Oh, ideology affects cage monkeys. The use of open source versus closed source, burchasing enough licenses for the software you use, and making '99.999%' uptime actually mean that instead of simply hiding downtime, and forcing people to spend more time documenting how much time they spent on a task than actually doing the task are all policies I've seen affect server work. Those may not be idologies per se, but they certainly arise from philosophies about how things should be done.
Telephone systems have been possible carriers for far longer than digital telephony has been around. While analog phones do not operate well below 100 cycles, they carried enough information to incorporate inaudible data at well below 20 cycles and imperciptible to your casual listener. The quality isn't good, but it doesn't have to be to bury a trigger message.
Microsoft doesn't necessarily want the NSA to have the backdoors, but they sure want the backdoors for their _own_ use, so that they can unlock a customer's content as a "service", or sell it to business as part of a security toolkit. Please look into Palladium, renamed "Trusted Computing", to see exactly what their long-term encryption and authentication plans are.
Widespread use of Palladium, without careful thought, could lead to exactly the forbidding of non-backdoor-burdened encryption. And discovering a backdoor-free way to use it is one of the fastest ways to get such a technology dropped: take a look at what happened with the 'Clipper Chip' for an example of that.
Or $1.00 on a Skype call. VoIP is very handy for both telecommuting and for remote interviews, and familiarity with it would be helpful to a network engineer interview. I once purchased and sent an overseas business collaborator a good headphones for precisely this purpose, to ease our communications. It saved him a lot of money over the next year.
You've brought back memories. And reminded me to bless the fates that my work for academia was blessed with a department secretary who ruled with an iron fist, got us what we needed, and kept the paperwork off our backs. We were the envy of other departments, and a terror at funding meetings because not only did this person know the numbers, but could point out holes in budgets that people had glossed over. And they were _amazing_ at getting groups to share resources and save funds for more useful things. Their behind the scenes deals with other groups probably saved 30% of our equipment budget, which was not a small cot, and let us run experiments that would have been unthinkable if we hadn't been able to scrounge unused space and resources.
Such secretaries are worth their weight in whatever bribes we can provide to ease their lives. But bugdet pinching makes it very hard to provide the necessary material for perks, so I did it myself. More RAM for their computer? Better keyboard? Remounting the mouse shelf so that it prevents RSI? Their own color printer for proofreading manuscripts with pictures? All came out of my own pocket, and were worth every penny in freeing up their time for work I needed.
Have you seen the workload your average teacher provides? It's hard, demanding work and it's hell on your home life. A decent high school teacher's work load resembles that of a talented geek like many sladhdot readers, and with similar upstream 'mandates' and 'visions' interfering with actually getting the work done. Figure 40 hours of actual work, another 10 hours of paperwork, and another 10 hours of unpaid homework or research to keep up-to-date in the field. It's a rough work-week.
If you have to mock Turing, at least make it funny. His work was amazing, and his suicide as a result of harassment for being homosexual is one of the great tragedies of science.
The Swiss are fascinating. They also do compulsory military service, and pride themselves on minding their own business. And notice who are the part-time soldiers, what we'd call 'reserves' or 'National Guard' in the USA. It's not the lower class or lower middle class you get in the US. It's the bank presidents, the corporate leaders, and other private citizens who really run the country.
The result is that they meet each other socially and work together in a way that lets them bond together should make Americans really think about what corporate leadership can do. It's a form of networking we've never really tried.
The problem isn't with handing on scientific knowledge. It's with handing on middle management, who inevitably evolve to maintain their fiefdoms, and whose purpose is organization itself, not the goal of the organization's charter or funding.
The best engineers, and the best leaders for those engineers, accomplish their work in spite of this. But NASA has become overwhelmed by this bureaucratic group, and it actively impedes work that is not on the montly 'employee goals' or the 'quarterly plan'.
That's what I get for listening to Intel's road map 2 years, where they said it was planned in their coming quad-core CPU releases.
But replacing the keys with hardware changes is like handling a Microsoft license: you'll have to re-register and get new keys from the upstream key holders. One of the inherent factors in the Palladium approach is the centralized storage of pribate keys, which are not transmitted in the clear, but do have a fascinating chain of trust to expire and replace private keys, if you have sufficient privilege to do so.
Tools that might be used to generate your own, individual, private keys and manage your Palladium tools with them will certainly be written, but the commercial encryption tools will make a big deal about their ability to recover from your hardware problems. They will do this by keeping implicit if not explicit control of the private keys they issue for their software and your hardware.
You have my sympathies. I'll urge you to look intoa a 'single-sign-on' policy, hwere the Kerberos tickets of Active Directory can be used for web, file sharing, and remote login access as needed without providing additiional logins.
Oh, I understand the expense. It's why I laugh so hard when someone comes along with FASCINATING! NEW! SECURITY PRODUCT! that promises to solve all our problems, especially consultants who want to support their exciting and untested product on my network, and which ignore basic security policies like never keeping passwords in clear-text or keeping the passwords complex enough to be tough to break, but simple enough to type.
But allowing blank paswords, and default passwords that match the login name, is just plain stupid. I could see if you're on the phone wiht the person and need to reset a one-time password and force them to immediately change it while you're on the phone with them, but that's about it.
The TPM is being hosted insider modern Intel and AMD CPU's rather than being a separate chip, so you won't see those bits anywhere you can shove a voltage probe on the most recent systems. And as near as I can tell, the data is _not_ in the clear on the bus, at least for authentication. The system is using session keys, not publishing passkeys in clear text.
No, the chip emulator does not have the individual chip's private keys. It takes a chain of trust to load new keys, and the private keys of the personal chip are not transmitted. Public keys, or authentication processes done with the private key and verifiable against the public key, are the standard for it.
You really need to read up on public/private encryption key handling. Simply knowing the algorithms is not enough. (Having the TPM emulator is effectively knowing the algorithms.)
And the purpose of government is to control people's rights, and all control of rights is wrong, right?
Wrong. People can and will abuse freedoms, so there's no way to prevent governments from forming to try and protect people from each other. It remains important to keep a close eye on those governments, but there's no way to avoid htem. And properly implemented, the Palladium tools could be used to provide robust authentication and access control for personal document transfers, contracts, email, VPN's, etc. Such authenticated connections or documents could be tied to particular users and particular computers with a wonderfully secure chain of trust, and put a big spike in such disparate problems as authenticating money transfers, reducing identity fraud, even protecting access to your medical records.
I agree that it is massively and ocmmonly misused. But the demaind is large enough that we must accept _some_ form of integrated document authentication and encryption, or we're going to remain extremely vulnerable to document snooping and identity theft in this electronic world. It's a shame that Microsoft screwed up what was a fundamentally good technology with their poor key management decisions and with their obvious focus on the worst forms of DRM for its use.
You apparently haven't studied cryptography and the use of session keys. Reading bits off the wire is great, but without access to the private keys used to generate the _session_ keys, it's not that helpful. And it's the public part of the session keys that go across the wire, not even the public keys for the TPM device or for the game manufacturer's private key. The primary creator of Palladium, Brian LaMacchia, apparently paid attention to how SSH, SSL, and even Kerberos work: the use of session keys is pretty critical to public/private key encryptionl.
_None_ pf the private keys cross the wire, except in Microsoft's library of their customer's keys. This is basic to good cryptography. It also means that Microsoft's library of keys becomes a real target for crackers, and its easy availability to warrant-free searches under the USA Patriot Act should be a real concern to anyone who uses it for personal or corporate data.
Until hte BIOS's are locked with TPM, to only permit certain hardware access with certain kernels. That's a next obvious step with the technology, and will lock those motherboards into only booting a Windows off of a specific kernel.
This is actually a potentially useful security feature, to control what kernel runs on kiosk or centrally managed corporate desktops. But the ability to prevent non-authorized devices or operating systems from booting at all will be troublesome to we who like to use our own hardware or our own OS.
Well, DRM is just a policy. The way it is implemented can be good or bad, and it can be for good or bad purposes. If Microsoft had shown signs of being trustworthy with key management or user privacy in the past, I'd be a lot more comfortable with this new toolkit from them. But these are the idiots who put the IP address of machines diting MS Word documents as hidden data inside the document, by default.
No, it's Palladium. There are some fascinating public/private key authentication techniques that it's using, which involve the private key of the chip itself used to provide public key verificable signatures for documents managed by Palladum. This includes requiring software to have a relevant key to unlock data files or hardware, and the keys can be time stamped in order that they can expire.
"and that will spell out a death sentence for motherboard manufacturers that do not support it."
Fixed it properly. The Windows monopoly is very strong, and Intel has been caught cooperating with them before in some unsavory market manipulations. AMD is interesting and useful, but show no signs of bucking against thei particular "feature".
The TPM is built into many, if not most, Intel and AMD CPU's. This misfeature will be integral to most motherboards in the very near feature. Microsoft has not yet insisted on it to use their latest OS and software, but it's only a matter of time, and that will spell out a death sentence for motherboards that do not support it.
The 'TPM' is the 'Trusted Platform Module', the hardware key of the Microsoft 'Palladium' software/hardware combination, which has since been mis-named as 'Trusted Computing'. I recommend looking into it: it's a decent public/private key encryption syste, and fairly robust against mere brute force cracking or the theft of a few keys, because it also incorporates key replacement and deprecation techniques.
Pallasium is designed to lock out use not authorized by the key owner, even when such use is quite legal and protected 'fair use', media duplicaiton, or shifting of software from client machine to client machine. It's also clearly designed to authenticate all documents created with the 'autorized' softwrae, which spells the end of anonymity: assigning particular data files to particular copies of the software is critical to verifying saved games, patchfiles, and user profiles. It will only be used by vendors willing to spend the money up front to purchase authorized keys, unlike current SSL keys which can easily be self-signed [unless I'm misunderstanding the key management technology].
Unfortunately, it's also designed to interfere with hardware: it's easy to link external hard drives and DVD burners and USB devices to particular host servers with only particular software permitted to write to them or even read from them, and it's also easy to lock the BIOS and prevent it from loading unauthorized boot loaders or unauthorized kernels. And that gets into taking away user's control of their own machines and putting it in the hands of Microsoft. Not the other vendors: Microsoft, because they own the technology and plan to retain all the master keys they can. And it means that if you use their encryption tools, you may as well just email them ot the NSA. The odds of Microsoft's repository of such keys being secure from warrent-free access by the NSA and agencies like them is nil.
You've just described the problem wiht IPsec setups. The server has to support tools not necessarily built into the file sharing system itself. There's also the issue of sniffing the traffic on each side of the IPsec tunnel, and handling the multiple channels needed for FTP makes it that much more complex to support. And there's the issue of corporate clients, or thin clients, where they're not allowed to install non-approved software.
Sending passwords to people via USPS or registered mail is expensive, and relatively slow, and doesn't protect the passwords from being stolen if the site is going to exist for long. Securing data transfers takes thought, and planning, to fill the server's needs and the client's needs andn abilities.
Oh, ideology affects cage monkeys. The use of open source versus closed source, burchasing enough licenses for the software you use, and making '99.999%' uptime actually mean that instead of simply hiding downtime, and forcing people to spend more time documenting how much time they spent on a task than actually doing the task are all policies I've seen affect server work. Those may not be idologies per se, but they certainly arise from philosophies about how things should be done.
Telephone systems have been possible carriers for far longer than digital telephony has been around. While analog phones do not operate well below 100 cycles, they carried enough information to incorporate inaudible data at well below 20 cycles and imperciptible to your casual listener. The quality isn't good, but it doesn't have to be to bury a trigger message.
Microsoft doesn't necessarily want the NSA to have the backdoors, but they sure want the backdoors for their _own_ use, so that they can unlock a customer's content as a "service", or sell it to business as part of a security toolkit. Please look into Palladium, renamed "Trusted Computing", to see exactly what their long-term encryption and authentication plans are.
Widespread use of Palladium, without careful thought, could lead to exactly the forbidding of non-backdoor-burdened encryption. And discovering a backdoor-free way to use it is one of the fastest ways to get such a technology dropped: take a look at what happened with the 'Clipper Chip' for an example of that.
Or $1.00 on a Skype call. VoIP is very handy for both telecommuting and for remote interviews, and familiarity with it would be helpful to a network engineer interview. I once purchased and sent an overseas business collaborator a good headphones for precisely this purpose, to ease our communications. It saved him a lot of money over the next year.
You've brought back memories. And reminded me to bless the fates that my work for academia was blessed with a department secretary who ruled with an iron fist, got us what we needed, and kept the paperwork off our backs. We were the envy of other departments, and a terror at funding meetings because not only did this person know the numbers, but could point out holes in budgets that people had glossed over. And they were _amazing_ at getting groups to share resources and save funds for more useful things. Their behind the scenes deals with other groups probably saved 30% of our equipment budget, which was not a small cot, and let us run experiments that would have been unthinkable if we hadn't been able to scrounge unused space and resources.
Such secretaries are worth their weight in whatever bribes we can provide to ease their lives. But bugdet pinching makes it very hard to provide the necessary material for perks, so I did it myself. More RAM for their computer? Better keyboard? Remounting the mouse shelf so that it prevents RSI? Their own color printer for proofreading manuscripts with pictures? All came out of my own pocket, and were worth every penny in freeing up their time for work I needed.
Have you seen the workload your average teacher provides? It's hard, demanding work and it's hell on your home life. A decent high school teacher's work load resembles that of a talented geek like many sladhdot readers, and with similar upstream 'mandates' and 'visions' interfering with actually getting the work done. Figure 40 hours of actual work, another 10 hours of paperwork, and another 10 hours of unpaid homework or research to keep up-to-date in the field. It's a rough work-week.
If you have to mock Turing, at least make it funny. His work was amazing, and his suicide as a result of harassment for being homosexual is one of the great tragedies of science.
The Swiss are fascinating. They also do compulsory military service, and pride themselves on minding their own business. And notice who are the part-time soldiers, what we'd call 'reserves' or 'National Guard' in the USA. It's not the lower class or lower middle class you get in the US. It's the bank presidents, the corporate leaders, and other private citizens who really run the country.
The result is that they meet each other socially and work together in a way that lets them bond together should make Americans really think about what corporate leadership can do. It's a form of networking we've never really tried.
The problem isn't with handing on scientific knowledge. It's with handing on middle management, who inevitably evolve to maintain their fiefdoms, and whose purpose is organization itself, not the goal of the organization's charter or funding. The best engineers, and the best leaders for those engineers, accomplish their work in spite of this. But NASA has become overwhelmed by this bureaucratic group, and it actively impedes work that is not on the montly 'employee goals' or the 'quarterly plan'.
He does keep stalking that red-haired fox.
That's what I get for listening to Intel's road map 2 years, where they said it was planned in their coming quad-core CPU releases.
But replacing the keys with hardware changes is like handling a Microsoft license: you'll have to re-register and get new keys from the upstream key holders. One of the inherent factors in the Palladium approach is the centralized storage of pribate keys, which are not transmitted in the clear, but do have a fascinating chain of trust to expire and replace private keys, if you have sufficient privilege to do so.
Tools that might be used to generate your own, individual, private keys and manage your Palladium tools with them will certainly be written, but the commercial encryption tools will make a big deal about their ability to recover from your hardware problems. They will do this by keeping implicit if not explicit control of the private keys they issue for their software and your hardware.
This is what www.fuckedcompany.com used to be for, and what wikileaks provides to some extent now.
You have my sympathies. I'll urge you to look intoa a 'single-sign-on' policy, hwere the Kerberos tickets of Active Directory can be used for web, file sharing, and remote login access as needed without providing additiional logins.
Oh, I understand the expense. It's why I laugh so hard when someone comes along with FASCINATING! NEW! SECURITY PRODUCT! that promises to solve all our problems, especially consultants who want to support their exciting and untested product on my network, and which ignore basic security policies like never keeping passwords in clear-text or keeping the passwords complex enough to be tough to break, but simple enough to type.
But allowing blank paswords, and default passwords that match the login name, is just plain stupid. I could see if you're on the phone wiht the person and need to reset a one-time password and force them to immediately change it while you're on the phone with them, but that's about it.
The TPM is being hosted insider modern Intel and AMD CPU's rather than being a separate chip, so you won't see those bits anywhere you can shove a voltage probe on the most recent systems. And as near as I can tell, the data is _not_ in the clear on the bus, at least for authentication. The system is using session keys, not publishing passkeys in clear text.
No, the chip emulator does not have the individual chip's private keys. It takes a chain of trust to load new keys, and the private keys of the personal chip are not transmitted. Public keys, or authentication processes done with the private key and verifiable against the public key, are the standard for it.
You really need to read up on public/private encryption key handling. Simply knowing the algorithms is not enough. (Having the TPM emulator is effectively knowing the algorithms.)
And the purpose of government is to control people's rights, and all control of rights is wrong, right?
Wrong. People can and will abuse freedoms, so there's no way to prevent governments from forming to try and protect people from each other. It remains important to keep a close eye on those governments, but there's no way to avoid htem. And properly implemented, the Palladium tools could be used to provide robust authentication and access control for personal document transfers, contracts, email, VPN's, etc. Such authenticated connections or documents could be tied to particular users and particular computers with a wonderfully secure chain of trust, and put a big spike in such disparate problems as authenticating money transfers, reducing identity fraud, even protecting access to your medical records.
I agree that it is massively and ocmmonly misused. But the demaind is large enough that we must accept _some_ form of integrated document authentication and encryption, or we're going to remain extremely vulnerable to document snooping and identity theft in this electronic world. It's a shame that Microsoft screwed up what was a fundamentally good technology with their poor key management decisions and with their obvious focus on the worst forms of DRM for its use.
You apparently haven't studied cryptography and the use of session keys. Reading bits off the wire is great, but without access to the private keys used to generate the _session_ keys, it's not that helpful. And it's the public part of the session keys that go across the wire, not even the public keys for the TPM device or for the game manufacturer's private key. The primary creator of Palladium, Brian LaMacchia, apparently paid attention to how SSH, SSL, and even Kerberos work: the use of session keys is pretty critical to public/private key encryptionl.
_None_ pf the private keys cross the wire, except in Microsoft's library of their customer's keys. This is basic to good cryptography. It also means that Microsoft's library of keys becomes a real target for crackers, and its easy availability to warrant-free searches under the USA Patriot Act should be a real concern to anyone who uses it for personal or corporate data.
Until hte BIOS's are locked with TPM, to only permit certain hardware access with certain kernels. That's a next obvious step with the technology, and will lock those motherboards into only booting a Windows off of a specific kernel. This is actually a potentially useful security feature, to control what kernel runs on kiosk or centrally managed corporate desktops. But the ability to prevent non-authorized devices or operating systems from booting at all will be troublesome to we who like to use our own hardware or our own OS.
Well, DRM is just a policy. The way it is implemented can be good or bad, and it can be for good or bad purposes. If Microsoft had shown signs of being trustworthy with key management or user privacy in the past, I'd be a lot more comfortable with this new toolkit from them. But these are the idiots who put the IP address of machines diting MS Word documents as hidden data inside the document, by default.
No, it's Palladium. There are some fascinating public/private key authentication techniques that it's using, which involve the private key of the chip itself used to provide public key verificable signatures for documents managed by Palladum. This includes requiring software to have a relevant key to unlock data files or hardware, and the keys can be time stamped in order that they can expire.
"and that will spell out a death sentence for motherboard manufacturers that do not support it."
Fixed it properly. The Windows monopoly is very strong, and Intel has been caught cooperating with them before in some unsavory market manipulations. AMD is interesting and useful, but show no signs of bucking against thei particular "feature".
The TPM is built into many, if not most, Intel and AMD CPU's. This misfeature will be integral to most motherboards in the very near feature. Microsoft has not yet insisted on it to use their latest OS and software, but it's only a matter of time, and that will spell out a death sentence for motherboards that do not support it.
The 'TPM' is the 'Trusted Platform Module', the hardware key of the Microsoft 'Palladium' software/hardware combination, which has since been mis-named as 'Trusted Computing'. I recommend looking into it: it's a decent public/private key encryption syste, and fairly robust against mere brute force cracking or the theft of a few keys, because it also incorporates key replacement and deprecation techniques.
Pallasium is designed to lock out use not authorized by the key owner, even when such use is quite legal and protected 'fair use', media duplicaiton, or shifting of software from client machine to client machine. It's also clearly designed to authenticate all documents created with the 'autorized' softwrae, which spells the end of anonymity: assigning particular data files to particular copies of the software is critical to verifying saved games, patchfiles, and user profiles. It will only be used by vendors willing to spend the money up front to purchase authorized keys, unlike current SSL keys which can easily be self-signed [unless I'm misunderstanding the key management technology].
Unfortunately, it's also designed to interfere with hardware: it's easy to link external hard drives and DVD burners and USB devices to particular host servers with only particular software permitted to write to them or even read from them, and it's also easy to lock the BIOS and prevent it from loading unauthorized boot loaders or unauthorized kernels. And that gets into taking away user's control of their own machines and putting it in the hands of Microsoft. Not the other vendors: Microsoft, because they own the technology and plan to retain all the master keys they can. And it means that if you use their encryption tools, you may as well just email them ot the NSA. The odds of Microsoft's repository of such keys being secure from warrent-free access by the NSA and agencies like them is nil.
You've just described the problem wiht IPsec setups. The server has to support tools not necessarily built into the file sharing system itself. There's also the issue of sniffing the traffic on each side of the IPsec tunnel, and handling the multiple channels needed for FTP makes it that much more complex to support. And there's the issue of corporate clients, or thin clients, where they're not allowed to install non-approved software.
Sending passwords to people via USPS or registered mail is expensive, and relatively slow, and doesn't protect the passwords from being stolen if the site is going to exist for long. Securing data transfers takes thought, and planning, to fill the server's needs and the client's needs andn abilities.