Slashdot Mirror


User: ancientt

ancientt's activity in the archive.

Stories: 0
Comments: 703

Comments · 703

  1. Re:Officer dickhead is a dickhead. on Georgia Cop Issues 800 Tickets To Drivers Texting At Red Lights · · Score: 1

    Pity I couldn't see the result of the link without an account. I'm genuinely curious if the officer is issuing invalid tickets. That sounds like a story in itself.

  2. Re:Texting and drving on Georgia Cop Issues 800 Tickets To Drivers Texting At Red Lights · · Score: 1

    Agreed and well said. I'd add on that personally I'm offended that so many people think the cop is the problem for doing his job and enforcing the law.

  3. Re:Push bumpers on Georgia Cop Issues 800 Tickets To Drivers Texting At Red Lights · · Score: 1

    I've long wanted to take a paintball gun to offending motorists. Maybe we can get together and start a newsletter.

  4. Re:Finally! on Georgia Cop Issues 800 Tickets To Drivers Texting At Red Lights · · Score: 1

    Yay! Finally someone gets it... oh, wait, nope, what a let down. See, you started off so good, because yes, a cop should do his job. But then you totally miss the point by going on to talk about why this particular set of laws should be enforced as if the cop should be able to decide which ones he enforces and which ones he ignores.

    Do you really want a country where every cop enforces the laws he likes and ignores the ones he doesn't? Do you even realize that is what you're advocating when you mix your message of applauding a cop for doing his job with your message of how the laws you like are good ones?

    Pick a side people, do you want liberty? Or do you want laws that just make you feel safer?
    Do you want justice? Or do you want cops to enforce the laws they agree with?

    (Yes I know, of course you think anti-texting laws make you feel safer and I know you think they work. But first, I was speaking more generally and second, actual scientific studies on their effectiveness don't necessarily back that up.)

  5. Re:Officer dickhead is a dickhead. on Georgia Cop Issues 800 Tickets To Drivers Texting At Red Lights · · Score: 3, Insightful

    No, enforcing the law is not stupid, having a stupid law is stupid.

    Seriously folks, this is exactly why we have such terrible government at every level. Voters blame the officer who is actually doing his job to follow the law rather than the morons who write and pass bad laws.

  6. Re:Three reasons why this won't work on EU Proposes To Fit Cars With Speed Limiters · · Score: 1

    You unintentionally make a good point. Poster 0111 1110 didn't get into the intention behind causing someone irritation in return for being irritated, but did say "slowpokes don't like it when the tables are turned." It might not have been immediately obvious to you, but another way to put it would be "people who slow down traffic are causing irritation, possibly without realizing it; however, you can help them understand the reason it is irritating by demonstrating to them how it feels by slowing them down the same way they slow other people down."

    The point you unintentionally make is that people who cause irritation to other drivers by behaving in a nonconformist way are probably too dense to understand the object lesson they're being given.

    I suspect further that there is merit to your implied argument that irritating someone who is irritating you probably does little to improve their habits. People who feel frustration with driving are less likely to introspectively examine whether they might be guilty of the same thing, while being much more likely to spread the frustration on to other drivers.

    I've seen exactly that behavior in people I consider courteous and reasonable drivers most of the time. They'll experience rude driving behavior and as it sours their mood, they will then be less inclined to be courteous to other drivers. "Well if nobody is going to let me merge, I'm not going to let anyone merge either."

  7. Re:One Cannot Help But Wonder on NSA Officers Sometimes Spy On Love Interests · · Score: 1

    Because it works. As sad as it is, that's what people want to hear about when they turn on their TV or radio.

    The biggest problem is that it actually makes sense. Do you want to be represented by someone who has proven they're untrustworthy? Do you want to be represented by someone who has admitted they have a history of mental instability?

    It doesn't even matter what her campaign might have looked like because they were playing whack-a-mole. Seriously, that's how they referred to it. Read the article.

  8. The debate is over ______ on NSA Officers Sometimes Spy On Love Interests · · Score: 1

    I agree with quite a bit of your post, and most of the things I disagree with, I believe are rational positions that I can agree somebody reasonable can hold even if I don't. But you led off with the single thing that I take exception to.

    The debate is over what's an effective way to protect our security.

    Sorry. No. That IS NOT what the debate is over.

    The debate is over what right people have to privacy from their government.

  9. Re:Humans on NSA Officers Sometimes Spy On Love Interests · · Score: 1

    shhh

  10. Stop making this way too hard on Ask Slashdot: 4G Networking Advice For Large Outdoor Festival? · · Score: 4, Informative

    The person asking the question thinks the solution to needing to provide Wifi Hotspots is to use cellular based devices and maybe try to find a way to get better 4G coverage.

    You're trying to solve the wrong problem. Using 4G to provide wifi has several drawbacks, first is cost. Second, you can't get the bandwidth you really need, and third, you have to compete with every device there trying to connect to their cellular provider. Provide hotspots with Wifi Routers getting their connections from a wired source instead. Ideally, you'd run wires to your wifi access points but if you can't do that very well in some places, use wifi repeaters.

    If putting wires to the places you need access points is really a serious problem that you can't solve with wifi repeaters, then use microwave. It's not too expensive to set up and it can give you a no-wires high bandwidth internet connection for long distances.

    Since the wrong question was asked, it is hard to provide the right answer, but here are some tips:

  11. Re:WEB hosting isn't expensive on EFF Slams Google Fiber For Banning Servers On Its Network · · Score: 3, Interesting

    Agreed and I'd like to expand on the "test my custom" to "everything."

    At work I run and admin web servers, mostly Apache. I choose Apache because I have the most experience with it and have developed a feeling for how much I can trust various configurations. I don't have that level of experience with Nginx. However, I like Nginx better and feel like it would be better suited to meeting our business needs. So I need to spend a couple years getting better acquainted with Nginx, what can go wrong, how they find and handle security issues, how quickly patches come out, how easy it is to handle stop-gap measures, etc.

    I can only do that somewhat freely at work because there are different restrictions on what I can do with machines at work and what I'm willing to have fail at work. If I can run Nginx at home for a couple years, I don't have those restrictions. It's hardly reasonable to consider my hobby tinkering a business and unreasonable for me to have to upgrade to a business class service just to give me the ability to ensure I understand how to configure the hardware, software and services I am trying to learn.

    I tried FreeBSD for a while at home. I absolutely love some aspects of it. After a couple years, I decided I didn't like the upgrade cycle, but I didn't learn that at work and shouldn't have to. I tried OpenBSD too and discovered some drivers didn't like some of the hardware I was using and that would have been a misuse of my time to discover at work since they don't pay me to play around learning new stuff. I'm a better admin professionally because of my hobby experience at home.

    I too had to ask and answer "what is a server?" I have an old Cisco router, a couple switches and a 1U server with no onboard hard disk. The Ciscos have built in telnet and web server interfaces. Even my wifi router has an onboard web server for configuration. Surely they wouldn't consider the Ciscos and wifi router servers? Of course not. The 1U dell needs a tftp server to function and can run various systems but none of them necessarily have to offer externally available software servers of any sort. That doesn't sound like a server to me either. In the end, I try to keep my homework limited to a couple things I'm tinkering with and not offer anything the general public might be interested in from my home connection and I believe I'm operating within the spirit of the rules. That doesn't stop me from wishing that the rules were actually more clearly established along reasonable lines. As an admin of a network myself, I believe that it is my job to ensure not only that we have clear rules about what is allowed and what isn't but also to ensure that dangerous or abusive use is curtailed by technology, not a "you find out that you broke the rules only after you've gone far enough to be punished" approach.

  12. Re:Not quite the right conclusion... on Federal Judge Declares Bitcoin a Currency · · Score: 1

    Sufficient participation may not be direct control, but knowledge about the participants is certainly some sort of control. If I really believed that Bitcoin represented a better currency than the fiat stuff we have with the dollar, I could almost wish for it to be government supported. I'm not quite that devout.

    I don't disagree with your assessment that the NSA is likely unable to hack into every single computer running every OS. That isn't the end of the story though. I read an article recently that you might find enlightening. It was with a hacker who works for the government. The NSA wasn't actually identified, but I believe that the interviewee who works for an unnamed agency has essentially the same access to tools that they do. (The veracity of the claim is debatable, but the article gives me sufficient information to believe it is likely true.) Assuming that is the case, they have the ability to hack into most computers connected to the Internet, or at least most servers. I doubt they have the manpower and motivation but I don't doubt the capability.

    I like to believe I'm pretty good at security. I use SELinux correctly, keep it current and I set up servers to minimize exposure and I do layered security, but I know what some of the weaknesses I leave are as well. There is software that I run that hasn't had the level of expert peer-review that I wish it did. I don't always have BIOS passwords and I rarely require them to boot and I don't usually encrypt the OS. I understand the vulnerabilities that my choices leave and accept them based on a risk analysis. I make systems that are exposing services to the Internet more secure and segregate them from ones that aren't intended to act as servers. I put anti-virus and firewalls where appropriate and use secure settings on workstations. I try to maintain good physical security. Still, I know enough to know how I'd go about breaking into the systems I set up and I honestly believe that if the NSA decided to, that they could get past my defenses. I don't know if it would be easy for them and I think most hackers would find it extremely difficult. That's what I aim for. I try to make it very likely to be very difficult for most hackers.

    I don't kid myself though. Is there a 0-day for up-to-date OpenSSH? Is there a browser insecurity that would allow privilege escalation from a machine that someone has used to access a compromised website and then used to access a secured system? Has someone I work with done something sufficient to be targeted by an agency willing to sneak into their home and install keyloggers on their machines? Has my company been served a secret order to let them install hardware I didn't see? I don't think so but I can't be absolutely certain. I can think of literally dozens of scenarios where even the best security I can think of could be compromised and I try to think of them so I can determine reasonable defenses, but certainty is not something it gives me.

    All my opinions of the potential value of my systems and what is reasonable security could be completely thrown out of whack if the NSA or a similar agency decides my systems have more value as mining machines than I have assumed.

  13. Re:Not quite the right conclusion... on Federal Judge Declares Bitcoin a Currency · · Score: 1

    I have mod points, and you deserve a mod bump for Funny for that, but I fear that many people wouldn't realize why it is funny.

  14. Re:Not quite the right conclusion... on Federal Judge Declares Bitcoin a Currency · · Score: 1

    I've wondered about this myself. Basically I agree in principle with the idea that Bitcoin is not controlled by the government, but to say it couldn't be? The government has an awful lot of processing power in the computers they do and could control. The NSA has hacks for pretty much every system so they could, if there was sufficient motivation, take sufficient control of enough private computers to add significant but clandestine mining capabilities and active processes to them.

    I'm almost inclined to stop posting at this point at the thought "don't give them any ideas." However, I assume that there are plenty of people smarter than I am who are willing to consider the possibilities that I'm not contributing anything novel.

    So what if, just what if, the NSA was given permission to "attempt to take control of the bitcoin market." Let's consider what would happen if they turned their massive processing power in the machines they control toward mining. Just for kicks, add in the idea that they would clandestinely add bitcoin mining to business and home computers that they hacked into. There would be some indication that massive bitcoin mining was being done, but it would be nearly impossible to know it was being done by the government due to the nature of Bitcoin. Soon enough, the government would own a substantial percentage of the bitcoins on the market, but it doesn't stop there. They could buy a pretty substantial portion of the bitcoins on the market without needing to spend a noticeable percentage of tax revenue.

    Now imagine the government has such control. With their access to information combined with their virtual monopoly on the market, they could identify with some reasonable assurance most transaction parties. So at the end, the government would essentially own and be able to observe details about pretty much all transactions.

    Now, pretend that everything I've described has already happened. What do they need to do in order to start using their power in ways that benefit them? Why, that's easy, start getting Bitcoin recognized as a currency. You have a couple authorities have a quiet word with a judge about the logic and the secret aims of the government, and he sees how his current case can and should help start making Bitcoin part of a government regulated system.

    You'll pardon any spelling and grammar issues I trust, my tinfoil hat was getting a little tight.

  15. Re:stupid on Campaign To Kill CAPTCHA Kicks Off · · Score: 1

    Remembering a couple passwords and using an authentication they already have is more effort? I don't get how you come to that conclusion. They address the problem of having to create a new ID and prove humanness via CAPTCHA, which is rather the point of the discussion.

  16. Re:stupid on Campaign To Kill CAPTCHA Kicks Off · · Score: 1

    They move the authentication process to a few providers rather than hundreds. The few used are more likely to be secure and less likely to need complex authentication each time.

  17. Re:stupid on Campaign To Kill CAPTCHA Kicks Off · · Score: 1

    I prefer to use one or two accounts to having to create a new one for every site I go to, yes. I prefer to trust one or two well designed systems rather than every half-baked cowboy coder, yes. I think that most people don't care much what system they use and are more likely to trust twitter than john's-favorite-blog system. They're also more likely to remember a password to a couple of sites they regularly use than use a complex system to generate new ones for each of the dozen ones they otherwise.

    Plus, with most of those options, I don't have to process a CAPTCHA each time.

  18. Re:stupid on Campaign To Kill CAPTCHA Kicks Off · · Score: 1

    I like it. I hadn't done any quality research, but it is nice to see work done toward making a non-corporate and easier option.

  19. Re:stupid on Campaign To Kill CAPTCHA Kicks Off · · Score: 1

    Twilio. Facebook Connect. Twitter @Anywhere. OAuth. OpenID.

    I wasn't posting that, but it is kinda obvious what some better ideas are.

  20. Re:antiquated system on New, Privacy-Oriented, FOSS Web-mail: Mailpile · · Score: 2

    I have talked about the same goal several times, but any new system must be backwards compatible because there are around 14 million (SWAG) businesses that rely on free SMTP.

    While you're chewing on that, Thunderbird is absolutely critical in that process. Most businesses don't want to think about email, calendaring, and shared address books but they get that with Exchange and Outlook. I've been interested in moving our company off of Exchange for some time but we're addicted to Outlook and need a simple to use replacement with the same features if we're going to stop using it. It's almost a chicken and egg problem, but just recently I have been getting close to a viable replacement on the client side with Thunderbird. As a bonus, it does digital signatures and encryption compatible with Outlook. The downside is the complexity of setup. Sure, I can set it up, but not the average user. I keep trying to find ways to make it easy though because if we can get off Outlook without much pain, we can get off Exchange later as well.

    I don't know the solution yet, but I imagine Mailpile (or roundcube or similar) is part of it. Another piece is going to have to be a ranking system. For the next ten to twenty years, people are going to require the ability to receive messages sent with unauthenticated SMTP, but if you build security ranking into email, you can begin to phase that out by having messages with a trust ranking system. Give +10% for digitally signed messages, +10% for encryption, +20% for a verified sender system, +20% for reputation, +20% for willingness to buy into a pay-per-message system and assign the remaining 20% on factors like how the local email client and associates have handled mail from that sender in the past. You can even make the percentages variable if you have sensible defaults because most people will never change the defaults.

    Sidenote, on the pay-per-message system, you pay 2 cents (or equivalent) per message sent outside your company and receive the same per message received on the same system. One of the historical problems that seemed insurmountable was the problem with the cost of microtransactions being too high. It costs around 30 cents to do an electronic transaction, so anything smaller costs more than it yields, but that's not the case anymore with something like bitcoin and you could do a twice daily cash-out with Coinbase to avoid the pain of volatility. For me that's been the single most important and too often overlooked appeal of crypto-currency. It allows for micro-transactions to be a commercially viable option. You could do it with fractional payments through a traditional bank as well, but none want to handle it when there is still income to be had by having everyone use a system that pays them more.

    I don't really care if it is Thunderbird, Coinbase, Bitcoin and Mailpile, they're just examples of types that I'm using due to my own familiarity. Feel free to substitute alternatives for any of them if it makes more sense for implementation or discussion.

  21. Re:Ummm... on Ubuntuforums.org Hacked · · Score: 1, Flamebait

    My first thought: "Oh crap, that's me." I use a few passwords across multiple sites, basically determining how unique and how complicated by how much I consider a breach a danger and how much I trust the site to keep the password info secure. Generally, I hate forums that build their own password systems rather than using OpenID or Google Sign In or even Facebook login, and don't trust them much. Still, I tend to trust Unix minded people to care about security.

    This means I might have been silly enough to use a password I care to keep secret, so I checked. Nope. Obviously I thought they were idiots to set up their own system and used a password so bad it is obvious that I don't even care if a random guess might get it. I don't use Ubuntu but I have and sometimes I might want to comment in a forum when issues cross distributions.

    I hope others learn from this.. but I don't hold out tremendous hope.

  22. Re:So what? on Google Storing WLAN Passwords In the Clear · · Score: 2

    I'm glad to see a few rational thinkers on this forum, but that's not the end of the story. If the NSA or Chinese government really really wanted to see all you are up to, they wouldn't be trying to decrypt your password. They'd probably just hack into your system because they have 0-day hacks that you can't know about and install a keylogger. If you're really paranoid and you boot from CD and run everything from RAM, they can still install a physical keylogger if they care enough to get physical access. They'd sneak into your office or home and install a keylogger or other monitoring service. If they're really really interested, they'd put a device in your wall or monitor so that they can see what you do as you do it and closed blinds and RAM only OS isn't enough to keep them from getting the info. There could be a device in my monitor and in the keyboard connection and in my mouse connection right now and if they really really care enough to send the very best, I'd have no way of knowing they can see everything my screen shows and everything my keyboard types and every movement my mouse makes.

    What you can do is determine what level of paranoia is justified:

    • Boot only with a password provided to BIOS with password protection for changes and also alarm on case opening - makes the attacker have to have the expense of physical access and expensive parts to see what you're typing or an unusual BIOS hack
    • Use a secure unusual system - makes the attacker have to have a less well tested toolset for breaking into the system with bonus points for a custom port knock system
    • Run your OS from RAM - makes physical snooping practically required
    • Work in a faraday cage - makes the attacker need something complex in order to get a signal sufficient to watch active sessions

    So you have carefully reviewed Slax (OS from RAM) and made some modifications, and your computer is set to boot only from CD and only with a password, and you set it to alarm for an opened case and you put it all inside a closet with a variety of secret alarms and you've made the closet a pretty solid faraday cage. You modified a firefox browser and you only connect to the internet through a VPN to Switzerland and only through a proxy in Romania and you only go to secured sites.. now what? How can this system still be compromised by a determined NSA agent?

    NSA agent does the following:

    • Gives your SSL providers a letter - SSL compromised
    • Breaks into your house and BIOS because they're really good at detecting potential alarms and bypassing them
    • Sets up a keylogger and remote screen monitor
    • Hacks the ISP for the Swiss VPN and substitutes their own proxy for the Romanian one, a feat requiring them to pay one of the proxy guys a couple dozen bitcoins
    • Wait

    The NSA agent now sees everything you do, everything you type and can show you anything they like on your screen.... if they really, really want to.

  23. Re:Apple iOS on Google Storing WLAN Passwords In the Clear · · Score: 1

    Lastpass.

    My passwords are often stored in Lastpass which stores them in a way that they cannot decrypt and only I can. They could change the way it works and I might never know, but I trust them based on how they've handled security issues in the past.

    I can retrieve my passwords, but the company providing the service can't and I like it that way. I always turn off the "remember passwords" options in browsers because I don't trust that it couldn't be reversed by someone who gains physical access to my machine.

    Now if you get physical access to my machine, you will have to boot off of your own media and that means that you'll need to pull the hard drive out or wipe my bios in order to install a keylogger so that you can catch my password as I put it into lastpass. That's a fairly high barrier, but it is a little better than most other methods. You'll also need to know what to target and you can target my KeePass database the same way, but with those specifics, you'll need to be somebody who has really done their homework to get to my passwords.

    If you're after me and you are the NSA, then you can send in a coder and some documents and reprogram the way LastPass works and not tell me. I accept that risk because if you're the NSA, you can also watch my monitor from across the street even after I close my blinds and likely break into about any system I might have so I have little choice but to accept that if they really want to see what I'm doing, they absolutely can. For the script-kiddies though, it is a hard hack. I seriously doubt even the NSA has a chance of getting into my LastPass database so I store it in a cloud service and they're welcome to poke at it as an exercise in futility... if they want me they will have to break into *my* system, not the cloud, not Google and not anybody else. But they're the NSA, if they *want* you, they will get everything they want because what they have the ability to do is awe inspiring. (You hear that guys? I'm not afraid of you, but I am freakin respectful so let's leave my browser history out of it okay? Please?)

    So full circle, Google could say "Pick any of the following systems for backup retrieval: LastPass, KeePass URL, iTunes, Amazon, My Little Backup Pony or None" and optionally encrypt the backups but they probably figured (rightly) that 99.99% of their users wouldn't ever know or care that they were backing up their phones in a way that Google can access all the info on it.

  24. Re:Wifi on Google Storing WLAN Passwords In the Clear · · Score: 1

    I remember when I discovered how PKI works and I was stunned at how many uses there are for it. I am surprised that there isn't already some provision to use it with more things, WIFI included. Ideally each person connecting should get prompted that they need to provide a public key, the phone or tablet or whatever should automatically generate one and then they would be prompted to enter a passphrase for it, then it would be used for that wifi from then on. You could add an "offer to this phone" or "next connection" or "confirm with this code" option to the process to ensure security and you could add a key manager (love Pageant) tool to the mix so that you'd only need to enter your passphrase once per reboot and wifi administrators could disable keys on a per person basis. It is worth noting that Radius servers do something close enough to that already, but who has time to manage a Radius server if it isn't built into the Wifi controls and so far as I can tell, none of the Wifi manufacturers do that.

  25. Re:Works as intended on Google Storing WLAN Passwords In the Clear · · Score: 1

    Good for you for recognizing the obviousness of the situation. There are ways around it; they could have set up a password for your backup that means everything backed up is encrypted, but then you'd need a password you would likely forget by the time you need it, or they could tie it to a requirement that you lock your phone with a PIN/password, but then a lot of people would be frustrated that it wasn't as easy to use their phone if they want a backup. The situation as it is, that you want your system backed up by google and they want to offer it means that there has to be some sort of compromise and they went for the one that would be easiest for the most users.

    I wish they'd given an option, but then I don't worry about my wifi passwords getting out since I treat this wifi stuff as a whole separate domain of insecurity to begin with.