My bank doesn't do that anymore. They like to be "paperless" since electronic is cheap.
My bank, utility providers, and lots more send me emails with information related to my account in them. They pretend to be more secure by not specifically mentioning the account or asking for my password.
However, they usually provide a link to their website in the email! On the other end of that link they DO ask for your password. I never click that link no matter how legitimate it looks. You should use your own bookmarks to type the URL to their homepage yourself.
You can't tack in a magnetic field. Well, you could, but it would require an actual change in the magnetic field. Remember, you can't make a net gain of energy in a closed system.
There's that. But even if you pass emissions (and hey, at 100 MPG you probably can), these guys made 1 car. Er... way to go. I've seen individual cars drive themselves without a driver, and Slashdot reports on car/plane commuter combos once in a while. Making one of something is neat, but it's not what manufacturers do. They're a bit behind leading edge technology, and make a hell of a lot more cars.
I've worked with the Joint Architecture for Unmanned Systems (JAUS) before. It attempted to define common messages between components, like a global position message from a GPS/IMU component, and control messages to joints and motors.
Ideally this was to lead to off the shelf components that you can throw together. In reality, we found ourselves writing and extending a lot of messages since robotics doesn't conform to the abstract as well as some other fields of software. And some communication happened off of the JAUS network. But the JAUS network did help us connect some of the simpler, more universal robotic functions together in an understandable architecture. And some components could well have been replaced with equivalent components speaking the same protocol.
I haven't touched it in a couple years, but I think it's still a long way from prime-time.
Once you jailbreak the touch or iPhone you get things like ssh, scp, sftp, and rsync. And this can all be done over wifi, so no cable and more clients and availability.
A tested IQ of 151... and you think IQ is related to intelligence?
His counterexample to IQ==intelligence (the entire post you replied to, I don't know how you missed it) didn't give away what he thinks?
In fact, many of them have insisted that they have no ability at all to identify and block individual messages.
They may be telling the truth that they don't have that kind of capability. However, that's just an obvious implementation oversight. For something as much an embedded system as a cell phone (lacking firewalling capabilities on its own) and tied so closely to the cellular networks, they should have designed something akin to snort rules for anything in packet-based communications so they could filter attacks at the network level. It's not rocket science. It's just how you protect networked systems that are difficult to quickly patch or otherwise secure.
Look on the bright side, a dead zone is carbon sequestering! Organics that should rightly be metabolized into CO2 are left out of the atmosphere since there's no O2 hanging around!
I know! Personally my rates are pretty low since I drive only once or twice a week. I'm under the impression that they verify with the DMV here (we have yearly emissions inspections that also verify odometer readings) that the car is only traveling my self-rated low mileage per year.
Do you have to enter your credit card number every time you want to access your computer? No? Well that's why it's in your wallet and not more easily accessible.
I've got . . . a motorcycle that gets . . . $350 per year in commuting costs.
You forgot your medical bills from when you get hit by a car. They're actually pretty high.
This is a really stupid idea. Batteries for cars can cost upwards of $20-30k. What happens when some crook swaps out a fake battery for a real one? Are these stations really going to check the quality, retention, chemical composition, and other physical properties of every battery in 45 seconds?
No, but they will check the RFID located in the battery pack.
Get a good one and it'll do enough crypto to authenticate itself and then it'll relay any messages from the tamper resistance sensors located all around the pack. You could probably do this today for less than $20 extra per pack.
Note that after you type your username in, you're taken to a secure page.
No, you might be taken to a secure page. It's hard to tell and you can't trust that somebody hasn't messed with the connection yet.
But just because banks are doing it doesn't make it smart. It's really a bad and insecure practice. The fact that my bank, Wachovia, has one of these insecure logins on their homepage makes me worry about my account and information. Though I don't use that login. You can find one that actually uses SSL deeper on the site (or https to the exact same homepage kind of works too).
And yet, if it was the case that a lot of people didn't know how to lock their doors or didn't think it was necessary, you just might be doing a public service by checking all the doors of your neighbors and educating people how and why to lock their doors correctly.
Also, if you saw your neighbor's front door didn't have a deadbolt and you lived in a city where crime was an issue, it should be your responsibility to educate this person about the dangers and solutions you know about. If you aren't using hacking tools I don't see this as breaking down a door, it's more like a visual inspection.
DRM doesn't do what they think it does. It encourages Piracy (by making valid copies less [valuable] than their pirated versions)...
Yes. In deciding to buy a game vs. download a game, people used to decide based on a few reasons.
A bought game has a better chance of working correctly on your machine when you install it.
A bought game will not install unintended malware from the people you got the game from.
Now pirated games hold those advantages. And they work on machines without cd/dvd drives (I have a couple like that). Not that I like pirating games, but I have used no-cd cracks on games I actually did pay for.
Also, I really wanted to buy Spore. But I can't have things like SecuROM messing up my system. So the game's developers get less money...
Don't say I can't make security holes in Java.
I can make security holes in whatever language I want! Really.
So... removing features here at the last minute so they can still get it out the door before the deadline. It looks like they picked too aggressive a deadline and they're trying to cover for it now instead of having specced things out correctly at the start.
I'll bet the game ships with bugs.
Agreed! I was thinking that if the window was behaving improperly you'd better not click anything at all. I don't think the article mentioned that.
I think that for the strange dialog boxes, if half clicked 'yes' and half clicked 'no' then we have a whole lot of fail. 100% fail. Now for something there weren't any clues on I'm guessing that the machine is already running malcode so the clicking doesn't really matter.
Because not all of these sites are questionable...
All it does is force these sites to buy certificates from the existing ssl certificate cartel.
Hello Bert,
I am from your bank. Remember me? I'm not questionable, you deal with us all the time.
Please use the attached self-signed certificate I just made to encrypt your username/password to me so that you can log in.
-The Bank
Now, you'd probably like to authenticate who that was before encrypting your username/password to them, right?
Anyway, signed certificates aren't so that questionable sites can look reputable. It's so internet criminals cannot appear to be a reputable company. If you cannot authenticate who you're sending data to, you cannot send them any data you wouldn't want to send in clear-text.
If it's done right, perhaps what a person puts into the pool only goes out to the artists he or she listens to. So if you just listen to Radiohead and NIN, your fee (less of course some admin portion) would get split between the two bands (perhaps based on number of listens, perhaps based on actual listening time) and trailer trash skanks won't get any of your money.
And this is unlike iTunes or buying a CD how?
Looks like it started at 1pm yesterday.
I'm curious now, too.
'This ignores the value of simple encryption. Snooping a connection (i.e. on a wireless link) is much easier than any of the impersonation attacks that SSL authentication prevents.'
SSL does not provide wireless security. WPA and other wireless encryption schemes exist for that purpose. These don't include any false illusion of security that accepting a self-signed SSL cert from a remote site would give (encryption != security, as posters above say). SSL is the wrong tool for the job here.
Problem is that "2" doesn't happen.
Think of this example: I "encrypt" some confidential data. However, I've encrypted it so that I don't know who will be able to decrypt it. Does that make any sense?
Why was I encrypting it? So a criminal couldn't steal my credit card number? What if I had just encrypted it directly to that criminal? Oops! This encryption didn't help me at all.
If I want to send someone secured data I first have to define clearly and be sure of who I am sending that confidential data to.
With a little thinking you'll find that not authenticating the end users of an encrypted channel is just moving some bits around and is only as secure as your network. Meaning you might as well be sending clear text and save some processor cycles.
Now you can accept self-signed certificates, but you had better have a different way of authenticating the cert than the rest of us use. An example of this would be something from an internal corporate network.
I'd much prefer to accept it from my current session only. Accepting it forever seems a little insecure to me.
If you're not feeling paranoid there's a thing called "first time trust". This is how you usually accept ssh certs, and can usually work well for internal network use. The idea is that every time you return to that machine it presents the same cryptographic identity.
If you were correct in your assumption that there was no man-in-the-middle attack on your first connection, then keeping that certificate around prevents future attacks. Or if it was different the next time you'd have reason to suspect that first connection and know what data you'd given up.
So accepting a certificate until its expiration has more security features than accepting for a single session.
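The "first time trust" model described in the last few comments (pin the identity seen on first contact, compare on every return, treat a changed identity as a possible man-in-the-middle, and persist the pin until expiry rather than for a single session) can be made concrete with a small known_hosts-style pin store. This is an added example, not code from the thread or from ssh; the host name, the "public keys" and the timestamps are constructed sample values, and the SHA-256 fingerprint and JSON persistence are this example's own choices.

```python
# Added example (not from the original thread): a minimal "first time trust"
# (TOFU) pin store in the style of ssh's known_hosts, illustrating why pinning
# until expiry detects more than accepting an identity for one session only.
import hashlib
import json
import time
from typing import List, Optional

# Constructed sample "public keys": any bytes a peer presents as its identity.
KEY_A = b"constructed-public-key-of-host-A"
KEY_B = b"constructed-public-key-of-an-impostor"


def fingerprint(public_key: bytes) -> str:
    """SHA-256 hex fingerprint of the presented key; this is the value we pin."""
    return hashlib.sha256(public_key).hexdigest()


class PinStore:
    """Remembers the first identity seen per host and compares later ones."""

    def __init__(self) -> None:
        # host -> {"fp": fingerprint, "first_seen": epoch, "expires": epoch or None}
        self.pins = {}

    def check(self, host: str, public_key: bytes, now: Optional[float] = None,
              ttl: Optional[float] = None) -> str:
        """Return 'new', 'match', 'mismatch' or 'expired'.

        'new'      : first contact; the key is pinned (trust on first use).
        'match'    : same identity as pinned, so no MITM since first contact,
                     assuming that first contact itself was clean.
        'mismatch' : a different key; the pin is NOT replaced and the caller
                     must treat the connection as a possible man-in-the-middle.
        'expired'  : pin is past its expiry; trust has to be re-established
                     explicitly (e.g. out of band), never by silently re-pinning.
        """
        now = time.time() if now is None else now
        fp = fingerprint(public_key)
        rec = self.pins.get(host)
        if rec is None:
            self.pins[host] = {
                "fp": fp,
                "first_seen": now,
                "expires": None if ttl is None else now + ttl,
            }
            return "new"
        if rec["expires"] is not None and now > rec["expires"]:
            return "expired"
        return "match" if rec["fp"] == fp else "mismatch"

    def forget(self, host: str) -> None:
        """Explicit operator action to drop a pin (e.g. after a verified key rotation)."""
        self.pins.pop(host, None)

    def dumps(self) -> str:
        """Serialise the pins. A persistent (until-expiry) store saves this
        between runs; a session-only store simply never does."""
        return json.dumps(self.pins, sort_keys=True)

    @classmethod
    def loads(cls, data: str) -> "PinStore":
        store = cls()
        store.pins = json.loads(data)
        return store


def run_demo() -> List[str]:
    """Walk through the scenarios the thread discusses and return the verdicts."""
    t0 = 1_000_000.0  # constructed epoch timestamp
    store = PinStore()
    results = [
        store.check("host-a.example", KEY_A, now=t0, ttl=86400),  # new
        store.check("host-a.example", KEY_A, now=t0 + 60),        # match
        store.check("host-a.example", KEY_B, now=t0 + 120),       # mismatch
        store.check("host-a.example", KEY_A, now=t0 + 180),       # match, pin untouched
    ]
    # Persisting the pins is what makes "accept until expiration" stronger than
    # "accept for this session": the reloaded store still catches the impostor.
    reloaded = PinStore.loads(store.dumps())
    results.append(reloaded.check("host-a.example", KEY_B, now=t0 + 240))    # mismatch
    results.append(reloaded.check("host-a.example", KEY_A, now=t0 + 90000))  # expired
    return results


if __name__ == "__main__":
    for verdict in run_demo():
        print(verdict)
```

The one design rule worth copying from ssh is that a mismatch never overwrites the pin: the store reports it and leaves the decision to a human, which is exactly the point made above that a changed identity tells you to suspect the first connection and to know what data you had already handed over.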