And of course, how long it will take before the manufacturers will be having a firmware update for this. It seems that most firmware updates only add extra functionality to gain an edge over the competitors, but basic stuff like optimalisation is kind of a non-issue. I'm crossing my fingers this will be fixed shortly, but I'm having doubts about it.
From the AUSCERT advisory:
3. Workarounds/Mitigation
At this time a comprehensive solution, in the form of software or firmware upgrade, is not available for retrofit to existing devices. Fundamentally, the issue is inherent in the protocol implementation of IEEE 802.11 DSSS.
So it looks like firmware won't be able to stop it if it wants to implement the protocol correctly. There might be a grey area of course.
Personally, I don't think it's a big deal, there are already plenty of ethernet- and ip-level DoS possibilities to worry about another one at the physical level.. The symptoms will be a bit more mysterious though.
If would be a great solution if it's reliable.. But indeed, you can have different and changing signatures for every organisation you want to authenticate yourself to. It makes great sense, provided that it's reliable (against false positives/negatives), which i dare doubt however;)
It's an interesting idea, but it's too dangerous, because the whole point of biometrics is that they are tied to your person. You can't change them (eyes, fingers), you can't get new ones if your old ones are lost (eyes, fingers) or their information stolen (iris pattern, fingerprint), not everybody has them (eyes, fingers), and all scanners can probably be fooled with a little or much effort.
Another reason I don't like biometrics, however, is that you cannot compartmentalise your authentication information any more. If, say, the tax people, phone company, bank and the police all use your biometric information to authenticate you, then that provides for a massive spillover in (authentication) information that you can't control - for the same reason that it is a bad idea to have the same PIN code on your ATM card and your GSM phone PIN, it's a bad idea for everybody using the same info to authenticate you.
Nowadays, if somebody can impersonate you to the phone company, all they can do is run up high bills or get you disconnected or something. But if you're a phone company employee with access to someone's biometric info, you're a small step away from being able to impersonate that person to their bank, passport authority, etc., and take over their life.
Even worse, as above, you can't change your info if it's compromised. Remember that biometric info is just a fancy password, with all the password weaknesses, with the advantage that you don't have to remember it, and the disadvantage that you can't change it or get a new one. People can intercept and replay your password (biometric info) to scanners, it's just very simple symmetric and unreliable information in the end, relying on the trustworthiness of biometric scanners to be trustworthy. And of course the path from the scanners to the device interested in your identity..
Hm, I have that feeling with Warcraft III...
Not that I've been playing RTS's since they were invented (at all), but I do get dominated by 12-year-olds or whatever all the time and I keep trying.. embarassing.
Well, the reason I bought (!) the game was so that I could play on battle.net without worrying about CD keys, so...
Factoring what? You won't know the number you need factored until you intercept or steal the encrypted data.
Not true, because if you can factorise the modulus in the public key (which is generally easy to get), you can generate the private key.. That's the whole point to this factorisation business:)
As it happens, satisfiability algorithms can solve systems of 640 variables quite easily. No, it's true they can't solve 640-bit factorisations yet, or they would have:). The difficulty of satisfiability systems for randomly generated problems lies much more in the ratio of clauses to variables than number of variables alone.
For example, if information is going to need to be kept secret for twenty years, projects like this help you learn based on current technology, how much crypto is sufficent (or overkill).
True, although that only really matters for asymmetric (public/private, such as RSA) algorithms; for symmetric algorithms, you may as well use 256 bit keys, because it's just as fast as 128 bit keys, and minor breaks are unlikely to ever make attacks practical.
Because it's difficult to efficiently parallelize (distribute) the factorisation algorithm, especially the final step which so far has always happened on 1 machine. In fact, if you can paralellize the final
step of the GNFS (general number field sieve is generally used for these factorisations), you have yourself a PhD. thesis (in math and/or CS), I remember reading in sci.crypt.
Then she should take her money somewhere else, this is the only thing in the long run that would make ISP's police their own networks.
That's all very well if it works in the long run - I'm glad you trust your ISP to forever police their network in a way you like. In the meantime, however, we have to hop from ISP to ISP whenever our ISP deems to blacklist ranges that might try to send us (legitimate) email..
Yes, perhaps you should find someone else to email. You might not like that someone you want to email does not want to receive your communication. But it is their god damn right to do so (their line, their server, their money)
You would have been absolutely right if another human had blacklisted me, as a human - but that's not the case. It's (let's say) a site that represent thousands of humans that blacklists an ISP, representing even more thousands, who had no
say in the matter.
as I said earlier: It is not AHBL that blocks email, they only provide the list to those who whishes to do the blocking.
Then stop using the AHBL blacklisting service.
If you do not support this or can not accept such a policy, then your free to move your business to another email server that does not use AHBL or you might even set up your own email server accepting all email and spam alike.
My mother doesn't know how to run her
own email server in order to be able to
specify her own email filtering policy,
and neither should she have to.
I have no control over what blacklist
policies are used on sites I want to
send email to. If my range gets blacklisted
because my ISP doesn't crack down on
spammers, according to some self-appointed
authority that "runs out of patience",
what am I supposed to do if someone I want
to email trusts this self-proclaimed
authority? Find someone
else to email?
You really have no idea how smtp and spam blacklist's work at all do you?
If done properly, nobody knows the key. The RSA
factorisation challenges for instance have an accompanying story in the FAQ about how the primes were generated using a laptop, only the product (challenge) was recorded, the laptop destroyed. It's easy to check a factorisation (multiply:)), so no need to keep the primes around and risk having them leaked by dirty employees (or bribed, coerced etc).
As this is a public key encryption scheme, I should hope that the same has been done here.
Aha, this is sort of like what I've been looking for (while running, indeed) - a device that i can log my heartrate with, and read into a computer later on. Has to be very portable and jog-proof of course.. anyone?
That's a great way to help those who want to snoop on you in the most difficult problem they have: sifting the interesting data from the boring data.
If you're going to use cryptography, encrypt everything.
But then again, very few plumbers have to deal with users who consistently download BonziBuddy, blindly click on suspicious email attachments and use their cd trays as cupholders
This makes me wonder what is meant by 'IT professionals'. The above sounds like guys that support IT (desktop machines and network) in the office.. Well, that's only a small fraction of the work that goes on in IT, thankfully:) (or there would be nothing to support, for one thing).
Slashdot Mirror
It would have to be remote controlled by radio ;-)
Personally, I don't think it's a big deal, there are already plenty of ethernet- and ip-level DoS possibilities to worry about another one at the physical level.. The symptoms will be a bit more mysterious though.
I wonder why this is posted in the "your rights online" category ;-)
Please someone mod this man up, because he's right. :)
If would be a great solution if it's reliable.. But indeed, you can have different and changing signatures for every organisation you want to authenticate yourself to. It makes great sense, provided that it's reliable (against false positives/negatives), which i dare doubt however ;)
Another reason I don't like biometrics, however, is that you cannot compartmentalise your authentication information any more. If, say, the tax people, phone company, bank and the police all use your biometric information to authenticate you, then that provides for a massive spillover in (authentication) information that you can't control - for the same reason that it is a bad idea to have the same PIN code on your ATM card and your GSM phone PIN, it's a bad idea for everybody using the same info to authenticate you. Nowadays, if somebody can impersonate you to the phone company, all they can do is run up high bills or get you disconnected or something. But if you're a phone company employee with access to someone's biometric info, you're a small step away from being able to impersonate that person to their bank, passport authority, etc., and take over their life.
Even worse, as above, you can't change your info if it's compromised. Remember that biometric info is just a fancy password, with all the password weaknesses, with the advantage that you don't have to remember it, and the disadvantage that you can't change it or get a new one. People can intercept and replay your password (biometric info) to scanners, it's just very simple symmetric and unreliable information in the end, relying on the trustworthiness of biometric scanners to be trustworthy. And of course the path from the scanners to the device interested in your identity..
Biometrics aren't a silver bullet.
Hm, I have that feeling with Warcraft III ...
Not that I've been playing RTS's since they were invented (at all), but I do get dominated by 12-year-olds or whatever all the time and I keep trying.. embarassing.
Well, the reason I bought (!) the game was so that I could play on battle.net without worrying about CD keys, so ...
How about put options?
.. or, where do all the calculators go?
As it happens, satisfiability algorithms can solve systems of 640 variables quite easily. No, it's true they can't solve 640-bit factorisations yet, or they would have :). The difficulty of satisfiability systems for randomly generated problems lies much more in the ratio of clauses to variables than number of variables alone.
Because it's difficult to efficiently parallelize (distribute) the factorisation algorithm, especially the final step which so far has always happened on 1 machine. In fact, if you can paralellize the final step of the GNFS (general number field sieve is generally used for these factorisations), you have yourself a PhD. thesis (in math and/or CS), I remember reading in sci.crypt.
It's a very dumb assumption that all machines contain 80gb drives, and that that's all the storage they're using (what about e.g. SANs)..
tsk, loops are necessary if you want to have a flip-flop (1-bit memory).. or are there better components for that.
If done properly, nobody knows the key. The RSA factorisation challenges for instance have an accompanying story in the FAQ about how the primes were generated using a laptop, only the product (challenge) was recorded, the laptop destroyed. It's easy to check a factorisation (multiply :)), so no need to keep the primes around and risk having them leaked by dirty employees (or bribed, coerced etc).
As this is a public key encryption scheme, I should hope that the same has been done here.
Aha, this is sort of like what I've been looking for (while running, indeed) - a device that i can log my heartrate with, and read into a computer later on. Has to be very portable and jog-proof of course.. anyone?
Using itself? how could it ever be written then? The structure of RFC's has to be defined out-of-band, if you ask me.
That's a great way to help those who want to snoop on you in the most difficult problem they have: sifting the interesting data from the boring data. If you're going to use cryptography, encrypt everything.
i must stop correcting people wrongly :)
you do know it's "mana mana", don't you ;-)