If you have open bugs, then you have potential security problems. (At least with OS code) If the bugs are well understood, then fix them with low cost, and little risk. If the bugs are poorly understood, there may be buffer overflow issues and other security problems. (So fix those too)
That's what makes Computer Science different from other fields, like building houses or bridges. What we understand is easy (or provably impossible). What we don't understand is difficult.
If something is easy, I can write a script to do it for me, then I just issue one command and voilà, it's done. An engineer may know everything there is to know about building bridges, but it's still a long, hard process to get one built.
As far as the security-badge scenario; you'd have to be pretty close to the badge to get it to transmit. Like, close enough to have it in your hand.
Nope. I know many people who keep the badge in their wallet, and just bump the reader with their hip. Works fine. In the example given, the cloner did bump into the guy with the real badge.
They had this on Max Headroom (TV series). Your ID was a thing the size of a pen that you had to insert into the reader.
The real trick is getting everyone to standardize on the same device, so that you wouldn't have to carry a dozen of these things around.
The court reversed the suspension, but how did that get the student his time back? (I know that missed assignments and tests will be excused or made up)
Assessing monetary damages might make it up to the kid, but it punishes the public that pays for it, and the other kids who will get fewer services because of a fine.
The court really needs to assign mandatory 1st amendment education to the principal and teachers involved. Obviously they missed something in civics class.
So all we have to do is encrypt the pron in Rot13 (Hmm, what does a Rot13 gif look like?) or something like TES (Trivial Encryption Standard) so that the "State of the Art Filters" don't see it. Anyone in the know will have what they want. Just don't let the authorities know the key.
Joke yes, but not completely wrong. The flipside would be a government that can stop a publication, just because it *might* cause problems.
With the 1st amendment, you can publish, but then it's up to you to deal with the fallout.
The bigger problem is that the law tries to forbid the publication of documents that are stamped "Classified" even if they shouldn't have been classified in the first place, or cover up government wrongdoing.
surely the US can't talk back at people for spying on others considering recent news
But that's exactly why we don't trust companies influenced by other governments. We spy on them, so we know how they might spy on us.
But we do put bugs in computer systems that we sell to foreign governments. During the cold war the Soviets and Chinese had to beg, borrow and steal US computer equipment. You better believe that most of what they could get their hands on had spy equipment or flaws onboard. Stolen US software directly caused the largest non-nuclear explosion ever seen from space.
http://news.zdnet.co.uk/software/0,39020381,39147917,00.htm
There *are* legitimate purposes for using cracks. You may have damaged the dongle that came with software you purchased and the company that produced it can't/ won't give you a new one. The copy protections may cause great inconvenience to use, it might even break things. Many kids software products require you to put the CD into the drive to run it. It's not reasonable to expect a 4 year old to keep track of several CDs and not scratch them, so I make images on the hard drive. Most of the time this works, but when it doesn't I have to look for a crack.
Now, you can say, "Don't use the software, if it's that hard to use", but I've already paid for it, no one is going to give me a refund, and the form of copy protection isn't mentioned on the outside of the box. (Or even in most manuals)
Using the one time pad, there exists a key that will decode any message of length N to any other message of length N.
Just give them the key that decrypts it into the bible.
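The property the two comments above rely on, as an added example that is not part of the original thread: with a one-time pad, XORing the ciphertext with any decoy plaintext of the same length yields a key that "decrypts" it to the decoy. The message, decoy text and `otp`/`forge_key` helpers are constructed for this demo.

```python
"""One-time pad deniability demo (added example, not from the original thread)."""
import secrets


def otp(data: bytes, key: bytes) -> bytes:
    """XOR data with key. XOR is its own inverse, so this both encrypts and decrypts."""
    if len(key) < len(data):
        raise ValueError("a one-time pad key must be at least as long as the message")
    return bytes(a ^ b for a, b in zip(data, key))


def forge_key(ciphertext: bytes, decoy: bytes) -> bytes:
    """Return the key under which `ciphertext` decrypts to `decoy`.

    Because c = m XOR k, we have c XOR m' = k' for any m' of the same length,
    and k' is as uniformly random-looking as the genuine key.
    """
    if len(decoy) != len(ciphertext):
        raise ValueError("decoy must have exactly the ciphertext's length")
    return otp(ciphertext, decoy)


def fit_to(text: bytes, n: int) -> bytes:
    """Truncate or space-pad a decoy so it is exactly n bytes long."""
    return text[:n].ljust(n, b" ")


def demo() -> dict:
    """Encrypt a constructed message, then forge a key that yields a decoy."""
    real = b"meet at the old mill at midnight"          # constructed sample
    key = secrets.token_bytes(len(real))                 # genuine pad
    ciphertext = otp(real, key)

    decoy = fit_to(b"In the beginning God created the heaven and the earth.",
                   len(real))                            # constructed decoy
    fake_key = forge_key(ciphertext, decoy)

    return {
        "with_real_key": otp(ciphertext, key),           # == real
        "with_fake_key": otp(ciphertext, fake_key),      # == decoy
        "same_length_keys": len(key) == len(fake_key),   # True
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

This freedom exists only because the pad is as long as the message; a cipher with a short key fixes the plaintext once the key is known, so no such decoy key can be produced in general.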
Uhm, lawsuit? Sony illegally installed software on her machine, and she lost a client? Surely, she can find a lawyer to take this on contingency. (or, if you want to get back with her, find one for her)
Exactly. Most of these leaks may be nothing more than the current administration trying to scare its opponents. "We can listen in on your phone conversations. We know who you are talking to..."
Sure they can. Certainly they can get *some* information, but these leaks could be designed to scare people into thinking that They Know Everything.
When really important secret stuff gets into the newspapers, the very last thing a competent spy agency does is to scream and shout and wave it about. Doing so only confirms the leaked information. It's better to do silent damage control and plant counter misinformation.
The easiest way to get the hardware going automagically would be to write a driver driver. If there was a way to use binary windows drivers under Linux, all this would be solved.
Of course, Microsoft designs its OS so that this is difficult or impossible. I.e. if the driver were a concrete, stand-alone API where the OS calls it and expects results back, writing a driver driver wouldn't be too much of a problem. (And drivers would be more reliable and portable) But, if the OS allows the driver to make OS calls to make its life easier, the driver becomes wedded to that OS. You'd have to emulate the entire OS just in case your base driver needed it.
I submitted this story http://www.nytimes.com/2006/05/12/science/12dna.html?_r=1&oref=slogin last week. rejected (:-( Basically, if he submits his DNA, they will be able to track his (future) children, as well as any siblings and possibly cousins that he may have. (As well as his parents)
Which leads to a possible out for him. His parents should claim trade secret on their DNA, and thus his. You could argue that his parents' rights to privacy are being trampled, because they committed no crime, but share DNA with him.
Holy "Demolition Man" Batman!!!, in the future, the government needing the services of a 1337 hacker, could recreate Adrian from his DNA. Of course, when they were done with him, they'd destroy his body until it was needed again.
Tell that to the screenwriters guild. When they struck, television shows didn't get written. While there were some scabs, no one seriously thought about sending all the writing jobs to India.
Tell that to Harlan Ellison, former president of the Screenwriters Guild. Or the actors union. Or the directors union.
There are Unions of creative people. Usually they're called guilds, or associations. The AMA is a union.
Unions are like every organization. Corporations, Governments, even websites go bad when they get too big. I'll bet some Malthusian theory could explain it.
Ahh, you youngsters. In my day, when I wanted to build my own computer, I had to get individual ICs, resistors, diodes, capacitors, etc... You have it too easy, just slap a preassembled motherboard in a premade case and poof, a computer.
Ok, ok, my first computer was actually a Heathkit, all the parts came in bags, and there were detailed instructions and troubleshooting guides. But I know a guy who put together his own Z80 based computer just by reading the spec sheets.
Most places don't have forensic investigators. I was just reading about how many juries are throwing cases because the police didn't use all the latest stuff as seen on CSI and Law & Order. The prosecutor in the interview seemed to think this was a bad thing. If I were on a jury, I'd want as much information as possible.
Many people are convicted on eyewitness testimony alone. If that eyewitness is a cop, well... Most small towns in America might as well have the judge, jury and executioner be the same person, because they think alike anyway.
Cut the wire connected to it. Put the plug back in. You now have near perfect communications security.
Not even close. Given the resources, I could break into such a system from some distance away.
You forgot to put the computer in a Faraday cage, with armed Marine guards outside. Make sure the Faraday cage is in a room near the center of a large, secure building. Encrypt all communications with one time pad onto physical media, and make sure the other end of the communications channel is just as secure. Yes, security is possible, just very, very inconvenient.
Unfortunately, a hero isn't a guy who designs a building so it doesn't catch fire, a hero is the fireman who goes into the burning building to save the dozen infants in the nursery.
This will never change, because the burning building is a rarity, and there are laws to keep you from having 12 unsupervised infants in the same room, thus when it happens, it's news. The millions of buildings that don't burn down aren't news.
If you want real change in the industry, do like the Japanese, and make the CIO get a big reward every year there isn't a breakin, and if there is, the CIO should be forced to commit seppuku. http://www.win.net/ratsnest/archive-articles21/fog0000000384.html
Now, *that* would improve information security.
the computer industry to a very great extent does not know HOW to build a secure system
Well, I know how to build a secure system. For a bunch of money, I'll tell you. We've known for years how to do security right, but when it is done right, it's a hassle, and not perceived as being worth it.
Gack... That's because those worms were simply malicious. The newer cybercriminal is getting paid for his work, so he's more likely to lie low. Once he's compromised a machine, he doesn't want to get caught by interfering with the owner. Formatting the hard drive, or deleting files is sure to get you noticed. Most of the time these days, users don't know anything is wrong until they have multiple bots on their machine whose combined impact makes their machine impossibly slow.
Sure you can. I have locks on my doors and trained dogs. If a criminal were to select my house, these simple technologies will send him to a softer target most of the time.
Now if you are talking about the existence of crime itself as the "cultural problem", then I'm more likely to agree with you, but psychology is making leaps and bounds in determining why people commit crimes. Think "Gattaca" or "Minority Report" and others where technology solved problem X, and created a much bigger problem Y.
In conclusion, yes sir, technology can solve all your problems, but then it's up to you to deal with the Giant Killer Robots(tm). (Which in my opinion, are long overdue (:-)
What many computer professionals don't realize is that a certain amount of loss due to crime is inevitable at any medium to large business. Stores like Walmart and Target have huge "shrinkage" problems, many times due to the employees themselves. Banks are constantly the victim of their own people all the way up to the VP level. Because of this, businesses are forced to make the calculation about how much security will save, vs. how much will be lost due to crime. If you want Military level security, you can buy it, but even the Military has had to deal with stolen information.
The trick is getting a better crystal ball and figuring out how much a breakin will cost. Since the IT people often can't properly predetermine the cost of normal projects, predicting the cost of a hypothetical crime will be less accurate than predicting the weather. Perhaps institutes like SANS could put dollar number formulas on each threat type. Even though the formulas would require too many assumptions to be accurate to us, management types could plug in what they think and have the OMG moment w.r.t. security or lack thereof.
Better systems, like newer cellphones, modulate their power so that they only use as much as needed to get a good data rate. Thus, if your neighbor is using this, and you are using it, the systems shouldn't interfere, because both will use minimal power.
However, if your neighbor's neighbor is stealing bandwidth from him, the signal spillover might affect you. (:-(