Here's another project that will model the neurons in the neocortex of a real human brain...
http://domino.watson.ibm.com/comm/pr.nsf/pages/rsc.bluegene_cognitive.html
Very cool, and certainly beyond what I thought we would be capable of. I'm not sure how fast it runs relative to realtime, but it doesn't look like we'll need a moon sized computer to simulate an entire human brain in the not too distant future.
Yes, I've seen that too, but it doesn't protect you against a man-in-the-middle attack, which is what the original post is on about. It does help to prevent using the login information collected in one phishing session later though.
A very good point. Of course, the nice thing about ODF (or any open, standardised format) is that it's possible for anyone to produce a viewer on any platform, if the need arises. If Microsoft could have successfully played the available-viewers-for-proprietary-formats argument, they wouldn't have gone down this route.
I work in digital preservation for the UK government, and it's something we've been monitoring with interest for a while. We were basically considering migrating all office formats into their ODF equivalents, to maximise the preservation and dissemination opportunities for archived government documents. Now that Microsoft are going to support the ODF format, the risk in keeping office documents in their native formats has actually gone down! A sensible move by Microsoft, which I expect to pay off for everyone.
Nah - I think they will support the standard reasonably well. But of course, there will be "advanced" functionality that doesn't map to the feature set of the office applications, so that will be lost when you convert between them.
Government do have plans to use it at some point though. Why should every citizen have to pay a Microsoft tax (e.g. buy a copy of Microsoft Office) in order to read documents produced by their own government? ODF was already being looked at as an archival format for digital documentation. It's great that MS Office will be able to read and write ODF files.
The thing that is maybe not appreciated by all is that, while government has been producing documents digitally for decades, just like the rest of us, those electronic copies weren't regarded as the actual document - it was the final print-out that was the document - the computer was just the means of production. It's only very, very recently that the (UK) government has decreed that the actual document (i.e. the one that eventually might be archived) is really the digital copy.
The problem is "stealing someone else's ideas". Do you think that the OSS developers actually went out and "stole" the ideas?
No - they independently came up with the same method of doing something, because it was basically obvious. The standard for obviousness is clearly far too low. How would you do it at all if not through an O-R mapping?
Actually, I think that copyright is sufficient to protect software in general, but that's another argument.
This is entirely because any application that runs, runs with the full privileges of the user, even if those privileges are limited to only that user's resources.
Until people stop only focussing on restricting what users can do and start focussing on what individual applications can do, this problem will never go away.
But I guess it's a bit soon for that. After only decades of operating system production, MS are finally getting around to limiting user privileges a bit by default. Wake me up in another 20 years... sigh...
(for those who think I'm just MS bashing, unix has its own set of privilege problems - setuid is not the answer to everyone's prayers!)
I agree that personal computing enabled everyone to benefit from cheap, ubiquitous computing power, which the mainframes of the day couldn't provide.
Of course, this was back before anyone realised total cost of ownership was far greater than the purchase price of the machine. And viruses and worms hadn't been invented, and you needed to be a guru to change the machine configuration, and they only ran a single application at one time, and we weren't connected to a vast global network filled with script kiddies and criminal hackers.
We aren't really going back to a central processing model. We are trying to regain some of the management and security benefits the old central processing model had by default and that general purpose networked personal computers can only acquire with a lot of hard work.
Frankly, for what most people use their PCs for at work, and given the ubiquitous network, it would be far cheaper for many enterprises to run thin client diskless workstations and actually return to a central processing model, if we hadn't already bought so heavily into the current model.
Yes, I agree it's not an ideal situation, especially in the case where you stumble upon it. If you just passively examined the operation of the system and from those public facts deduced there was a security weakness, I doubt you will have done anything wrong (laws may vary though... reverse engineering a security system?).
If you step beyond passively examining the system, then only performing "reasonably minimal actions" might serve as a mitigation in your defence, and possibly reduce your sentence if you were found guilty, but it wouldn't (and shouldn't) stop your actions being an offence in the first place.
The only safe defence is not to do anything legally questionable in the first place - i.e. you either have authorisation to perform the security evaluation, or you don't do anything.
If you are going to try to poke holes in someone else's security without authorisation from them, even if it's for the most moral reasons in the world - e.g. a company leaving extremely sensitive personal details easily available to any old script kiddy - you had better do it extremely anonymously, and be aware that you are probably committing a crime, even if your motives are pure.
If you proactively find the vulnerability without authorisation, you are probably committing an offence. Having the best of intentions is no defence, otherwise everyone could simply claim that and get off.
Maybe you should care about your own security as much as you seem to about someone else's security!
That's an interesting mitigation - to only "hack" your own account. Can this access be said to be unauthorised?
It could be argued in court that by attempting to access your account by abnormal methods, that constitutes unauthorised access. The mere absence of technical security controls (or the failure of those controls to work properly) does not constitute authorisation to perform an action in the eyes of the law.
I don't think it would come to that, and they'd have to argue pretty hard - and would probably end up looking pretty stupid and mean themselves - but you could still probably be found guilty of an offence, even if the sentence was only a nominal fine.
Interesting take on it though. Personally, I would only ever perform security evaluations on systems for which I have written authorisation to do so.
If you are playing with SQL injection on systems you have not been authorised to do security evaluations on, you are almost certainly committing a crime.
Curiosity and the best of intentions can land you in a lot of trouble, so please be more careful.
The difference with the parent poster is he simply monitored what was going on - he didn't actively hack the system.
I agree that in the case of Cuthbert, what he did was really quite trivial, and that the police are going after the low hanging fruit. Although given the difficulty of prosecuting these sorts of crimes, that's maybe not so surprising. Still, he has no defence in the court of human rights. He definitely committed a crime under section 1 of the 1990 Computer Misuse Act (unauthorised access): (a) he caused a computer to perform a function (b) he had intent (c) he knew what he was doing was unauthorised. That's all you need for a S1 CMA offence. He broke the law, he should have known better. Tough. Whether it was really worth prosecuting him is another matter, but I guess it sends a message out.
Eeek - step 3 could get you arrested, in the UK at least. I can't see that committing a computer crime in order to report a security vulnerability is a good idea!
Admittedly the chances of being caught right now are very low, but if you're the sort of person who takes security seriously, and maybe even wants to make a career out of it, doing this sort of thing isn't going to help you very much long term.
Nope, I'd say that describes capitalism. Capitalism frequently puts the value of money and profit above life - both human and non-human life.
Greed is a human, personal emotion. Clearly greed can also value money higher than life itself.
Capitalism is an economic system - it doesn't have emotions. Its nature is to value money and profit as its highest goal - just as the original poster said.
Yes, that makes sense - a challenge-response authentication protocol. There's normally some sort of key establishment mixed in there too to allow them to communicate over a secure channel.
I think you mean authentication, not authorisation, and I'm afraid I don't get your point about not sending anything that can be used again.
You seem to be talking about mutual authentication protocols. Public key cryptography is often used in these. Mutual authentication is often combined with key exchange protocols (e.g. the Station-to-Station protocol). These are great to establish a secure shared session between two parties, but as you point out, who checks the server certificate? It's a secure tunnel... to whom? It's just too damn complex for most users.
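The exchange the last three replies describe, as an added example that is not part of the original comments or of any named product: a mutual challenge-response login over a pre-shared key (HMAC-SHA256 standing in for the public-key variants mentioned above), with a session key derived from both parties' nonces. The key, the client name and the server name are constructed values. It shows why a response recorded in one session cannot be replayed against a later challenge (the point about phished login information a few replies up), and why a man-in-the-middle relaying the exchange live is still logged in when the server hands back a bearer token instead of binding the session to the derived key.

```python
import hashlib
import hmac
import secrets

# Constructed values: a key provisioned out of band to both sides, and the
# server identity the client expects to be talking to.
PSK = b"example-pre-shared-key"
SERVER_NAME = b"bank.example"


def mac(key: bytes, *parts: bytes) -> bytes:
    """HMAC-SHA256 over length-prefixed parts, so field boundaries are unambiguous."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    for p in parts:
        h.update(len(p).to_bytes(4, "big") + p)
    return h.digest()


class Server:
    def __init__(self, key: bytes):
        self.key = key
        self.pending = {}   # client_id -> outstanding challenge nonce
        self.sessions = {}  # bearer token -> client_id, as a web login hands back

    def challenge(self, client_id: bytes) -> bytes:
        n_s = secrets.token_bytes(16)  # fresh for every login attempt
        self.pending[client_id] = n_s
        return n_s

    def verify(self, client_id: bytes, n_c: bytes, proof: bytes):
        """Return (server_proof, session_key, bearer_token), or None on failure."""
        n_s = self.pending.pop(client_id, None)  # a challenge can be answered once
        if n_s is None:
            return None
        expected = mac(self.key, b"client", client_id, n_s, n_c)
        if not hmac.compare_digest(expected, proof):
            return None
        server_proof = mac(self.key, b"server", SERVER_NAME, n_c, n_s)
        session_key = mac(self.key, b"session", n_s, n_c)
        token = secrets.token_hex(16)
        self.sessions[token] = client_id
        return server_proof, session_key, token

    def whoami(self, token: str):
        return self.sessions.get(token)


class Client:
    def __init__(self, key: bytes, client_id: bytes):
        self.key, self.client_id = key, client_id
        self.n_s = self.n_c = None

    def respond(self, n_s: bytes):
        """Answer the server's challenge and issue our own nonce for mutual auth."""
        self.n_s, self.n_c = n_s, secrets.token_bytes(16)
        return self.n_c, mac(self.key, b"client", self.client_id, n_s, self.n_c)

    def check_server(self, server_proof: bytes):
        """Confirm the server also knows the key; return the session key or None."""
        expected = mac(self.key, b"server", SERVER_NAME, self.n_c, self.n_s)
        if not hmac.compare_digest(expected, server_proof):
            return None
        return mac(self.key, b"session", self.n_s, self.n_c)


def honest_run() -> bool:
    """Both sides authenticate each other and derive the same session key."""
    s, c = Server(PSK), Client(PSK, b"alice")
    n_c, proof = c.respond(s.challenge(b"alice"))
    result = s.verify(b"alice", n_c, proof)
    if result is None:
        return False
    server_proof, k_server, _ = result
    return c.check_server(server_proof) == k_server


def replay_fails() -> bool:
    """A response recorded in one session is useless against a later challenge."""
    s, c = Server(PSK), Client(PSK, b"alice")
    captured = c.respond(s.challenge(b"alice"))  # phisher records this exchange
    s.verify(b"alice", *captured)                # the genuine login completes
    s.challenge(b"alice")                        # later, the phisher tries to log in
    return s.verify(b"alice", *captured) is None  # new nonce, so the old proof fails


def live_relay_succeeds() -> bool:
    """A man-in-the-middle forwarding messages in real time still gets a session."""
    s, c = Server(PSK), Client(PSK, b"alice")
    n_s = s.challenge(b"alice")      # attacker asks the server for a challenge as alice
    n_c, proof = c.respond(n_s)      # ...and shows that challenge to the real client
    server_proof, _, token = s.verify(b"alice", n_c, proof)  # attacker forwards proof
    c.check_server(server_proof)     # client sees a valid server proof, suspects nothing
    # The attacker cannot compute the session key (that needs PSK), but it does hold
    # the bearer token the server issued, which is all a cookie-based web app checks.
    return s.whoami(token) == b"alice"
```

What closes the relay is using the derived session key, not a bearer token, to protect everything that follows the login: the attacker can forward the proof messages but cannot compute mac(PSK, ...) for itself. That still leaves the question raised in the reply above, because the client has to know which SERVER_NAME it should be expecting in the first place.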
I quite like the PetNames tool - users enter some personal text for any secure web sites they visit, and it gets prominently displayed in the main toolbar if they visit it again. Not perfect, but useful.
While you are correct to note that there are identifiable statistical differences in gene distribution among the "races" of humanity, genetic variation between any two individuals, whether of the same race or not, is far, far higher than any race-level differences.
Bottom line: genetically you are almost certainly far more different from someone of the same race as you, than your general race is from another. The few differences you can ascribe to race are mostly down to survival characteristics that worked in a particular environment, with some random cosmetic ones thrown in.
It does not list what is legal or illegal. If you do this specifically, people will find sneaky ways around it. Better to state that any action which is not *authorised* is illegal and leave the definition of authorised to the particular context. This can be interpreted by the courts, as its meaning can vary considerably in different contexts.
The founder of Demon Internet was in court recently on charges that he and his system administrator spied on other board members' emails. He tried to plead that his system administrator was *authorised* to configure the system in this way, so what he did was legal. The court disagreed - just because you have an ability to perform an action, and just because the person telling you to do it is the owner of the company, does not constitute proper authorisation.
This means we don't have to keep amending the legislation every time a new attack is uncovered. Also note that the word "computer" is never defined in the Computer Misuse Act, which was a piece of genius. We can still apply the same law to mobile phones, which weren't around when this law was being framed. A definition made at the time would almost certainly be out of date by now.
I'm currently studying this law for an MSc in Information Security. Section 17 (5) (Interpretation) of the Computer Misuse Act states:
"Access of any kind by any person to any program or data held in a computer is unauthorised if-
(a) he is not himself entitled to control access of the kind in question to the program or data; and
(b) he does not have consent to access by him of the kind in question to the program or data from any person who is so entitled."
Having said that, the definition of "unauthorised access" is pretty tricky in some cases. The recent case where someone was let off a DDoS attack on his former employer's email system was due to the judge stating that since an email system is set up to receive emails, just sending a lot of them is not unauthorised. Hence why new legislation is being proposed to cover these loopholes.
Well, it does say more than 90%. There are a lot of documents in PDF format too.
It doesn't. Open standards for data formats have nothing to do with storage media. That's a separate problem.
They will use whatever physical media is most appropriate at the time. Really, storage media is not the issue. You can just keep migrating data from one to the next with suitable error correction of course. Being able to interpret the data on it is a big deal.
Having said that, most strategies for dealing with long-term digital preservation also involve reasonably regular (e.g. every decade) migration of file formats to more current ones (except for strategies that involve emulation). Things like ODF are useful, because they are easier to migrate to and from a variety of formats. I don't think anyone in the digital preservation community really expects ODF files to be directly readable in 100 years time - but it is much easier to transform data encoded in open standards into new formats than it is to convert ones held in proprietary formats.
The death penalty still exists in English law for treason to "Compass the death of the King or Queen, or their eldest son and heir". A later reform act banning capital punishment entirely overrides this, but it is still written in the original law.
You argue your case very persuasively, but I can't agree that the proposed UK identity card scheme is only a minute change from our current forms of identification.
A goal of the UK identity card scheme is to be a gold standard for identification that other forms of identity will ultimately hang off. The joining of multiple biometrics and biographical history checking and other identity verification will make it quite hard for the normal citizen to have more than a single identity in relation to the state. This will probably stamp out some classes of obvious fraud, and push some of it elsewhere. How expensive it is for fraudulent identities to be created depends on a whole lot of things, anyone's guess really at this point.
The real problem comes when all the previously isolated government departments join up what is known about us, and an audit trail of our complete activities exists. Now all sorts of speculative, behavioural data mining can take place. I think this sort of thing has been going on in the States recently. These programs are increasing in scope, occasionally changing names, but the desire by government is there to finally know their people, in ways we might not want them to.
There may be benefits we can gain in security from this, with proper checks and balances, or there may not. But they're not just going to have it for free without some kind of debate.