Slashdot Mirror


User: wirelessbuzzers

wirelessbuzzers's activity in the archive.

Stories: 0
Comments: 1,315

Comments · 1,315

  1. Privoxy... on Norton Antivirus 2004 Ad Blocking - Tough Call? · · Score: 1

    This is not new.

    I have Privoxy set up on my Mac. I've configured it to block some well-known ad sites, although ads.osdn.com, along with some other ones that support sites I like, is specifically whitelisted (want /. to be supported).

    More importantly, I have it set to de-animate GIF images. While I don't mind banner ads much, I really hate the ones that flash in lots of colors. Especially the ones about "If this banner is flashing, you've won!" and the jittery fake Windows message boxes. The sites still get paid for the deanimated ads so long as they're not blocked, since they still get sent to my computer anyway.

    I don't care so much about cookie-crunching and the like, but Privoxy also supports them, and it supports custom regexp filters. It's a very nice, fast, free personal proxy and works with any browser that supports proxies.

  2. I'm more of an optimist... on Spammer DDoS-By-Virus On spamhaus.org · · Score: 1

    Fiber is getting so cheap now that local governments or the like will soon be able to run a fair amount of it around cities with tax $$. This will make for cheap and blazing-fast intra-city networks and reasonably fast networking to elsewhere. I think ISPs as such will eventually either die out or be forced to use cheaper connections.

    As for spamming, I think that defensive technology will eventually get the upper hand on this issue. With a change in protocol for mail, possibly to one involving identity-based signatures or something similar, spamming can be drastically reduced. (An identity-based signature is one in which the public key can be computed from the sender's name and the server's public key, and similarly for the private keys. This means you only need to have infrastructure for the servers' keys.)

    Security will probably continue to be an issue, but it can certainly be lessened with better system design. More modular systems and ones with better security models will be produced, and that will reduce the impact of most individual breaches to an acceptable level. For instance, finer-grained access control might obviate the need for a true root account, like in SELinux.

  3. I've already sworn them off... on Symantec Says No To Pro-Gun Sites · · Score: 1

    Symantec's Norton AntiVirus for Mac totally sucks. Harvard recommended it for all students, and I was intending to use it to scan for known trojans and for Word macro viruses. However, it periodically (once a month or so) caused kernel panics (it installs a kext; the first I found out about this kext was from the panic logs), the UI is terrible, and the scanning is ridiculously slow. The automatic updates happen in the foreground and don't close when they're done. Same for automatic scans; the window doesn't even have a close box. It's just not worth it with so few Mac viruses and trojans. Furthermore, the uninstaller doesn't work, so you have to look all over the system for broken pieces.

    When you register with Symantec, they spam you. There is a "spam me" option which is on by default. However, it is not on the registration page (or it wasn't when I registered). Instead, you can change your preferences after you register, and changes take up to 90 days to take effect. So they spammed me (for Windows products) once I registered, but didn't stop after the 90 days. Their unsubscribe links don't work either. I ended up getting rid of their spam by emailing abuse@symantec.com and threatening to report them for lying in their privacy policy.

    Fortunately, Macs come with built-in ipfw, which is a very nice firewall. Basic configuration can be done with system prefs; more advanced config can be done in the shell or with third-party apps.

  4. Re:Time to bet on Memory Hole Un-Redacts Redacted DOJ Memo · · Score: 1

    Too late, slashdotters all over the web will copy the PDF to their archives, just like the Diebold memos...

  5. Re:Sneakiness on Memory Hole Un-Redacts Redacted DOJ Memo · · Score: 5, Interesting

    Yes, but how do we know this wasn't intentional? Maybe the employee in charge of the redacting wanted that part of the memo to get out, so he deliberately redacted improperly.

    This would be a brilliant idea to spread false information. Instead of just publishing false information, write false information into a PDF and cover it with black rectangles. Not only do you have all the conspiracy theorists believing whatever BS you wrote, you also have a defense should anyone find out: it was blacked out, you weren't supposed to read it.

  6. Re:Really? on Slashback: Diebold, Cluster, Radiation · · Score: 1

    Thanks. I've been considering building a mini-fileserver, and a cheap CD ROM drive would be handy.

  7. On Macs too? on Will Google Become Another Netscape? · · Score: 1

    now IE is really the number one browser for Windows and Apple machines (although Safari is coming along nicely on the Apple side)

    I would have to disagree with that statement. I don't know anyone who uses IE on the Mac except as a last resort when a site doesn't render in Safari or perhaps in Camino (Chimera, or whatever they're calling it these days). The fact is, both of these apps have popup-blocking and tabbed browsing, and both of them have more Mac-like interfaces than Internet Explorer. They're also faster, and use less memory. What they principally lack is webmaster attention: everyone makes sure their malformed HTML/CSS and MS-proprietary JavaScript and ActiveX and Flash render right in Explorer, but they don't check Gecko or Safari.

    I expect that Camino will languish or die as its features are basically absorbed into Safari, but my point stands.

  8. Really? on Slashback: Diebold, Cluster, Radiation · · Score: 1

    Can you link me to those stores? I haven't seen such a drive for less than $40.

  9. AMD pumpkin pie recipe on Assorted Bits of Halloween · · Score: 3, Funny

    How to make a nice hot and crispy pumpkin pie:

    Ingredients:
    large pumpkin
    one mini-ITX motherboard.
    200 watts of Power supply.
    2 gigs of disk space
    256 megs of RAM
    2 gigahertz of Athlon
    1 heat sink (large)
    1 tsp heat-transfer jelly
    1 CPU fan
    Linux distribution (to taste)
    Ethernet and power cables

    Directions:
    Mount Athlon on ITX; glaze with heat transfer jelly. Cover with heat sink and fan. Add RAM and disk space, and connect to power supply. Gently stir in Linux of your preferred flavor, paying particular attention to Apache.

    Carve out pumpkin in an artistic design; roast the seeds in the oven for later use. Place computer in case^H^H^H^Hbaking pan, and insert into pumpkin. Connect power and ethernet cables.

    Post to Slashdot and let roast for one hour or until brown around the edges.

    Serves about 50,000.

  10. You bring up an interesting point on Deconstructing the Patriot Act PR Campaign · · Score: 1

    You can quote dead white men all you like, but it doesn't change the fact that in the past two hundred odd years society has changed significantly and a single individual's ability to wreak widespread havoc has been increased million-fold.

    A friend and I had a discussion about this proposition last year; specifically, suppose you have a group of terrorists/whatever and want to kill a lot of people. It doesn't have to be specific ones; random will do. What, then, is the ratio of the number of people you can kill to the number in your organization? And I'm talking more or less average people, perhaps with some moderate funds, not Bill Gates or people with access to nuclear labs.

    We concluded that it was on the order of 10 to 1, with more if you're really lucky or think up a creative new attack, and has been true for a long time. For example:

    Police protection has dramatically increased, especially in response time. You used to be able to get a small group with crude weapons and go on a killing spree; this does not work anymore.

    The organization directly required to finance, find and train suicide bombers, and forge documents for the September 11 attacks may be assumed to be a couple hundred, so this attack also falls into the order of 10:1.

    Even if the Aum nerve-gas attack in the Tokyo subway had worked, it would be hard-pressed to kill ten people for every cult member whose finances and expertise it used.

    The fires in California were started by a handful of arsonists, and killed a couple dozen (will continue to rise?). In the past, about the same would be true: the fire would spread wider but kill fewer due to density.

    The Unabomber only killed 3 people. The Trenchcoat Mafia killed 13 at Columbine; even if they had succeeded in the bombings, they would have only killed a few dozen. Palestinian terrorists typically kill no more than a few dozen in their suicide attacks, and these require several people to coordinate.

    To kill a lot of random people with a high-tech attack, bombs or poison would have to be the way to go, but even with the Anarchist's Cookbook, you'd be hard-pressed to kill very many. The only attack I've been able to find that has far exceeded this killing ratio has been the Oklahoma City bombing, at 168:3 or so. I will assume that this is more or less an outlier: bombings are fairly random, and there have been many carbombings with far less spectacular results, including the recent ones in Iraq.

    There are much worse attacks predicted as a worst-case scenario, but even these, with moderate estimates, can be shown to be about 10:1 or so effective. A nuclear bomb in New York would require a government's cooperation; stealing one would be near-impossible, and if you could buy one on the black market, Osama would have by now. Nerve gas in crop-dusters might work, but it would be terribly hard to pull off, would require a large technical staff (as Aum found out, the stuff isn't easy to make) and a brisk wind would save a city. Poisoning the water supply is much trickier these days than it used to be, and probably wouldn't kill many more people than it used to because they would notice quickly. Starting an epidemic is better understood nowadays, but also much easier to treat and contain.

    So, your point needs some modification. High-tech stuff is not that much more effective at killing people than guns.

    Disclaimer: I'm interested in becoming a security researcher. I don't plan on implementing any of these measures, and any criminal (certainly any terrorist) could probably think of better ones.

  11. Re:speaking of OTPs on Quantum Computing Breakthrough in Japan · · Score: 2, Informative

    The problem with most algorithmic random number generators is that if you can collect enough samples you can figure out what function created those samples, and reproduce the original OTP and decrypt the original message.

    Yes, but with a decent strong pseudo-random number generator, this is equivalent to breaking the crypto algorithm they're based on. Consider even the most basic counter-mode cipher, where output block n is e_k(n), where k is the secret key. Predicting the next output from a bunch of data (other than that it's not one of the ones you've already seen) is equivalent to a known-plaintext attack on the cipher.

    There are ciphers called "stream ciphers" that generate random-looking data from a short key, then you XOR it with your message. RC4 is the best-known one, and many programmers have the (very simple) algorithm memorized. There is no publicly known way to figure out the key from the samples.

    More complex messages would require more complex codes being sent. A CD, or a DVD would potentially provide enough raw space as a code book...

    This is just silly. If you want theoretical unbreakability, you put a one-time pad on the CD. If you want practical unbreakability (as far as anyone knows outside the government), you encrypt the message with a symmetric key, then encrypt the symmetric key with the recipient's public key and send it.

    The longstanding myth was that you could recognize the Russian spy operatives because they always carried around big heavy books. War and Peace might have been long, dull and boring for a reason.

    War and Peace would make a lousy codebook, because anyone can get a copy. Once they guess you're using War and Peace, and how you're using it, the code is broken, so the secret might as well be just the code itself.

  12. Will someone please think of the children? on Quantum Computing Breakthrough in Japan · · Score: 1

    The Japanese are committing genocide in other universes!! They must be stopped!!

  13. Re:Silly Apple stores... on Panther Released into the Wild · · Score: 1

    Right. But the physical Apple Store that I went to refused to give me the discount on Panther, for whatever reason. They said I had to order it online.

  14. Re:If true it sends a signal. No quantum computer on NSA Turns To Commercial Software For Encryption · · Score: 1

    No, it absolutely does not mean that.

    First of all, if the NSA could break this by whatever means, then it would indicate that they think nobody else can.

    Second, it could mean they've broken RSA, and so don't want to use it.

    And quantum computers don't break ECC as far as I know.

  15. 3M does. on Traffic Light Control For The Masses · · Score: 1

    [nt]

  16. Silly Apple stores... on Panther Released into the Wild · · Score: 4, Informative

    ... don't give educational discounts. You have to order online for that. So if you're a student, don't go trucking out to the store... you can't get it for $70 there.

  17. COPYRIGHT VIOLATION on Silicon Artwork · · Score: 1

    You do understand that these images are copyrighted by them, and they explicitly say not to mirror them?

  18. Is the market for diapers that high among eunuchs? on Free-Floating UNIX · · Score: 1

    ...oh, UNIX... Still, point stands...

  19. Disregard that. I'm a dumbass. on SunnComm Says Pointing to Shift Key 'Possible Felony' · · Score: 1

    didn't read the word "own"

  20. Re:Guess Who's To Blame on Spammers Using Hacked Machines as Decoys · · Score: 1

    One thing that Apple does is that when you turn on the service, it unblocks it at the firewall. But the point is that the service must be turned on.

    As for the keychain, I don't know how secure it is. It may be that someone can write an exploit that would look at your keychain and read it. But it is possible to write a program that does protect the user unless the attacker can get root. You make the keyfile readable only by root, and identify programs in some secure way (MD5 or what, but you have to make sure a malicious program can't run, and then replace itself with a link to a trusted app), and if you do it all perfectly, no program can automatically decrypt stuff.

  21. Bad analogy police! on SunnComm Says Pointing to Shift Key 'Possible Felony' · · Score: 1

    This is a bad analogy. Stealing a car is wrong. Illegally copying music is wrong. But I fail to see how it's wrong to point out that for all the shiny electronic locks on some car, it can still be slimjimmed. The thieves almost certainly know that already, and the company's customers have a right to know that the fancy locks don't protect them.

  22. Yay, wrong Linux command! on SunnComm Says Pointing to Shift Key 'Possible Felony' · · Score: 1

    You don't have to cat it, that's what the redirection operators are for. Also, as far as I recall, CDRecord takes the name of the file to record as an argument, not the name of the disk to burn to.

  23. And Apple, and RedHat... on SunnComm Says Pointing to Shift Key 'Possible Felony' · · Score: 1

    Yeah. And Apple, and every Linux distributor, because you can use their software to circumvent it too...

  24. Re:Guess Who's To Blame on Spammers Using Hacked Machines as Decoys · · Score: 1

    I haven't seen anyone use Telnet in a while. People do, however, still transmit sensitive data along non-SSL connections.

    However, here's a solution that I would propose. Make it hard for beginning users to do dangerous things. It can be something as simple as chmod 755. Something that won't bug advanced users too much, but still makes it non-trivial to execute an email attachment unless you know something about your system. Same with setting up personal webservers. Let people make such servers, but limit how much damage they can do to themselves without knowing anything about config files. Don't run as root by default. Don't put services on until people turn them on. Ship with a good firewall. Give a damn about security.

    In terms of sensitive data, a root-owned encryptor that can decrypt messages without making the key available (to non-root anyway, or to non-ring-0), and verifying the applications before allowing it. Something like Keychain, but more advanced. It could be used to encrypt mail, sensitive directories, etc. You'd still have to warn people about sensitive information over the internet, but this would be a step in the right direction.

    Stuff like this is why I use a Mac.

  25. How badly will this break Fink? on Apple Sets Oct. 24th Release For Mac OS X 10.3 · · Score: 1

    I use the UNIX side of things on my Mac as well. I have a lot of software installed through Fink or simply from tarballs, including perl 5.8, QMail, TeTeX, nmap, and a host of minor utilities. I have backups scripted with hfstar (a Mac-enabled version of GNUtar) and cdrecord. I serve HTTP off Apache 2.

    I know that Fink does not yet support Panther. In part this is due to GCC3.3. But how badly will I be screwed if I upgrade? Will I have to wait for Fink to catch up and recompile everything? That would probably add up to days of compiling, even with GCC3.3 (my eMac is hardly top-of-the-line).