I guess plenty of Slashdotters learned a bit about computing from minor cracks - almost everyone has changed a save game file with a text or hex editor. Insecure network shares at your school network. Getting your neighbors' insecure Wifi passwords, someone probably thinks MAC filtering alone is safe. Modifying Flash games to give yourself 2^31 - 1 points on the high score board. Getting root on random poorly secured UNIX terminals in tech expos. Getting into someone else's IIS and read his local files via the canonical path bug many years ago. etc.
Sure it's not healthy if all you do are these minor thing and you keep doing these stuff for years. But it's a good inlet for kids to learn computing nevertheless.
Well, if you happen to be an open source developer, the "FOSS guy" label is much better than "hacker" anyway. None of the confusion, and people still respect you as much.
bosses act the same, they typically ignore your team mates and zero in on you.
This is necessary given your teammates' AI. If the enemies did anything that made sense your teammates would have been dead within 3 seconds for all combats.
At first I was unconvinced as well. An RPG without a complicated system like D&D or SPECIAL?
But after playing it for a few hours, it's still an RPG and it has all the fun of an RPG. The role playing in ME2 is in your conversations and in the cinematic. There're still some leeway for you to optimize (e.g. Geth Pulse Rifle for your squad, upgrades) if you still want to do character optimization.
Btw, unless you're playing on insanity, adept is a lot of fun too.
The politicians can't be bothered with minor problems like the technology lead of the US. So let's just solve it the capitalist way.
Get the financial industry into the game, set up mutual funds and exchange traded funds to support patent trolls, get the investment banks into the game.
Once this gets started, within 6 months all the technology companies in the US will be able to do nothing. Then here's the smartest bit of the plan: the whole tech industry ask White House for a bailout because we've collectively become yet another too big to fail. So we get the money while we sit our asses doing nothing. No more death marches.
The perfect win-win situation! Wall Street wins, Silicon Valley wins!
On the bright side, as China's populace want a better standard of living and become more educated, the corruption and the real reasons for censoring may finally come under the sun and disappear due to popular demand. It's not like the more developed countries started out free of corruption and other types of censoring in the beginning.
But of course, it's just as probable that things can all go the wrong way.
And the irony is.. if you've been a moderately successful pirate, the navies would actually want to hire you, thus eliminating all the problems about job seeking.
The first page says... to get a job, you need to find a vacancy.wow!
The second page says... to get a job, you need to pay attention to the job description.damn! this is awesome!
The third page says... to get a job, you need to submit your CV and wait.holy shit! it never occurred to me that I need to submit a CV!
The fourth page says... to get a job, you need to talk relevant things during the interview.oh noes! I always talk about movies during interviews!
The fifth page says... to get a job, smart casual is a safe choice.This tip is godlike! Most other applicants dress in bikini and that's why they didn't get a job!
If there's a debate on whether this technology can work, it goes like this...
Chuck Norris roundhouse kicked conservation of energy in the nuts, and he charged up his iPhone from his WiFi router's signal in 1 minute, 100 meters away!
If you're getting -70dBm, and Chuck Norris's iPhone is getting -70dBm, Chuck Norris is getting more power than you!
If someone got root on your box via some "sideband" attack as opposed to actually doing it the hard way by decrypting it from whatever hash you put in place - it's still a valid attack with all the practical implications.
So that's what I've been saying all along - you consider the real, practical environment in addition to what the textbooks have to say about SSL. If the MITM can be exposed in the practical environment, then it's not good.
If you're the Chinese government, you aren't just pulling MITM to just one person. You're pulling it off to millions of users, against millions of HTTPS sites, - some of them may have their own organization-specific CA.
So the practical problem for you is, you have to make your MITM attack invisible to the million of users, who're allowed to try to detect you by any means necessary. A website having two different fingerprints with two different access methods is already suspect enough.
The practical implication for a detected MITM attack attempt is, the users who you're really interested in eavesdropping in, would use another communication channel - thus, shooting yourself in the foot.
No. Check my other reply. You still don't have the website's private key, which means your public key is still different, which means your certificate is still different from the original website's - even though it has a valid signature - which means all the problems about being detectable.
Your point doesn't really invalidate anything. If you know the CA's signature, then yes, you can forge another server certificate with a valid CA signature. But the problem is, it is still a different server certificate and thus, detectable - if your group of users have another means to contact the secure website.
The problem with your argument is that, you assume you're just trying to pull MITM on one person with just one set of vulnerable computer configuration. The reality is, this MITM attack has to be pulled upon millions of people without being detected. Plenty of Chinese Internet users have VPNs or "fanqiang" (translated literally, "wall toppling") softwares to get around your router. This is going to make your scheme clearly visible.
I know what you're talking about - see my next response to the same post.
It IS possible to get an SSL website to display with the scheme above. The problem is, it's not perfect. If anybody finds a way to go around your router, then your little scheme is exposed - which means anybody interested in privacy would take additional caution and find a way to go around your router too. Also, does this purported Chinese-operated CA exist in Firefox's list of trusted CAs?
The thing is, if you're trying to pull off a man-in-a-middle attack, you have to make it undetectable. Otherwise, the parties who're really interested in hiding things from you would just find another communications channel, like, Tor.
Ok.. looks like the mods aren't convinced that the parent's method doesn't work in reality. Maybe I should put it in a more layman's language.
So, what the parent proposed is this... you have a router that pretends to be an HTTPS server between you and https://www.bank.com./ So, when you connect to the website, you're actually negotiating an SSL session with the router while the router negotiates another SSL session with www.bank.com.
This sounds all well and dandy.. except, how can the router in between convince your browser that it isn't really the bank's website?
So the parent's argument is... the organization who owns the router, controls the CA who signed www.bank.com's certificate too. However, even this would give you problems...
As I've said, the CA doesn't own www.bank.com's private key - the CA only has its own private key.
The guy with the router still has to generate a different private key for generating the crack certificate - knowing the CA's private key doesn't help here.
And thus, the crack certificate will end up with e different fingerprint.
Add in the fact that you have plenty of people in China who have found ways to bypass the GFW, and that browsers seeing different fingerprints from the same website's certificates would give out red warning screens, your scheme is already not working well.
Next, it's about the CAs themselves. Every major OS and browser comes with a list of trusted CAs. Do you see many Chinese names there? No? And seeing Green Dam's PR disaster - if the Chinese government bothers to "coerce" foreign CAs to give them private keys, you can guess what the response is.
So, the reality is, even the Chinese government has no way of pulling out the already imperfect man-in-the-middle I described above. Yes, they can still give you a website with a different CA and probably with a self-signed cert, but again any sensible browser would jump up and down about it, which is definitely a strong motivator for anyone interested in privacy to somehow get foreign VPN access or simply just go to a Tor-like network.
Next common question... the textbook version of DH can be man-in-the-middled. While it is theoretically possible to MITM basic non-authenticated Diffie-Hellman without touching all the cert related stuff, it's not really practical since anonymous Diffie-Hellman is disabled by most web servers (e.g. the !ADH SSL cipher suite option in default Apache config) and I think most modern browsers wouldn't allow it anyway. What most real web servers do during SSL key exchange these days is either fixed DH or ephemeral DH, which aren't known to be susceptible to MITM unless the authentication in question isn't meaningful (e.g. self-signed certs, again, which is guaranteed to give you browser warnings)
Yeah, try to do some POSTURING in front of any important political monument the next time you go to Beijing, come back and tell us how you were treated by the friendly police officers.
Your theory doesn't sound plausible to me at all. The CAs don't generate private keys for the SSL transaction - HTTPS servers have their own private keys that aren't shared with the CAs. Also, the client generates and negotiates its own private key via the Diffie Hellman protocol with the server before a transaction, which means the real private keys used during transactions shouldn't be known by a router in the middle (with caveats, see next paragraph).
Now, if you've looked up the basics about the Diffie Hellman key exchange protocol, you'll find that it's possible to attack it with a man-in-the-middle. But that only applies if there's no meaningful authentication in the protocol (e.g. the server uses a self-signed cert). HTTPS servers (e.g. Apache) usually come with anonymous Diffie-Hellman disabled these days, so as long as the server's cert is signed by a well known non-Chinese CA (seriously, do you see any Chinese CA in your browser's list?), there should be no known way to man-in-the-middle it without at least invoking security warnings in the browser.
"That's the way God... using copy & paste? If you really think about it...hacked together in 6 days, spaghetti code where 80% seems to be junk that doesn't even do anything, and is incredibly hard to decipher...
So what the Creationists are saying is basically...
God is a either a chump working at Microsoft, or a really bad software contractor who writes Perl?
Slashdot Mirror
Stealing bank passwords is one thing, how to transfer the money to your account without being traceable is a much bigger problem.
I guess plenty of Slashdotters learned a bit about computing from minor cracks - almost everyone has changed a save game file with a text or hex editor. Insecure network shares at your school network. Getting your neighbors' insecure Wifi passwords, someone probably thinks MAC filtering alone is safe. Modifying Flash games to give yourself 2^31 - 1 points on the high score board. Getting root on random poorly secured UNIX terminals in tech expos. Getting into someone else's IIS and read his local files via the canonical path bug many years ago. etc.
Sure it's not healthy if all you do are these minor thing and you keep doing these stuff for years. But it's a good inlet for kids to learn computing nevertheless.
Well, if you happen to be an open source developer, the "FOSS guy" label is much better than "hacker" anyway. None of the confusion, and people still respect you as much.
Probably for copying useful code snippets.
But otherwise if you're a hacker and you can't find out how to write C# from the documentations and from Google, it's kinda duh...
bosses act the same, they typically ignore your team mates and zero in on you.
This is necessary given your teammates' AI. If the enemies did anything that made sense your teammates would have been dead within 3 seconds for all combats.
At first I was unconvinced as well. An RPG without a complicated system like D&D or SPECIAL?
But after playing it for a few hours, it's still an RPG and it has all the fun of an RPG. The role playing in ME2 is in your conversations and in the cinematic. There're still some leeway for you to optimize (e.g. Geth Pulse Rifle for your squad, upgrades) if you still want to do character optimization.
Btw, unless you're playing on insanity, adept is a lot of fun too.
Beats Fallout 1 and 2, beats Bauldur's Gate, beats even Planescape Torment.
This game rocks! Brings back the memories!
The politicians can't be bothered with minor problems like the technology lead of the US. So let's just solve it the capitalist way.
Get the financial industry into the game, set up mutual funds and exchange traded funds to support patent trolls, get the investment banks into the game.
Once this gets started, within 6 months all the technology companies in the US will be able to do nothing. Then here's the smartest bit of the plan: the whole tech industry ask White House for a bailout because we've collectively become yet another too big to fail. So we get the money while we sit our asses doing nothing. No more death marches.
The perfect win-win situation! Wall Street wins, Silicon Valley wins!
On the bright side, as China's populace want a better standard of living and become more educated, the corruption and the real reasons for censoring may finally come under the sun and disappear due to popular demand. It's not like the more developed countries started out free of corruption and other types of censoring in the beginning.
But of course, it's just as probable that things can all go the wrong way.
Agree.
And the irony is.. if you've been a moderately successful pirate, the navies would actually want to hire you, thus eliminating all the problems about job seeking.
Well, this can actually be a tactic on the interviewer's side to make the megacorp look like it's highly desirable. :)
Of course... not many people can actually execute it right.
The first page says... to get a job, you need to find a vacancy.wow!
The second page says... to get a job, you need to pay attention to the job description.damn! this is awesome!
The third page says... to get a job, you need to submit your CV and wait.holy shit! it never occurred to me that I need to submit a CV!
The fourth page says... to get a job, you need to talk relevant things during the interview.oh noes! I always talk about movies during interviews!
The fifth page says... to get a job, smart casual is a safe choice.This tip is godlike! Most other applicants dress in bikini and that's why they didn't get a job!
If there's a debate on whether this technology can work, it goes like this...
Chuck Norris roundhouse kicked conservation of energy in the nuts, and he charged up his iPhone from his WiFi router's signal in 1 minute, 100 meters away!
If you're getting -70dBm, and Chuck Norris's iPhone is getting -70dBm, Chuck Norris is getting more power than you!
Is totally gonna charge up your battery and run your cell phone for days.
The inverse square law and dBm being a logarithmic unit can all go to hell.
If someone got root on your box via some "sideband" attack as opposed to actually doing it the hard way by decrypting it from whatever hash you put in place - it's still a valid attack with all the practical implications.
So that's what I've been saying all along - you consider the real, practical environment in addition to what the textbooks have to say about SSL. If the MITM can be exposed in the practical environment, then it's not good.
One-client argument again.
If you're the Chinese government, you aren't just pulling MITM to just one person. You're pulling it off to millions of users, against millions of HTTPS sites, - some of them may have their own organization-specific CA.
So the practical problem for you is, you have to make your MITM attack invisible to the million of users, who're allowed to try to detect you by any means necessary. A website having two different fingerprints with two different access methods is already suspect enough.
The practical implication for a detected MITM attack attempt is, the users who you're really interested in eavesdropping in, would use another communication channel - thus, shooting yourself in the foot.
First, have you ever gone to China? Last time I checked the Firefox downloaded "natively" in Bejing and via VPN have the same hash.
Second, what's stopping me from carrying my MacBook Pro with FF3.6 RC1 pre-installed, from Hong Kong?
Again, you need to make it 100% undetectable by any means...
No. Check my other reply. You still don't have the website's private key, which means your public key is still different, which means your certificate is still different from the original website's - even though it has a valid signature - which means all the problems about being detectable.
Typo: "If you know the CA's private key"
Your point doesn't really invalidate anything. If you know the CA's signature, then yes, you can forge another server certificate with a valid CA signature. But the problem is, it is still a different server certificate and thus, detectable - if your group of users have another means to contact the secure website.
The problem with your argument is that, you assume you're just trying to pull MITM on one person with just one set of vulnerable computer configuration. The reality is, this MITM attack has to be pulled upon millions of people without being detected. Plenty of Chinese Internet users have VPNs or "fanqiang" (translated literally, "wall toppling") softwares to get around your router. This is going to make your scheme clearly visible.
I know what you're talking about - see my next response to the same post.
It IS possible to get an SSL website to display with the scheme above. The problem is, it's not perfect. If anybody finds a way to go around your router, then your little scheme is exposed - which means anybody interested in privacy would take additional caution and find a way to go around your router too. Also, does this purported Chinese-operated CA exist in Firefox's list of trusted CAs?
The thing is, if you're trying to pull off a man-in-a-middle attack, you have to make it undetectable. Otherwise, the parties who're really interested in hiding things from you would just find another communications channel, like, Tor.
So, what the parent proposed is this... you have a router that pretends to be an HTTPS server between you and https://www.bank.com./ So, when you connect to the website, you're actually negotiating an SSL session with the router while the router negotiates another SSL session with www.bank.com.
This sounds all well and dandy.. except, how can the router in between convince your browser that it isn't really the bank's website?
So the parent's argument is... the organization who owns the router, controls the CA who signed www.bank.com's certificate too. However, even this would give you problems...
Add in the fact that you have plenty of people in China who have found ways to bypass the GFW, and that browsers seeing different fingerprints from the same website's certificates would give out red warning screens, your scheme is already not working well.
Next, it's about the CAs themselves. Every major OS and browser comes with a list of trusted CAs. Do you see many Chinese names there? No? And seeing Green Dam's PR disaster - if the Chinese government bothers to "coerce" foreign CAs to give them private keys, you can guess what the response is.
So, the reality is, even the Chinese government has no way of pulling out the already imperfect man-in-the-middle I described above. Yes, they can still give you a website with a different CA and probably with a self-signed cert, but again any sensible browser would jump up and down about it, which is definitely a strong motivator for anyone interested in privacy to somehow get foreign VPN access or simply just go to a Tor-like network.
Next common question... the textbook version of DH can be man-in-the-middled. While it is theoretically possible to MITM basic non-authenticated Diffie-Hellman without touching all the cert related stuff, it's not really practical since anonymous Diffie-Hellman is disabled by most web servers (e.g. the !ADH SSL cipher suite option in default Apache config) and I think most modern browsers wouldn't allow it anyway. What most real web servers do during SSL key exchange these days is either fixed DH or ephemeral DH, which aren't known to be susceptible to MITM unless the authentication in question isn't meaningful (e.g. self-signed certs, again, which is guaranteed to give you browser warnings)
Yeah, try to do some POSTURING in front of any important political monument the next time you go to Beijing, come back and tell us how you were treated by the friendly police officers.
Your theory doesn't sound plausible to me at all. The CAs don't generate private keys for the SSL transaction - HTTPS servers have their own private keys that aren't shared with the CAs. Also, the client generates and negotiates its own private key via the Diffie Hellman protocol with the server before a transaction, which means the real private keys used during transactions shouldn't be known by a router in the middle (with caveats, see next paragraph).
Now, if you've looked up the basics about the Diffie Hellman key exchange protocol, you'll find that it's possible to attack it with a man-in-the-middle. But that only applies if there's no meaningful authentication in the protocol (e.g. the server uses a self-signed cert). HTTPS servers (e.g. Apache) usually come with anonymous Diffie-Hellman disabled these days, so as long as the server's cert is signed by a well known non-Chinese CA (seriously, do you see any Chinese CA in your browser's list?), there should be no known way to man-in-the-middle it without at least invoking security warnings in the browser.
"That's the way God ... using copy & paste? If you really think about it...hacked together in 6 days, spaghetti code where 80% seems to be junk that doesn't even do anything, and is incredibly hard to decipher...
So what the Creationists are saying is basically...
God is a either a chump working at Microsoft, or a really bad software contractor who writes Perl?
This sucks, I want a refund.