Slashdot Mirror


User: Shakrai

Shakrai's activity in the archive.

Stories
0
Comments
12,853
First seen
Last seen
Profile
(view on slashdot.org)

Comments · 12,853

  1. Re:Encryption... on AT&T's Plan to Play Internet Cop · · Score: 1

    Yep, you're right. I missed a step... The public key (certificate) is *signed* by a CA. That's the purpose of Verisign/Thawte/etc. Signing is another public key process, only its used to verify that the public key delivered by Party A and B are registered with Verisign.

    Yes, but unless we have a trusted CA for individual p2p users, you can't use public-key cryptography on a p2p network.

    If I want to communicate with you then we can find a secure method of exchanging keys and/or agree to trust a specific CA. Now try and scale that up to the hundreds or thousands of connections that you will make during a typical p2p session all of them with people that you've never met before.

    I'm sure there are ways around this and this won't be the death blow of piracy by any means, but it will largely destroy p2p as it exists now. And that's probably the whole point. Piracy has been around since the days of the BBS, but it's never been so easily accessible before. If they can drive it back into the minority and make it harder to do then they've probably accomplished what they set out to do.

  2. Re:Encryption... on AT&T's Plan to Play Internet Cop · · Score: 1

    OOB communications would be a thumb drive, shipping a configured router, telling you the shared key over the phone (not AT&T phone), or a properly encrypted e-mail.

    And therein you have completely missed the point.

    If you and I wish to communicate without AT&T eavesdropping on us, we can find a secure way to exchange our keys. I've never disputed that. How exactly do you purpose to securely exchange keys with the hundreds of peers that you will communicate with during the typical p2p session?

  3. Re:Encryption... on AT&T's Plan to Play Internet Cop · · Score: 1

    'm sure it will take all of about a month for Azureus or whoever to write a modification to the BitTorrent concept, allowing for VPN style connections between peers

    You missed the point of my posts. That VPN is a moot point if you don't have a way to verify the key that you are using to encrypt the data. What stops AT&T from conducting man in the middle attacks against your encrypted bittorrent sessions?

  4. Re:Encryption... on AT&T's Plan to Play Internet Cop · · Score: 2, Informative

    This was written, and then modded "insightful" by somebody who does not understand how encryption.

    I know that ssh takes steps to store the public keys and warn you if they've changed. Why would it bother doing that if man-in-the-middle attacks aren't possible?

    Party A contacts party B, and gives out its public key. This can be completely, 100% "in the clear". Party B replies with its public key. Party A uses party B's public key to encrypt a random number, and sends it to Party B. Party B decrypts this random value, and re-encrypts this random value with Party A's public key, sending it on to Party A.

    My understanding is as follows:

    Party A contacts Party B and sends it's public key. Party E (evil guy) intercepts this public key and replaces it with his own. Party B replies with his public key, which is also intercepted and replaced. Party A and B are now "encrypting" the traffic with the public key provided by Party E, whom decrypts it, and re-encrypts it with the original public keys provided by A and B prior to forwarding that traffic on to them. Party E now has access to the complete conversation between A and B whom are none the wiser, unless they have an outside method of verifying the keys they received.

    I fail to see how an exchange of a random number stops this, when Party A never actually received Party B's key to begin with, because said key was replaced by Party E.

  5. Re:Encryption... on AT&T's Plan to Play Internet Cop · · Score: 1

    Wow... Just wow... http://en.wikipedia.org/wiki/Out-of-band

    Mind pointing out which section of that answers my question, because I don't see it? If you are transferring the keys across the internet then they are vulnerable to being intercepted and replaced with a different key. I fail to see how you stop this without a trusted source that can sign (or otherwise vouch for) the encryption keys used for that session.

  6. Re:Mod Parent Up on AT&T's Plan to Play Internet Cop · · Score: 1

    Eh, you'd have to do it like any other certificate registry and you'd have to trust the registry itself. This is no different from how it works today -- there just isn't an (affordable) system in place to do it on an individual level yet. The current system also works on a protocol level -- I'm thinking of a transparent end-to-end system at Level 3. I think this was actually one of the original goals behind IPSec, but it never took off for whatever reason.

  7. Re:Encryption... on AT&T's Plan to Play Internet Cop · · Score: 1

    and key are exchanged out of band

    Unless "out of band" means exchanged through some other path then AT&T then I fail to see how that helps us.

    I'm not denying that there are ways to securely exchange encryption keys with someone -- but you can't exchange them over an untrusted network without some sort of way to verify it. This won't stop piracy (I'm sure the warez groups can securely exchange keys) but it will render p2p as we know next to useless.

    Your typical bittorrent client will establish connections with dozens or hundreds of peers. How do you purpose to securely exchange encryption keys with all of them?

  8. Re:Encryption... on AT&T's Plan to Play Internet Cop · · Score: 1

    I don't have that much faith in AT&T following the law. Even if there isn't an escape clause, they'll lobby to have one put in the minute somebody tries to apply the DMCA against them. Hell, this is the company that's trying to get retroactive immunity for breaking the law.

    Somebody needs to establish a central certificate registry for individuals. Then build something at the network layer (easy as cake in Linux, probably doable in Windows as well) that checks that registry before communicating with a host on the internet. If they have a certificate all traffic is encrypted (be it dns requests, irc, p2p, or what have you). I could see some problems implementing this (non fixed ip addresses for starters) but we should be able to overcome them.

  9. Re:Encryption... on AT&T's Plan to Play Internet Cop · · Score: 2, Interesting

    Impossible to tell from the traffic itself.

    Don't most (all?) VPN systems rely on public-key cryptography and thus vulnerable to man in the middle attacks? It might not be possible to do a MITM attack against your VPN to work (presumably you have some system in place to verify the encryption keys) but how are you going to prevent it on a p2p network when you have no way to verify the keys of the hosts you are communicating with? A piratebay-type certificate registry hosted in a country that isn't friendly to copyright law? What happens when they block access to it?

  10. Re:Encryption... on AT&T's Plan to Play Internet Cop · · Score: 1, Insightful

    but with encryption technology more accessible than ever I think that the whole effort will be a waste of resources

    Sure about that? What's to stop them from using man in the middle attacks to decrypt the communications? Are we going to have a certificate registry for pirated material? Not very likely.

  11. Re:A new approach to limiting usage is needed on Time Warner Cable to Test Tiered Bandwidth Caps · · Score: 2, Interesting

    Unless my home is considered a curb, FIOS is true fiber to the home.

    More to the point, who gives a shit? If they can provide me the speed that I need I don't really care if it comes into my house on fiber, coax, twisted-pair or tin cans with string.

  12. Re:Wait a second on Microsoft to Spy on Employees · · Score: 1

    Why are so many managers like that?

    The only time I've ever had a manager like that I did my very best to become Wally. It's actually kind of sad how long you can remain employed whilst doing absolutely nothing productive.

  13. Re:Wait a second on Microsoft to Spy on Employees · · Score: 1

    If the employer wants to place conditions of employment that an employee CAN meet, to increase productivity

    Don't tell me that you are justifying workplace drug testing on the basis of "productivity".

  14. Re:Wait a second on Microsoft to Spy on Employees · · Score: 1

    Actually, that's more indicative of someone who could be "bought off" easily. Do you want someone working for you that might be bribed to do something (e.g. corporate espionage, etc.) because they have a lot of debt and need the money? I think not.

    That's flawed reasoning. Your credit report is not a complete picture of your finances. Somebody could have an extremely high debt ratio and a shitty credit score but still have the means to repay that debt. Likewise, somebody could have a perfectly good credit report/high score and still be in deep financial problems.

    Beyond that, did you know that 50-70% of credit reports (depending on the study) contain errors? Yeah, that's the document I want used to determinate whether or not I can get a job.

  15. Re:Wait a second on Microsoft to Spy on Employees · · Score: 2, Insightful

    Actualy some companies do install devices that record speed/etc on work cars

    All the power to them. But they don't have the right to install such a device on my car. That's the argument I was making. The people that claim "drugs are illegal" as justification for workplace drug testing should consider that speeding is also illegal (hell, in my state a speeding ticket will probably cost you more then a pot possession charge) and if you can justify drug testing then why not installing GPS into employees personal vehicles?

    i would quit such a job right away and find a sane place to work at

    And if the economy is in the dumps and you can't? That's why I don't buy into "go work somewhere else" as a response. It's just not fair to go after someones livelihood to accomplish what the Government couldn't otherwise do.

  16. Re:Wait a second on Microsoft to Spy on Employees · · Score: 1

    Urine and credit score can be argued to be relevant to employment

    ANYTHING can be argued to be relevant, that doesn't make it right or just.

    Drug testing is a load of shit. I might buy into under limited situations (such as after an accident involving a commercial vehicle) but random testing? And the tests don't even prove that you are intoxicated -- all they prove is that you've used drugs within the last few days or weeks. I don't even buy the "well it's illegal to use drugs" argument, because it's also illegal to speed and download copyrighted material off the internet, but I don't see employers installing GPS units into my car and wireshark on my gateway.

    And credit scoring? How the hell is that relevant? How is my payment history on my Visa card the business of my employer unless said employer is lending me money?

  17. Re:Wait a second on Microsoft to Spy on Employees · · Score: 5, Insightful

    And what's wrong with this?

    Because they threaten you into compliance by threatening your livelihood and not everybody has the option of switching jobs?

    Hell, short of threats of physical violence, I'm hard pressed to think of a nastier thing to do to someone then threaten their livelihood.

  18. Re:Wait a second on Microsoft to Spy on Employees · · Score: 2, Insightful

    The idea of monitoring user frustration via keystrokes and responding accordingly, BTW, has been discussed here for years, and it's a great idea if it could be made to work correctly.

    Yes, because the random drug testing, use of credit reports, and monitoring of activities outside of the workplace isn't enough. My boss should get an automated message if some line of code deems that I'm "frustrated" because my keystroke pattern changes.

  19. Re:Sun? on Sun Buys MySQL · · Score: 2, Interesting

    MySQL performs small tasks very quickly, but doesn't scale that well to large tasks

    Doesn't Slashdot use MySQL on the backend? Doesn't Google use it for some stuff?

    Might it have been more fair to say "PostgreSQL scales better then MySQL" then "MySQL doesn't scale well"?

  20. Re:I wonder on Sun Buys MySQL · · Score: 5, Funny

    I like Notepad with a fixed font.

    Notepad is a great storage system. In fact, I have at least ten "New Text Document.txt", "New Text Document (2).txt" files on my desktop right now. One of them has my address book in it.... let's see... is it (6)? Nope, that's my checking account register. Hmm.... could've sworn that was my address book.... shit, I'm overdrawn by $50!

    (Laugh, it's not that far from the truth.... got a similar situation with text files in my ~ on my Linux box.... who needs meaningful filenames and directories when you have grep?)

  21. Re:Wait a second on Microsoft to Spy on Employees · · Score: 5, Informative

    Everyone instead leaps to, "my manager is going to be putting my heartrate on my review!"

    Maybe you should RTFA? They aren't aiming this at sports figures and deep sea divers. To quote:

    Technology allowing constant monitoring of workers was previously limited to pilots, firefighters and Nasa astronauts. This is believed to be the first time a company has proposed developing such software for mainstream workplaces.

    Another interesting quote:

    The system could also "automatically detect frustration or stress in the user" and "offer and provide assistance accordingly".

    Great! I can just see it now. Clippy pops up on my screen: "It looks like you are extremely frustrated with your current job? Would you like my assistance in composing your resume?"

  22. Re:Wait a second on Microsoft to Spy on Employees · · Score: 5, Insightful

    But I like to believe that we might yet hold on to some Constitutional rights that would really put a damper on this thing.

    Don't get your hopes up. They'll use the same argument they used for workplace drug testing, i.e: If you don't like it, go work somewhere else.

    If they can demand my urine and credit score, why not my heart rate?

  23. Re:Really? on US Policy Would Allow Government Access to Any Email · · Score: 1

    So you're saying that no one else was actually spying in the US?

    What I'm saying is that the FBI has decades of institutional experience in counterintelligence operations and relying on your ability to detect their surveillance is naive at best. They've successfully made cases against some of the brightest people in the World, many of whom had a lot more training in detecting/avoiding surveillance then anybody in this discussion.

    Going back to the original question that prompted this discussion: Am I more protected by keeping my data in-house? My answer to that would be no. Sneak and peek warrants allow them to enter your home without your knowledge. Even encrypting your files isn't a surefire solution because it's trivial for them to install keyloggers (software or hardware based) that would capture the decryption key. Hell, it doesn't even need to interface with your computer -- a fiber optic camera in the right location with a good view of the keyboard would probably also work.

    I suppose the point I'm trying to make is that I'd never bet against the intelligence of the Feds. They have bright people working for them and nearly limitless resources. I don't have any major skeletons in my closet but if I did I would not be keeping them around on my hard drive and banking on my ability to detect someone having been in my home.

  24. Re:Really? on US Policy Would Allow Government Access to Any Email · · Score: 1

    You give them too much credit. At the end of the day, they are people, and tend not to think outside the box at all.

    I bet that's what all of these guys thought too.

    If you have something to hide from the Feds and you are placing your faith in a hair on a door-jam, then I hope you like wearing orange.....

  25. Re:UKUSA Community on 'War on Terror' Allies Form Information Consortium · · Score: 2, Informative

    Otherwise known as the Anglo Saxon alliance, South Africa got kicked out for some reason.

    There is no "Anglo Saxon alliance". The Anglosphere is made up of English speaking countries that share a common culture and history. South Africa is definately considered to be part of the Anglosphere.

    There are many overlapping alliances and agreements between members of the Anglosphere (the "special relationship" between the US/UK, the Anzus treaty, the US/Canadian Joint Board of Defense, NORAD, etc, etc) but there is no one "Anglo-Saxon alliance" as far as I'm aware and the members of the Anglosphere have their share of disputes (trade disputes between the US and Canada, New Zealand banning nuclear vessels from their ports, US treaty obligations to Latin-America that conflict with the goals of other Anglosphere nations, etc, etc).