First, you can recognize your peer's voice. As for the man in the middle, for real time, voice conversation, the delay would be too big to go undetected.
Funny guy. Just in case you were serious, a MIM attack against this phone would tap in the data path with 0 delay, there is no need for an actual "man" in the middle. Eve makes the key agreement with both Alice and Bob (different keys), and then decrypts and re-encrypts the data stream on the fly.
Vanilla Diffie-Hellman is susceptible to man in the middle attacks because it provides no authentication. The only way to have true security is to cache the public key of the other party on first call (a la ssh), or better, to have the phones exchange keys through IR when they are placed one next to the other.
No. That sort of coincidence happens all the time.
If you express your mathematical results with 4 digits, there is a 1 in 9000 chance to get 3141. If you take, say, 9 "magic" numbers like e, phi, pi, 1, sqrt(2), etc. there is still only a 1 in 1000 chance to get a match. So it should not happen all the time, and if it does, there is something fishy about it.:)
Come on, what do readers think...I know there's got to be some way to use BS software and reroute things through an Onion style network to fight back.
The fact that Blue Security has failed does not surprise me. They were a business, and this kind of vigilante justice cannot be made profitable. What we need is to implement an open source p2p DOS network. Everybody can submit a link that they found in SPAM mail, with their DOS client. This way, the more a site is spamvertised, the more it is DOS-ed. Of course, the amount of DOS the site gets should be comparable with the bandwidth needed to send the spams, so there are no abuses of the system. Just send their crap back to the sites they run.
There's a lot of studies out there that say that most sexual abuses happen within the extended family.
That's not relevant to the discussion. Since I don't abuse my kid or nephews, I don't care much for that statistic.
That's not to say the idea is anything short of moronic, but it does appeal to the average voter. More important, what politician would oppose it, and then risk being called Satan's little helper when the next (one in a million, statistically irrelevant) MySpace kid is raped and killed?
As a teacher, you should do your homework and install proper filtering software on the schools computers. It's not rocket sience, nor is it very expensive. The ease of which a 12 y/o can access porn using his dad's computer is no buisness of yours.
That means that to break a QC key exchange, S will need only to cut the fiber and link both ends to his computer.
There are practical implications. Any kind of repeater I can think of, built using today's technology, like transistors and integrated circuits, will insert a very high delay.
Suppose there is a 100Km quantum line between two points, and that the speed of light in the line is 200.000 Km/s, this will generate a very stable latency of 0.5 msec.
So depending on the accuracy of measuring this latency, and it's dispersion with temperature and other factors, it could very well mean that it's technologically impossible to build a repeater that cannot be detected.
It seems pretty extreme to me to receive a 1 million $ grant to build what is basically a long wave radio coupled with a CELP encoder (these can compress voice down to 1200 bps). I'm sure there are lots of practical difficulties though.
It's important to observe that most ads are delivered from diferent servers. The content site only places a few inline frames on it's pages. So to do what you propose, the logs from multiple servers/organizations must be corelated. It could work for online comunities to do this scan once in a while, but the average add-infested website would need a constant link with the adserver to check for this and instantly refuse service to a surfer that blocks adds. Also note that the adservers have litle incentive to suport this. They usualy only care about the clicks, not the number of impressions. No add displayed, no clicks, no money for the content site.
Enough whith Coverity allready. It's like the 50th slashdot article that talks about this. FYI, it costs about 50.000 $ for a medium sized project (500.000 lines), and is no more than a lint on steroids. Here is a somewhat cheaper competitor. None of this tools is a mach for a manual audit performed by a professional.
You are wrong on so many levels. Besides what's already been said, I would add the fact that lead acid bateries have much lower power density. That is, you need a much heavier battery for the same capacity (Ah). That figures, since lead is, uh... heavy.
It seems everyone agrees they should sign up for BlueSecurity, now that the spammers are so pissed by it. I'm afraid it could be a Trojan horse. It is well known that "do not spam" whitelists do not work: even if you give spammers only 1-way hashes of the emails, they can easily set-up a dictionary attack against the database. They already do this with remote mail servers; it's infinitely easier to do this against a local database, since they have almost limitless computing power for such an attack. So my conspiracy theory is that the spammers are trying to provoke exactly such a response and make people sign up. So I would advise anyone to download and use the client, but only subscribe with a disposable email address.
You are absolutely right. The problem is highly asymmetrical : the spammer needs spambots and webservers worth a few thousand $, and can flood the Internet with crap. If every recipient is to spend a few minutes to do a mDOS (manual denial of service), it sums up to tens of millions of lost minutes, or millions of $ in lost productivity. We need an automated descentralized P2P network to attack the spammers and the spam-friendly ISPs.
Remember, EU is the place where "Intellectual Property" without restrictions was to be protected by the new constitution on the same level (or rather: above) more usual constitutional rights, such as freedom of speech and right to live.
Title II makes no such claims. It simply states: "Intellectual property shall be protected.", towards it's end.
As a programmer, I am certainly aware that the right to live or the right to an education is useless for me without protection of the intelectual property, since I will not aford living or getting that education.
Not even the GPL works without protection of the intelectual property.
> But we have learned that for encryption to be ubiquitous and reliable, the algorithm must be open.
Encryption works between Alice and Bob: Eve should not eavesdrop, Eve does not have the secret key, so the source won't help her. DRM works between Alice and Eve: Alice "is allowed" by Eve only some rights but not others. It follows that Alice must have the key in some form or another. So Eve either obfuscates the algorithm so the key Alice has is useless (MS-DRM), or hides they key in tamper-proof hardware (TCPA).
Mozilla has bugs to. Lots of them. The difference, however is the time it takes to patch them.
Folks like Secunia can profit only when the patch takes a long time to develop. As long as it is a secret vulnerability, it has value. This vulnerability is the perfect example: MS was notified about this on 13/02/2006, 40 days ago. They had all the opportunity to fix it in this month's security patch, but thy did not. So the patch will come no earlier than 2 months after discovery - that's a huge window of exposure.
It was only when I have rediscovered the bug, and posted an inquiry about it on the Full Disclosure mailing list, that Secunia rushed to finally publish the advisory. I must note that I did not develop the exploit independently, I simply piked it up on underground forums.
I say this is not "responsible disclosure", and that it is *irresponsible* to keep a bug of this magnitude unpatched for 2 months. Because there is a high risk that it will be found by the bad guys in the meantime - just like it happened with this bug.
Slashdot Mirror
Funny guy.
Just in case you were serious, a MIM attack against this phone would tap in the data path with 0 delay, there is no need for an actual "man" in the middle. Eve makes the key agreement with both Alice and Bob (different keys), and then decrypts and re-encrypts the data stream on the fly.
Vanilla Diffie-Hellman is susceptible to man in the middle attacks because it provides no authentication.
The only way to have true security is to cache the public key of the other party on first call (a la ssh), or better, to have the phones exchange keys through IR when they are placed one next to the other.
I'm afraid it has already started. Just look at what Greenpeace thinks about fusion:
Nuclear fusion reactor project in France: an expensive and senseless nuclear stupidity
BTW, the things stated there are plain stupid, i.e. they don't have any idea what they are talking about. Hippie magic at work.
...are frustrated actors?
Great, the language troll. No, I'm not new here.
If you express your mathematical results with 4 digits, there is a 1 in 9000 chance to get 3141. If you take, say, 9 "magic" numbers like e, phi, pi, 1, sqrt(2), etc. there is still only a 1 in 1000 chance to get a match.
So it should not happen all the time, and if it does, there is something fishy about it.
The fact that Blue Security has failed does not surprise me. They were a business, and this kind of vigilante justice cannot be made profitable.
What we need is to implement an open source p2p DOS network. Everybody can submit a link that they found in SPAM mail, with their DOS client. This way, the more a site is spamvertised, the more it is DOS-ed.
Of course, the amount of DOS the site gets should be comparable with the bandwidth needed to send the spams, so there are no abuses of the system. Just send their crap back to the sites they run.
There's a lot of studies out there that say that most sexual abuses happen within the extended family. That's not relevant to the discussion. Since I don't abuse my kid or nephews, I don't care much for that statistic. That's not to say the idea is anything short of moronic, but it does appeal to the average voter. More important, what politician would oppose it, and then risk being called Satan's little helper when the next (one in a million, statistically irrelevant) MySpace kid is raped and killed?
As a teacher, you should do your homework and install proper filtering software on the schools computers. It's not rocket sience, nor is it very expensive.
The ease of which a 12 y/o can access porn using his dad's computer is no buisness of yours.
RD/VNC from the top of a mountain to my home desktop machine
That's overkill. Even if the service offers only a HTTP proxy, there are still methods to do IM over HTTP.
Am I the only one who was very excited by the idea of a 40% discount?
The most important part is deciding who to sue(press next)
Here's that command for you:
(linux) ping -i 0.2 -w 0.2 -s 65000 www.specialham.com
That means that to break a QC key exchange, S will need only to cut the fiber and link both ends to his computer.
There are practical implications. Any kind of repeater I can think of, built using today's technology, like transistors and integrated circuits, will insert a very high delay.
Suppose there is a 100Km quantum line between two points, and that the speed of light in the line is 200.000 Km/s, this will generate a very stable latency of 0.5 msec.
So depending on the accuracy of measuring this latency, and it's dispersion with temperature and other factors, it could very well mean that it's technologically impossible to build a repeater that cannot be detected.
It seems pretty extreme to me to receive a 1 million $ grant to build what is basically a long wave radio coupled with a CELP encoder (these can compress voice down to 1200 bps).
I'm sure there are lots of practical difficulties though.
It's important to observe that most ads are delivered from diferent servers. The content site only places a few inline frames on it's pages.
So to do what you propose, the logs from multiple servers/organizations must be corelated. It could work for online comunities to do this scan once in a while, but the average add-infested website would need a constant link with the adserver to check for this and instantly refuse service to a surfer that blocks adds.
Also note that the adservers have litle incentive to suport this. They usualy only care about the clicks, not the number of impressions. No add displayed, no clicks, no money for the content site.
Enough whith Coverity allready. It's like the 50th slashdot article that talks about this.
FYI, it costs about 50.000 $ for a medium sized project (500.000 lines), and is no more than a lint on steroids. Here is a somewhat cheaper competitor.
None of this tools is a mach for a manual audit performed by a professional.
You are wrong on so many levels.
t her_batteries
Besides what's already been said, I would add the fact that lead acid bateries have much lower power density. That is, you need a much heavier battery for the same capacity (Ah). That figures, since lead is, uh... heavy.
http://en.wikipedia.org/wiki/NiCd#Comparison_to_o
Here's the dld link:r ogSetup.exe
http://download.bluesecurity.com/ds/generic/BlueF
It seems everyone agrees they should sign up for BlueSecurity, now that the spammers are so pissed by it.
I'm afraid it could be a Trojan horse. It is well known that "do not spam" whitelists do not work: even if you give spammers only 1-way hashes of the emails, they can easily set-up a dictionary attack against the database. They already do this with remote mail servers; it's infinitely easier to do this against a local database, since they have almost limitless computing power for such an attack.
So my conspiracy theory is that the spammers are trying to provoke exactly such a response and make people sign up. So I would advise anyone to download and use the client, but only subscribe with a disposable email address.
You are absolutely right. The problem is highly asymmetrical : the spammer needs spambots and webservers worth a few thousand $, and can flood the Internet with crap. If every recipient is to spend a few minutes to do a mDOS (manual denial of service), it sums up to tens of millions of lost minutes, or millions of $ in lost productivity.
We need an automated descentralized P2P network to attack the spammers and the spam-friendly ISPs.
Are you claiming Google is a monopoly? We're not free to use Yahoo and MSN search as we desire? That's news to me!
By the same logic, are you claiming that Microsoft is a monopoly? We're not free to use Linux or FreeBSD as we desire?
Remember, EU is the place where "Intellectual Property" without restrictions was to be protected by the new constitution on the same level (or rather: above) more usual constitutional rights, such as freedom of speech and right to live.
Title II makes no such claims. It simply states: "Intellectual property shall be protected.", towards it's end.
As a programmer, I am certainly aware that the right to live or the right to an education is useless for me without protection of the intelectual property, since I will not aford living or getting that education.
Not even the GPL works without protection of the intelectual property.
> But we have learned that for encryption to be ubiquitous and reliable, the algorithm must be open.
Encryption works between Alice and Bob: Eve should not eavesdrop, Eve does not have the secret key, so the source won't help her.
DRM works between Alice and Eve: Alice "is allowed" by Eve only some rights but not others. It follows that Alice must have the key in some form or another. So Eve either obfuscates the algorithm so the key Alice has is useless (MS-DRM), or hides they key in tamper-proof hardware (TCPA).
Mozilla has bugs to. Lots of them. The difference, however is the time it takes to patch them.
Folks like Secunia can profit only when the patch takes a long time to develop. As long as it is a secret vulnerability, it has value. This vulnerability is the perfect example: MS was notified about this on 13/02/2006, 40 days ago. They had all the opportunity to fix it in this month's security patch, but thy did not. So the patch will come no earlier than 2 months after discovery - that's a huge window of exposure.
It was only when I have rediscovered the bug, and posted an inquiry about it on the Full Disclosure mailing list, that Secunia rushed to finally publish the advisory. I must note that I did not develop the exploit independently, I simply piked it up on underground forums.
I say this is not "responsible disclosure", and that it is *irresponsible* to keep a bug of this magnitude unpatched for 2 months. Because there is a high risk that it will be found by the bad guys in the meantime - just like it happened with this bug.
--
Stelian ENE