, just a nitpick. It's not like I'm gonna read a 54-page legal document. But skipping to the conclusion, we see:
Successful criminal prosecution and civil litigation will require that members of the legal community familiarize themselves with the various hacking techniques to ensure that the perpetrators are tried and convicted under the relevant statutes.... Likewise, members of the business community must understand the serious risks associated with conducting business on-line and their responsibility to the other companies for negligent maintenance of their systems.
So it looks more than a little clued in. Ugh. Maybe I'll print it out for the T ride home. But 54 pages. Man. They need page limits...
with a user number that high, that's what you hope!
:-P
If you give it a wee think, you'll realise that a low user number should correlate quite well with clue.
After all, you lurk for a while before signing up (I know I did), so the guy's been surfing the web for a while.
That said, I'm a little surprised that anyone reading a Linux site for so long could be ignorant of Slackware's tarball format, eh.
whatever, really.
e) Long- or short-term resource flight.
The African countries (and to a lesser extent also parts of Asia) have lost a large part of their resources to "export" over a long time. More dramatic is the case of the former USSR, which saw basically all of its capital flee (into the Swiss bank accounts of shady people who, incidentally, were friends of the people running the capitalisation) overnight.
Once the capital is gone, you are basically in the hole. Any amount of good management (read: government) isn't going to make a difference if you have no resources to manage.
four words:
Distraction by Bruce Sterling.
As is common for BS, he does a bit of a Theodore Sturgeon: great ideas, not-so-great prose (well, I guess I vote with my wallet, own every one he's written, so the prose ain't that bad).
Anyway, apart from literary sniping, I wanted to point out that he introduces the concept of reputation servers. In the book, there are huge gangs of bartering hippies/gypsies/motorcycle gangs. Your status is measured by your reputation. Of course, people move from group to group, so there are these root reputation servers (and two warring protocols, yadda yadda) that allow people to vote on past experiences with others.
So helpful people get instant credibility in new groups, and slackers and layabouts get recognised for that as well. Karma, basically.
Now the karma system sucks because it is the karma system. If Slashdot added the necessary hooks for third-party karma, then I could have the posts sorted according to my CompSci karma list (so that if Knuth ever were to post, he'd come in at +50 odd), while others might have a server that rated good use of hot grits and frightened aspiring actresses in posts. It is easy to envision how to extend the system to make it hard for people to hijack your karma server.
Taken to an extreme, we are almost getting to Firefly. The danger is that extensive user profiling (cue ominous strings) is just what marketers want. But you can design against that if you recognise it as a concern.
Hrm,
The error lies rather with the person who decided to offer the content as a static link, rather than hiding it behind a form forcing you to read and accept the licence. I had rather assumed that Amazon would have taken care of this: pay the dollar, get taken to a dynamic URL to grab the PDF.
Of course, that would have completely ruined the hare-brained scheme of measuring honesty to begin with...
As it is, of course people are going to send the link to their friends, spiders that don't understand/listen to robots.txt will crawl it... complete and utter stupidity. Set up to fail, as Jamie said.
I quite liked the write up, btw.
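The "pay the dollar, get taken to a dynamic URL" idea from the post above, worked through as an added example (this is not code from the post, from Amazon, or from any real download service). The host `example.invalid`, the secret, the purchaser ids and the function names are all assumptions for illustration. The token is an HMAC over the resource, the purchaser and an expiry, so a forwarded or crawled link stops working when it expires, is rejected if any field is tampered with, and is refused on replay once redeemed; the signature check uses a constant-time comparison.

```python
import hashlib
import hmac
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Hypothetical server-side secret. In a real deployment it comes from a secrets
# store and is rotated; it is hardcoded here only so the example runs stand-alone.
SECRET_KEY = b"example-secret-rotate-me"


def sign_download_url(resource, purchaser_id, ttl_seconds, secret=SECRET_KEY, now=None):
    """Return a per-purchase URL that expires ttl_seconds from `now`.

    The token is HMAC-SHA256 over (resource, purchaser, expiry). Changing any
    field, or forging a later expiry, invalidates it, and only the server holds
    `secret`, so whoever receives the link cannot mint a fresh one.
    """
    now = int(time.time()) if now is None else int(now)
    expires = now + int(ttl_seconds)
    msg = f"{resource}|{purchaser_id}|{expires}".encode()
    token = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    query = urlencode({"r": resource, "u": purchaser_id, "e": expires, "t": token})
    return f"https://example.invalid/download?{query}"


class DownloadGate:
    """Verifies signed download URLs and rejects expired, tampered or reused ones."""

    def __init__(self, secret=SECRET_KEY):
        self.secret = secret
        # Tokens already redeemed. In-memory for the example; a real service
        # would persist this so the single-use rule survives restarts.
        self.spent = set()

    def check(self, url, now=None):
        """Return (ok, reason). ok is True only for a fresh, untampered, unexpired link."""
        now = int(time.time()) if now is None else int(now)
        params = parse_qs(urlparse(url).query)
        try:
            resource = params["r"][0]
            purchaser = params["u"][0]
            expires = int(params["e"][0])
            token = params["t"][0]
        except (KeyError, ValueError, IndexError):
            return False, "malformed"
        msg = f"{resource}|{purchaser}|{expires}".encode()
        expected = hmac.new(self.secret, msg, hashlib.sha256).hexdigest()
        # Constant-time compare so response timing does not leak how much of
        # the token matched.
        if not hmac.compare_digest(expected, token):
            return False, "bad signature"
        if now > expires:
            return False, "expired"
        if token in self.spent:
            return False, "already used"
        self.spent.add(token)
        return True, "ok"


def demo():
    """Walk one purchased link through the cases the post worries about."""
    t0 = 1_000_000_000  # constructed clock so the run is reproducible
    gate = DownloadGate()
    url = sign_download_url("ebook.pdf", "buyer-42", ttl_seconds=600, now=t0)
    return {
        "buyer downloads": gate.check(url, now=t0 + 10)[1],
        "friend replays the forwarded link": gate.check(url, now=t0 + 20)[1],
        "purchaser id edited in the URL": gate.check(url.replace("buyer-42", "buyer-43"), now=t0 + 10)[1],
        "spider fetches it hours later": DownloadGate().check(url, now=t0 + 9000)[1],
        "static link with no token": DownloadGate().check("https://example.invalid/download?r=ebook.pdf")[1],
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

The expiry is checked before the replay set on purpose: an expired token is rejected without being stored, so the spent set only grows with links that were actually live.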
And furthermore, there is the serendipity of Dynamo to consider. Dynamo would pay off _very_ handsomely on regular pieces of code, as it could use execution traces to make accurate branch predictions.
You could imagine Intel licensing it from HP to be used in their compilers. An advanced compiler could just enable Dynamo for inner loops. Thus, the irregular code wouldn't get the speed penalty implied by the interpretation, and the compiler could provide valuable hints to the Dynamo system.
Compiler writers, what info would you like to see given to dynamo? Hrm. I've half a mind to ask comp.compilers this.
That's interesting. How did you arrive at this conclusion? I've never seen that sort of comparison done -- I suppose it uses information == entropy?
How would this be affected by reversible computing?
It's not the arms that they object to, but rather the rest of the body.
:-P
Ok, just to verify your credibility, would you detail the computational resources that sort of crack would need? Please give ballpark estimates of how many bits would need to be brute-forced for a 1024-bit RSA / 128-bit 3DES PGP key.
If you could provide (once again, ballpark) numbers on aggregate MIPS available and the time needed to perform the crack, that too would help substantiate the claim.
'Cause I have to be frank here; I'm more than a little sceptical.
I don't see how your points about symmetric and asymmetric encryption support your conclusion about the infeasibility of the NSA breaking PGP (either a possibly flawed implementation or the ideal design).
All they do is rule out brute force and publicly known attacks. It is totally possible (though I would hope not the case) that the NSA has the know-how and resources to significantly compromise PGP.
An unfortunate aspect of PGP is that it features both symmetric and asymmetric technologies. If either one is compromised, the system is broken. Thus we have multiple points of possible attack.
However, I do agree with your conclusion that even should they have the capability, the NSA are constrained by larger issues not to divulge this act for anything less than earth-shaking consequences.
So it is academic whether they can or not, 'cause they wouldn't be able to tell anyone about what they found.
Even more prosaically: DES is effectively cracked, what with the $100K brute-force machine, but AFAIK no law enforcement agency has built one. If they aren't willing to spend a measly 2 man-years in salary for something generally applicable, you have to wonder as to the level of effort they could get the NSA to put in for them.
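The ballpark arithmetic the post above asks for, as an added example that is not part of the thread. It covers exhaustive key search only: a symmetric key of n bits takes 2^(n-1) trials on average, so the expected time is that divided by the aggregate key-test rate, and a Moore's-law style doubling of the rate tells you how many years until a search fits in a year. RSA is attacked by factoring the modulus, not by trying keys, so this calculator deliberately gives no figure for the 1024-bit RSA half of the question. The reference rate of 9e10 keys/s is an assumption chosen to match the order of magnitude of the 1998 EFF DES cracker; the 1.5-year doubling period and the function names are likewise assumptions.

```python
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Assumed aggregate key-test rate: roughly the order of magnitude the 1998 EFF
# DES cracker reached. Swap in whatever hardware you actually want to assume.
DES_CRACKER_KEYS_PER_SECOND = 9e10


def expected_keyspace_trials(key_bits):
    """Expected trials to hit a uniformly random key of key_bits bits.

    On average the key turns up halfway through the space, hence 2^(bits-1).
    Exhaustive search only; says nothing about RSA, which is broken by factoring.
    """
    if key_bits < 1:
        raise ValueError("key_bits must be at least 1")
    return 2 ** (key_bits - 1)


def expected_seconds(key_bits, keys_per_second):
    """Expected wall-clock seconds for a fleet testing keys_per_second in aggregate."""
    if keys_per_second <= 0:
        raise ValueError("keys_per_second must be positive")
    return expected_keyspace_trials(key_bits) / keys_per_second


def expected_days(key_bits, keys_per_second):
    return expected_seconds(key_bits, keys_per_second) / 86400


def expected_years(key_bits, keys_per_second):
    return expected_seconds(key_bits, keys_per_second) / SECONDS_PER_YEAR


def years_until_feasible(key_bits, keys_per_second,
                         target_seconds=SECONDS_PER_YEAR, doubling_years=1.5):
    """Years until the expected search drops to target_seconds, if the key-test
    rate doubles every doubling_years (an assumed Moore's-law style trend).

    Solves 2^(bits-1) / (rate * 2^(t / doubling)) = target for t, clamped at 0
    when the search is already within budget today.
    """
    t = doubling_years * (key_bits - 1 - math.log2(keys_per_second * target_seconds))
    return max(0.0, t)


def summarize(rate=DES_CRACKER_KEYS_PER_SECOND):
    """Ballpark table for the symmetric sizes in the thread at the given rate.

    56 is single DES, 112 is the effective strength of two-key 3DES, 128 is the
    figure the post quotes.
    """
    return {
        bits: {
            "expected_years_now": expected_years(bits, rate),
            "years_until_one_year_search": years_until_feasible(bits, rate),
        }
        for bits in (56, 112, 128)
    }


if __name__ == "__main__":
    for bits, row in summarize().items():
        print(f"{bits:>3}-bit: {row['expected_years_now']:.3g} years at today's rate; "
              f"one-year search in ~{row['years_until_one_year_search']:.0f} years")
```

At the assumed rate the 56-bit search takes a few days, which is why the thread treats DES as cracked, while 128 bits sits at tens of quintillions of years and stays out of reach of exhaustive search for roughly a century even under the doubling assumption. Any real break of a 128-bit cipher has to come from a weakness in the algorithm or the implementation, which is the point the sceptical reply above is making.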
You know, that may be one of the worst logos (the caldera one) I have ever seen. It only now dawned on me that it was a red "c" in a blue globe.
I had always seen it as a blue Mickey Mouse ear on a red globe. This is probably why I have had such a hard time taking them seriously -- I've been getting subliminal messages of "Disney Linux" every time I see it.
we were amused, but out of points. Sorry.
Well, the parody sites make you ask for a particular page to be parodied. If deja had a button on each message that said "linkify post" and another that said "unlinkify post" then that would be fine.
Deja, however, make it very hard to see the original post.
Johan
There is a world of difference between framing user written content with banners and advertising, and modifying that content to include the advertising.
reference, please?
'cause that makes no sense
Ok, I buy that analogy (erm, or is it just a rebadged analogy from somewhere else?).
What is the legality of that, anyway? I know AMG modify mercs, but they never let people think they are buying an AMG (even when they modify it so much it has to be recertified as roadworthy).
I am allowed to slap any logo I want to on a car, but can I sell it w/o disclosing the fact that it was only a rebadged beemer? I think so.
But to keep the analogy accurate, the beemer would have to be free, and BMW make their money by the purchaser entering the showroom.
If I go into the showroom and snag a bunch of cars to rebadge, sure, I am depriving them of income. So their response is just to stop admitting me. They have that right.
It should be easy enough for eBay to recognise and ignore these robots, w/o needing to drag the courts into it. The courts only work in one jurisdiction, which is ludicrously (and lucratively) easy to work around in this case.
This method would require that you type in a password to mount your root/usr/whatever partitions. No password, and the partition is just random junk.
This is already easy to do for most partitions, but not root. What sig11's trying to do is to make a boot sequence that mounts a temporary partition, asks you for the password and then remounts the encrypted root. This is kinda tricky, as it requires you to atomically ('cause you always need a root) swap root partition. I looked into this as well a few months ago, and as far as I could figure, I'd need to hack the kernel to make a swap_root_fs call or something.
Too much hassle. I found an encrypted home-dir package which was a 95% solution for 5% effort.
The real trick in all of these cases is to avoid getting the password swapped out to disk. Encrypting the swap can slow things down a lot.
Now that's really interesting. It seems that real (i.e., transmission by compressive waves in a nitrogen/oxygen mixture) hands-free is the only safe way to go.
Bummer.
Actually, the low-frequency components you are referring to are probably the packets (to the tune of 40 a second on PCS) the phone sends out. Since the transmission time of such a packet is significantly less than 25 ms, a monitor (or speaker or radio) would pick it up as a 40 Hz buzz.
Your theory of it being the speaker is further contradicted by the fact that these emissions are strongest before the phone rings on an incoming call. You've seen this yourself, likely. You know how you can always tell a second before the phone rings 'cause your car radio (if you keep your phone in the unused ashtray like I tend to) starts acting up.
So I suspect you are seeing many high-frequency packets. Mind you, we'll see more of this if the spread-spectrum pulse technology comes around.
Not wanting to be too stupid, but I can't figure out which article you are disagreeing with.
I propose that CN should show nothing but the Powerpuff Girls. I can never figure out when it is on, so I end up turning on the TV at weird hours hoping to catch it. It would make my life much easier if they would only show Bubbles, Buttercup and Blossom over and over and over.
Maybe Dexter for variety. Or what about the Thunderbirds? Yeah! "G'day, Ms. Penelope."
Gotta love it.
I'm confused. I thought that nudity in cartoons was ok (came under the purview of "art" or some other sweeping excuse).
Censoring cartoons is just weird.