If nobody wants the Knitting Channel, then KC will cut their prices to the cable company to ensure it's carried. The market would settle with reasonable fees per channel, but there is no "market". There are only battling monopolies.
Then in the middle of the night when you aren't at your PC it will disconnect and connect using the signed logitech keyboard driver and work just fine as a keyboard, and use keyboard input to run a rootkit on your PC. Then it will disconnect and connect as a printer again so that you never realize what happened.
With USB hubs, the printer could identify as a hub, and then you wouldn't need to disconnect the printer to "plug in" the Logitech keyboard.
That attack should work no more than once, once discovered. You revoke the signature for those keyboards. And get more security than doing nothing.
The thing you're missing in your replies is that these attacks have hardware-level support.
Yes, and if the person who wins the contract to deliver the computers is attacked by Al Qaeda, and they replace all the computers with identical ones, save one minor intentional "flaw", that would be undetectable under today's process.
Your argument is "because security is not 100%, there's no reason to try."
I'm saying "it's better than today" which you are leaving unargued.
That's a UBI, it's just so low that nobody talkind about UBI would consider it UBI. I understand your plan 100%. It's UBI. I could achieve the same results with UBI and taxes.
That's about 5 years after I played DOS games. The Sound Blaster was AdLib compatible, so there was no reason to ask for both. Earlier games would ask for AdLib or system sound, and later would ask for Sound Blaster (or compatible). I never had many games that asked for mouse. The early ones assumed no, the later ones assumed yes. It depended on who made the game. The ports from C64 were more joystick oriented, but DOS-aimed games would assume a mouse. Mice were common with consumer DOS computers from all years. My PC clone from '85 came with a mouse. But no HD. The joys of DOS 3.3 were trying to get the mouse (and other) drivers to load in the right order. Though, not being multitasking, you could edit the config and autoexec to load them in a static sequence. TSR drivers would need more space to load than they took when loading was complete, so you'd want to stack them to get minimal gaps. I remember having some game boot disks that left out drivers for things like sound. So the best games for sound were run without it to get the maximum memory available for it to run under.
And my days of playing with DOS games were such that by the time VGA was popular, I was running Windows. Started with Win 1.0, though X-tree was better, as Win1.0 was more a file manager than anything else, and it wasn't until Win 3.0 where you saw thing written for Windows (rather than running under DOS, under or instead of Windows. But then, all this goes back to '80-'90, so there may be significant memory errors.
Capitalism does not rely on force for production. Production happens via voluntary exchange.
If you are going to use the ideal definition, then it's between two informed people, not the uninformed people that US capitalism requires. That requirement is lost in the US and results in the US system being the theft capitalism. You didn't name it. Does it have a name? Capitalism by force is common, and deserves a separate name.
So, the tl; dr of your proposal is: "put the device driver on the USB device instead of in the OS, and put a signature of the driver on the device as well"
The driver for my USB printer is already on the USB device and already signed.
, then the tl;dr of my response is "fine, just copy the driver and the corresponding signature, that will let you authenticate an insecure device"
Sure, you can get an insecure printer running on that driver, but when it starts sending HID commands, the OS will turn it off.
If I'm misunderstanding your proposal, feel free to state it clearly so that I can answer clearly. I'm amazed by the number of people who think that public key cryptography is some kind of magical thing that lets you give somebody a physical object that is impossible to copy.
You are correct only if a signed printer driver will work with a keyboard, as its only driver. Otherwise your objection is "swap stuff, and magic happens". Encrpytion ensures that the driver authenticates (already in use). So why can't you encrypt the UID of the device as well? Sure, a well crafted attack could get you fake devices with UID/driver from a real one. But at that point, you are in the "hide an AP and USB drive inside a keyboard" level, which is 100% allowed today on any system that allows USB keyboards. Or should the government use AT keyboards only? Or is PS/2 more secure than AT? After all your PS/2 mouse could send keyboard commands, right? And with AT for keyboard and serial for mouse, you are more secure. Unless your serial mouse contains a serial modem, and serial killer.
No, I haven't given this 5 years of thought and put it to committee. It was an off-the-cuff response that eliminates 99.9% of the attacks being described. But 0.1% of the attacks could still work, so we should never attempt security is the number one response. The rest are "when I deliberately mis interpret your statements, they sound silly."
Reality proves you wrong. The HP I use has a read-only flash drive in it with the drivers for the printer on it.
Besides, your arguement is invalid anyway. "It can't be done because it is currently done differently" has been said millions of times by millions of people. Everyone one of them proved wrong by progress.
Oh, and if you are wondering, the drivers in the printer are signed.
I used the example of Ivan Denisovich. That was written father's name last, in cyrillic, when the book was published. Was that done differently because it was literature?
I though the patronymic came last. "Ivan Denisovich" would be Ivan, son of Denis. Much like when last names were introduced in England, if you didn't have a good name to pick (Smith, Brown, etc.) you'd take your dad's name (Donaldson, Anderson, etc.) In the original Russian, published in 1962, Solzhenitsyn placed the patronymic after the first name
But this is much later than Kahn, and I am not an expert on names. I just know the Russian examples from literature.
If you ever meet someone at a party that starts talking about the Free Masons, run away. They'er either not a Free Mason and a conspiracy nut... or they are a Free Mason and a conspiracy nut.
This is me, running. From some nut talking about conspiracies.
The same is true if I plug a USB flash drive and then after 10 minutes it disconnects itself, reconnects as a USB keyboard, and does the same thing.
When it connects as a USB keyvoard, it would be challenged for its driver. If it doesn't have one, it must authenticate with a null driver, properly signed, or the OS will disconnect it.
That's easy. Most OSs already handle signed drivers. It's just a change to *require* them for USB devices used by the federal government. When that happens, your problem goes away.
The problem is that the people elect based on a popularity contest, rather than evaluating the people running. It's like I'm back in the 8th grade voting dot student body president. At the time, I though it a joke popularity contest that was a warning for when we were adults voting. Now I now it was actual practice, and more like reality than anyone would like to admit.
A commercial problem is a business case problem. It's finances that prevent it from being done, not an explicit ban in the contract or the law. The cable companies expect it to be unprofitable, so they don't try. There is no contract clause or legal regulation that prevents it. Commercial: related to commerce.
Especially now, there are enough applicants to minimum wage jobs that they can afford to be picky. If there were more jobs than people, the employers wouldn't care if an employee smoked a joint once a month outside work hours.
Our kids are going to free university. Though at this rate, they'll be applying to universities in Norway, or wherever you can get free university (in English), including foreign students. But, so long as they don't screw it up, they'll be left with a good basic income. Investments are paying out $4k a month at this point, and on track to pay out $10k per month by my retirement, with retirement accounts fully-funding my retirement so I don't have to touch the long-term investments. And that's not counting government retirement (if any). My mother was a single parent. I lived on about $2 a day though the '80s. In University, I paid my way though, and graduated with no student loans, with no help from parents. Worked every summer and winter. Yes, if you are over 18 and want to be a security guard for a month, they are so desperate for warm bodies over the holiday time, you can find a job. And I lost track of the multipliers for OT on a holiday. Something like 3x, but it might have been more.$2k in a month. So long as you don't sleep or do anything else. As an 18 year old kid with no education.
If nobody wants the Knitting Channel, then KC will cut their prices to the cable company to ensure it's carried. The market would settle with reasonable fees per channel, but there is no "market". There are only battling monopolies.
Then in the middle of the night when you aren't at your PC it will disconnect and connect using the signed logitech keyboard driver and work just fine as a keyboard, and use keyboard input to run a rootkit on your PC. Then it will disconnect and connect as a printer again so that you never realize what happened.
With USB hubs, the printer could identify as a hub, and then you wouldn't need to disconnect the printer to "plug in" the Logitech keyboard.
That attack should work no more than once, once discovered. You revoke the signature for those keyboards. And get more security than doing nothing.
The thing you're missing in your replies is that these attacks have hardware-level support.
Yes, and if the person who wins the contract to deliver the computers is attacked by Al Qaeda, and they replace all the computers with identical ones, save one minor intentional "flaw", that would be undetectable under today's process.
Your argument is "because security is not 100%, there's no reason to try."
I'm saying "it's better than today" which you are leaving unargued.
That's a UBI, it's just so low that nobody talkind about UBI would consider it UBI. I understand your plan 100%. It's UBI. I could achieve the same results with UBI and taxes.
No. I've seen copiers in every library I've ever been to, but I've never seen a copyright warning around them.
Last I checked, the libraries have started carrying e-books and let you "check out" e-books, which is a copy of an entire book that's "given away".
And I've never seen a library without a copy machine. I'm sure they existed, before copy machines were created, but since the '70s, I've not seen one.
It is a fair (and arguably legal) use. It is not Fair Use (as defined under the Fair Use clauses of the Copyright Act).
That's about 5 years after I played DOS games. The Sound Blaster was AdLib compatible, so there was no reason to ask for both. Earlier games would ask for AdLib or system sound, and later would ask for Sound Blaster (or compatible). I never had many games that asked for mouse. The early ones assumed no, the later ones assumed yes. It depended on who made the game. The ports from C64 were more joystick oriented, but DOS-aimed games would assume a mouse. Mice were common with consumer DOS computers from all years. My PC clone from '85 came with a mouse. But no HD. The joys of DOS 3.3 were trying to get the mouse (and other) drivers to load in the right order. Though, not being multitasking, you could edit the config and autoexec to load them in a static sequence. TSR drivers would need more space to load than they took when loading was complete, so you'd want to stack them to get minimal gaps. I remember having some game boot disks that left out drivers for things like sound. So the best games for sound were run without it to get the maximum memory available for it to run under.
And my days of playing with DOS games were such that by the time VGA was popular, I was running Windows. Started with Win 1.0, though X-tree was better, as Win1.0 was more a file manager than anything else, and it wasn't until Win 3.0 where you saw thing written for Windows (rather than running under DOS, under or instead of Windows. But then, all this goes back to '80-'90, so there may be significant memory errors.
Capitalism does not rely on force for production. Production happens via voluntary exchange.
If you are going to use the ideal definition, then it's between two informed people, not the uninformed people that US capitalism requires. That requirement is lost in the US and results in the US system being the theft capitalism. You didn't name it. Does it have a name? Capitalism by force is common, and deserves a separate name.
So, the tl; dr of your proposal is: "put the device driver on the USB device instead of in the OS, and put a signature of the driver on the device as well"
The driver for my USB printer is already on the USB device and already signed.
, then the tl;dr of my response is "fine, just copy the driver and the corresponding signature, that will let you authenticate an insecure device"
Sure, you can get an insecure printer running on that driver, but when it starts sending HID commands, the OS will turn it off.
If I'm misunderstanding your proposal, feel free to state it clearly so that I can answer clearly. I'm amazed by the number of people who think that public key cryptography is some kind of magical thing that lets you give somebody a physical object that is impossible to copy.
You are correct only if a signed printer driver will work with a keyboard, as its only driver. Otherwise your objection is "swap stuff, and magic happens". Encrpytion ensures that the driver authenticates (already in use). So why can't you encrypt the UID of the device as well? Sure, a well crafted attack could get you fake devices with UID/driver from a real one. But at that point, you are in the "hide an AP and USB drive inside a keyboard" level, which is 100% allowed today on any system that allows USB keyboards. Or should the government use AT keyboards only? Or is PS/2 more secure than AT? After all your PS/2 mouse could send keyboard commands, right? And with AT for keyboard and serial for mouse, you are more secure. Unless your serial mouse contains a serial modem, and serial killer.
No, I haven't given this 5 years of thought and put it to committee. It was an off-the-cuff response that eliminates 99.9% of the attacks being described. But 0.1% of the attacks could still work, so we should never attempt security is the number one response. The rest are "when I deliberately mis interpret your statements, they sound silly."
USB devices don't contain drivers
Reality proves you wrong. The HP I use has a read-only flash drive in it with the drivers for the printer on it.
Besides, your arguement is invalid anyway. "It can't be done because it is currently done differently" has been said millions of times by millions of people. Everyone one of them proved wrong by progress.
Oh, and if you are wondering, the drivers in the printer are signed.
I used the example of Ivan Denisovich. That was written father's name last, in cyrillic, when the book was published. Was that done differently because it was literature?
It's more commonly called UBI (universal basic income).
I though the patronymic came last. "Ivan Denisovich" would be Ivan, son of Denis. Much like when last names were introduced in England, if you didn't have a good name to pick (Smith, Brown, etc.) you'd take your dad's name (Donaldson, Anderson, etc.) In the original Russian, published in 1962, Solzhenitsyn placed the patronymic after the first name
But this is much later than Kahn, and I am not an expert on names. I just know the Russian examples from literature.
If you ever meet someone at a party that starts talking about the Free Masons, run away. They'er either not a Free Mason and a conspiracy nut... or they are a Free Mason and a conspiracy nut.
This is me, running. From some nut talking about conspiracies.
So, is the tl;dr "if you just copy the key from one USB to another, that will let you authenticate an insecure device".
I want to make sure the question is clear when I answer. I'm amazed by the number of people who say "security is hard, it's better to not even try."
Yeah, like fascism and communism are opposites, except in practice they approach the same end result, but from different directions.
The same is true if I plug a USB flash drive and then after 10 minutes it disconnects itself, reconnects as a USB keyboard, and does the same thing.
When it connects as a USB keyvoard, it would be challenged for its driver. If it doesn't have one, it must authenticate with a null driver, properly signed, or the OS will disconnect it.
That's easy. Most OSs already handle signed drivers. It's just a change to *require* them for USB devices used by the federal government. When that happens, your problem goes away.
This is a FLAC player, not an MP3 player.
The problem is that the people elect based on a popularity contest, rather than evaluating the people running. It's like I'm back in the 8th grade voting dot student body president. At the time, I though it a joke popularity contest that was a warning for when we were adults voting. Now I now it was actual practice, and more like reality than anyone would like to admit.
So "signed drivers" don't exist?
A commercial problem is a business case problem. It's finances that prevent it from being done, not an explicit ban in the contract or the law. The cable companies expect it to be unprofitable, so they don't try. There is no contract clause or legal regulation that prevents it. Commercial: related to commerce.
Especially now, there are enough applicants to minimum wage jobs that they can afford to be picky. If there were more jobs than people, the employers wouldn't care if an employee smoked a joint once a month outside work hours.
Our kids are going to free university. Though at this rate, they'll be applying to universities in Norway, or wherever you can get free university (in English), including foreign students. But, so long as they don't screw it up, they'll be left with a good basic income. Investments are paying out $4k a month at this point, and on track to pay out $10k per month by my retirement, with retirement accounts fully-funding my retirement so I don't have to touch the long-term investments. And that's not counting government retirement (if any). My mother was a single parent. I lived on about $2 a day though the '80s. In University, I paid my way though, and graduated with no student loans, with no help from parents. Worked every summer and winter. Yes, if you are over 18 and want to be a security guard for a month, they are so desperate for warm bodies over the holiday time, you can find a job. And I lost track of the multipliers for OT on a holiday. Something like 3x, but it might have been more.$2k in a month. So long as you don't sleep or do anything else. As an 18 year old kid with no education.