Slashdot Mirror


User: TerranFury

TerranFury's activity in the archive.

Stories: 0
Comments: 1,125

Comments · 1,125

  1. Re:DON'T PANIC! on Mozilla's VP of Engineering On H.264 · · Score: 1

    If they're using gstreamer on Linux, then I guess they'll implement a DirectShow backend on Windows?

  2. Re:Hacking and censorship are one and the same on China Slams Clinton's Call For Internet Freedom · · Score: 1

    I was under the impression that much of the espionage is actually conducted against engineering (especially defense) firms, who are not distributors of anti-Party opinion but rather developers of technology that the CCP & friends want.

    Of course, to be honest now I'm just repeating shit I've read in the media, and god knows how much any of that can be trusted.

  3. Re:I'll be the first to say... on 75% of Linux Code Now Written By Paid Developers · · Score: 1

    If you want faster flash right now then the buck stops right where you say it stops. Buy a faster computer.

    Or install Windows...

  4. Re:So much for "free software", eh? on 75% of Linux Code Now Written By Paid Developers · · Score: 1

    I'm not going to get them to shell out for a copy of windows when I can get them up and running in an afternoon, free and legally with Linux.

    Yep. That's a big advantage to Linux, and my chief reason for using it when I do. But since I have access to free Windows licenses through a .edu, I really don't have any reason to use Linux when a Windows desktop works better.

    If all you need to do is give your proverbial grandma a web browser, Linux is perfectly sufficient, so you might as well use it; it's free.

  5. Re:So much for "free software", eh? on 75% of Linux Code Now Written By Paid Developers · · Score: 1

    Windows malware is so successful because Windows is DESIGNED with DRM and concealment in mind to prevent you copying it to other computers, to prevent you duplicating the apps that you've bought

    I'm sorry; that makes no sense.

    I hate WM DRM as much as the next guy. And arguably, in Vista, Microsoft redesigned the audio and video subsystems with DRM in mind. But what has that got to do with malware?

    Most malware seems to come in the form of either (1) browser toolbars (which certainly exist for Firefox as well), or (2) services that start at boot (which is hardly a Windows-specific concept). Linux has some advantages in malware-resistance -- limited-privilege user accounts in particular -- but honestly they seem pretty minor; malware is still just a sudo/UAC-dialog away from doing whatever it wants in either the Linux or Windows case.

    In the end, I say it's the responsibility of the OS to provide (1) secure network services, and (2) unambiguous GUIs; after that, malware are no longer exploiting vulnerabilities in the OS but in the people using it.

  6. Re:So much for "free software", eh? on 75% of Linux Code Now Written By Paid Developers · · Score: 1

    To me, in terms of speed, Windows XP feels roughly on par with XFCE desktops. And much faster than GNOME or KDE 3.5, which are closer to Vista. (I don't mention KDE4 because, despite the fact that the major distros have jumped on it, it isn't really ready; 3.5 is the one that works as of January 2010.)

  7. Re:So much for "free software", eh? on 75% of Linux Code Now Written By Paid Developers · · Score: 1

    Indeed!

    With few exceptions, all free software of any value has a Windows version. Firefox. Thunderbird. Pidgin. Mplayer. VLC. Wireshark. OpenOffice. The list goes on. Frankly, there's nothing you can do with F/OSS software on Linux that you can't do just as well on Windows.

    I just rejuvenated a laptop that had been chugging along with Kubuntu by installing XP on it; the thing is much faster now, still runs all the software I liked from Kubuntu (except Kile, but I discovered that TexmakerX, which does have a Windows version, is just as good), and does a number of important things much better now:

    • Wifi is much more reliable now. I can connect to "complicated" wireless networks with multiple APs, and speeds are good. On linux, with bfwcutter, only "simple" home-style single-AP networks worked, and even these were unreliable.
    • Flash video works. On 'nix, Youtube videos would play at one-frame-per-ten-seconds in fullscreen, even at low resolutions. Now I can play them fullscreen at 1920x1200 resolution.
    • Hibernate and suspend work now!
    • I can keep the Linux command-line tools I like using Cygwin.

    Everything is better now. I wish I'd done this earlier, instead of wasting my time with Kubuntu these last two years.

  8. Re:Color me skeptical on China Slams Clinton's Call For Internet Freedom · · Score: 1

    Actually, I'd agree with one of the things China says here...

    When I read the quote,

    stop using the issue of so-called Internet freedom to unreasonably criticize China.' China's laws forbid hacking attacks and violations of citizens' privacy, the statement said

    I translate as, "Stop talking about censorship; this is really about hacking, and that's illegal here."

    Up until the "...and that's illegal here" bit, I think they have a point.

    China hacked Google computers; they're apparently involved in widespread government-sanctioned industrial espionage --- and somehow the dialogue has shifted to be about censorship? They're different issues.

    If anything, I think that the hacking incidents are indisputably worse -- you can argue about what governments can or should do to control the spread of information inside a country, but you can't argue that the hacking is ok -- so it strikes me as strange that the Americans would want to change the subject. If they'd stuck to the hacking they'd have a stronger argument.

    Not that I support the censorship either; it'd be nice if Chinese people could access, say, Wikipedia. But this really is a separate issue.

  9. Re:Permanent damage at 100 meters too... on Sound Generator Lethal From 10 Meters · · Score: 1

    Why is a wave of pressurized air not considered sound?

    I guess it's considered sound if it rattles the insides of your ear relative to the rest of your head. And I guess that a sufficiently slow change in pressure doesn't do this. An extreme example would be deep-sea diving in an old-style bathysphere: There's a lot of energy in the pressure differential between the air inside and the atmosphere at the surface, and the air inside had to reach that pressure over time, but it happened so slowly that we'd never call it "sound;" the vibrating bits of your ear never moved relative to your head.

    That's my understanding, at least. Precisely where the line is drawn I don't know. Human hearing extends down to about 20 Hz, but whether frequencies below this can damage hearing I don't know. (Plus the whole notion of "frequency" is a bit messed up; it requires infinite time, etc...)

  10. Re:Permanent damage at 100 meters too... on Sound Generator Lethal From 10 Meters · · Score: 1

    ...and it will still be healthier than Nair.

    (I'd heard a story about a lawsuit against the makers filed by a man who used the stuff below the belt and ended up with a hole in his scrotum; this got infected and he ended up needing to be castrated. Unfortunately I can't find a source now...)

  11. Re:Permanent damage at 100 meters too... on Sound Generator Lethal From 10 Meters · · Score: 2, Interesting

    Yes and no -- and no in this case -- as far as I understand. (I'd appreciate clarification/correction/confirmation from others on the points I make below.)

    In most contexts -- and I assume sound falls into this category -- the energy of a signal is its squared L2 norm. (This is certainly true for the power dissipated in a resistive load by a voltage or current signal.) Anyway, the L2 norm is invariant under the Fourier transform. And you'll notice that a Dirac delta has the same L2 norm whether it's at 2 Hz or 2000 Hz.

    Yet in quantum mechanics, we have such expressions as "E = h f." This is because the kinetic energy operator involves a derivative of the wave function; from a signal-processing point of view the derivative is a linear filter whose gain is linearly proportional to frequency. This explains the superficial "disconnect" between "energy is independent of frequency" and "E = h f."

    So my question for others is: What's the energy operator for a pressure wave?

  12. Permanent damage at 100 meters too... on Sound Generator Lethal From 10 Meters · · Score: 4, Informative

    Just firing a handgun without hearing protection is enough to rip out the hair cells in your ears (which don't grow back) and cause permanent hearing loss. I'm pretty sure that if this thing is capable of "stunning" people it's doing lasting damage to your auditory system. That damage may be small, but it remains that the ringing you hear in your ears afterward is still a set of frequencies you'll never hear again.

  13. Re:Signed certificates on What's Holding Back Encryption? · · Score: 1

    You do not seem to understand what a man-in-the-middle attack is.

    It's weird; I've known forever what MITM attacks were but hadn't gotten how you'd pull one off here; I'd somehow come to the conclusion that the proxy wouldn't be able to authenticate to the remote server (though that's nonsense). The discussions prompted by this article have been helpful to me in clarifying things.

  14. Re:People don't see the value on What's Holding Back Encryption? · · Score: 1

    Oh! Yes! The passwords are either going to be just POSTed or submitted with HTTP BASIC authentication -- plaintext to the proxy either way; the password is not involved in setting up the SSL/TLS connection to begin with. Gotcha. Thanks for the clarification.

  15. Re:Linking to SEOs encourages scum on Microsoft Bots Effectively DDoSing Perl CPAN Testers · · Score: 1

    Good points. I hadn't noticed my sources. Anyway, my purpose had only been to figure out how the various robots.txt and HTML META directives are interpreted to respond to great-great grandparent.

  16. Re:encryption alone on What's Holding Back Encryption? · · Score: 1

    Thank you. I have seen scponly though. What I dislike about it is summarized by this quote from its installation page:

    installing scponly with chroot could incur some pretty hairy troubleshooting. The binaries and libraries must be set up properly in the chroot subdirectories properly.

    -- from here

    It seems to me (though I wouldn't mind if I were wrong) that this is essentially just a way to do #2 in my list (prev. post) for versions of sshd that do not support restricting the commands that users can execute, or built-in chrooting. So, haven't new versions of sshd made scponly unnecessary?

    FYI, #1 in my list was referring to this approach (found URL since last post). This does not actually use a chroot; it just makes sshd-server behave as though it were in one by modifying the way it handles file paths. I don't know how it plays with symlinks.

  17. Re:More direct costs. on What's Holding Back Encryption? · · Score: 1

    True, but in most cases, my first SSH connection to a machine is over a trusted medium, like a crossover cable or at least a local network. I then have it in known_hosts.

    That's more-or-less the assumption that I'm making about TLS certs. Or at the very least, if it keeps changing you know retrospectively that you need to change your password.

  18. Re:encryption alone on What's Holding Back Encryption? · · Score: 2, Insightful

    blocks on ssh and sftp because reverse sessions were deemed a threat for corporate data espionage

    Part of this is the fault of the OpenSSH distribution of sftp. It is too tightly coupled to ssh for many uses. If we want sftp to replace ftp (and there are many good reasons why we'd want this, NAT being high on the list), we need to make it easy for people to configure sftp servers that do nothing but serve "chrooted" sftp. The fact that serving files and getting a login are just the tiniest misconfiguration apart is a big problem.

    As it is, there are three options that I am aware of:

    1. Modify sftp-server to behave as though chrooted (without ever actually running chroot), and disable the client from executing anything but sftp-server in sshd.conf
    2. Build a chroot jail, and do similar sshd configuration to #1
    3. Use a different SFTP server, e.g. CoreFTP on Windows.

    Of these, #2 especially is a very crappy solution; #3 is the easiest, but AFAIK Windows-only. Option 1 is my personal favorite on Linux, but has the disadvantages that (1) you need to maintain your own sftp-server, and (2) if sftp-server is exploitable, then you have a problem since IIRC it runs suid root. There should be a simpler, secure way to set this up out-of-the-box. If such a thing existed, and were standard and Open Source, we'd see SFTP used a lot more.

    (A lack of clients is also a problem, particularly on Windows, but ExpanDrive ($$$) is pretty good. The Open-Source "Dokan" is ok too, but transfers are slow. The best thing would be for ExpanDrive to get all the kinks worked out and to then be bought out by Microsoft and incorporated into Windows by default.)

    I could make a similar argument about WebDAV, actually. It would be deployed more if it weren't such a pain to set up. In principle there's nothing stopping someone from making a nice self-contained WebDAV fileserver. But AFAIK such a thing doesn't exist.

  19. Re:People don't see the value on What's Holding Back Encryption? · · Score: 1

    He redirects all HTTP through his proxy and will do a MITM attack on anything that uses a self-signed certificate.

    How would that work? The bad guy's server wouldn't be able to log into the remote server (since plaintext passwords never get sent across the network with SSL), and the user would immediately notice something is amiss, no? Isn't "oh, I can see all the corporate documents" proof enough that he's talking to the server he thinks he's talking to?

    (Ok, I understand that I'm possibly overstating the intelligence and/or necessary-paranoia of typical users here; in a corporate setting where you're responsible for other people's behavior, you'd need to run a CA and distribute certs in OS images, etc.... But in principle, with observant users, this attack shouldn't work, right?)

  20. Re:Signed certificates on What's Holding Back Encryption? · · Score: 1

    For example, email and FTP and other clients where the connection is almost certainly set up manually and repeatedly used (vs. web browsing where people may never return) should be fine with unsigned encryption.

    Indeed. What's more, I'd argue that the content of these sites is usually sufficient proof that they are who they purport to be. Say I SSH into my home media server. I believe that I'm talking to the machine I think I am if-and-only-if it has the 2 TB of media I expect it to have. That -- especially if public keys are stored by clients, a la SSH -- is all the authentication most users need.

  21. Re:More direct costs. on What's Holding Back Encryption? · · Score: 1

    a self-signed certificate is barely better than raw http.

    I wouldn't go that far. It guarantees that nobody can eavesdrop on the conversation you're having. You just might not be talking to the person you think you're talking to. That said, once you've stored the cert, it does guarantee that you're talking to the same person you talked to last time.

    For file servers, I think this is fine most of the time.

    I mean, compare this to SSH. How do you know you're talking to the server you think you're talking to? ~/.ssh/known_hosts . Which behaves exactly as the above.

  22. Re:Robots.txt on Microsoft Bots Effectively DDoSing Perl CPAN Testers · · Score: 1

    I just learned something...

    There are ways to achieve each of the various things you mention. See this, this, and this.

  23. Re:Robots.txt on Microsoft Bots Effectively DDoSing Perl CPAN Testers · · Score: 1

    AFAIK you're not supposed to visit URLs that robots.txt tells you not to. The issue is more to do with load on the servers, side-effects from cgi programs, and the like (for instance, you don't want web robots clicking your "one-click ordering" button*) than it is to do with public visibility of the content: If you want to hide something, you don't put it up on a public webserver to begin with.

    As usual, Wikipedia has more to say.

    * ok, bad example; no purchase system actually works like this... but you get the idea.

  24. Re:Sounds to me like handbrake wants to be for war on HandBrake Abandons DivX As an Output Format · · Score: 1

    Indeed, AFAIK most release groups distribute a multipart RAR file containing an AVI with the audio/video and a separate .srt file containing the subtitles track. After you extract it, a slightly snarky way to explain things would be to say that "the file directory is the container format."

  25. Re:Uh, DivX is switching to MKV on HandBrake Abandons DivX As an Output Format · · Score: 1

    Yes! Finally someone pointed this out! We're talking about apples and oranges here...