Slashdot Mirror


User: threat_or_menace

threat_or_menace's activity in the archive.

Stories: 0 · Comments: 33

Comments · 33

  1. Re:Get over yourselves on Texas Scientists Regret Loss of Higgs Boson Quest · · Score: 1

    The real problem is that the LHC and SSC were intended to be sister designs, neither an only child.

    The energies needed for the current work are more than half of the maximum output at the LHC - the SSC would have been the higher energy design, capable of operating at energies ~3x that of LHC.

    What that means is that in addition to at least 10 years of lost experiments, we'll be waiting for probably quite some time for the next large physics instrument to be built to explore a lot of the questions the current experiment sheds a little light on.

  2. Re:This American Lie on This American Life Retracts Episode On Apple Factories In China · · Score: 1

    TAL is not an NPR show. It's an independently syndicated show carried mostly on NPR affiliates, but anyone who wants to buy it can run it.

    Of course, the overlap in on-air personalities between NPR and American Public Radio (the syndicator of the show) is very large.

  3. bandwidth? on Ask Slashdot: How To Give IT Presentations That Aren't Boring? · · Score: 1

    don't focus on bandwidth, focus on % of bandwidth devoted to porn, day to day and week to week.

    Run driftnet.

    Give everyone a look at what everyone's been downloading.

  4. Re:Damn you George Bush!!!! on US Government Seizes Email of WikiLeaks Volunteer · · Score: 1

    I think it is well worth reminding people what Obama promised and what Obama delivered, on surveillance and on whistleblowing.

    The poster you're pulling the long face over did not mention parties, he mentioned two personalities. The latter personality is doing everything he can to demonstrate the importance of continuity over all else in US politics.

    Your choice to muddy the waters by bringing up political parties brings NUTTTC. PO.

  5. Re:We at PETA were only *mostly* crazy before on PETA To Launch Pornography Website · · Score: 1

    There actually are folks (quite a lot of them) sexually aroused by cruelty to animals. Hence the sturm und drang about the "crush" videos about ten years ago, when The End of Days was heralded by folks paying actual money to watch girls in high heels stomp on mice, birds, etc.

    My memory is that in the UK the animal rights nutbags managed to write remarkably broad laws covering all of this stuff.

    PETA will probably have, as its charter paying subscribers, folks for whom this is a thrill, and with better-looking models than they're used to seeing.

  6. Ah, that digital kindbud at the EFF on Ask Slashdot: Best Way To Leave My Router Open? · · Score: 1

    The EFF dresses up their appeal (https://www.eff.org/deeplinks/2011/04/open-wireless-movement) in BS rhetoric about a 'tragedy of the commons' that's ensuing as people turn on WPA at home.

    No. This is people configuring their equipment as recommended. This is what a successful education campaign looks like. The fact that when the tech first hit, everyone was setting it up wrong does not mean that's how we ought to leave it.

    Even the EFF admits that the time for just leaving the door open has not yet arrived. Consumer routers don't do network segmentation and traffic prioritization well enough yet.

    My favorite EFF knee-slapper:

    "There is currently no WiFi protocol that allows anybody to join the network, while using link-layer encryption to prevent each network member from eavesdropping on the others. But such a protocol should exist."

    OK, so I should leave my network unprotected because a protocol that doesn't exist, should?

    Whiskey, tango foxtrot, you digital hippies. Would you please go loiter somewhere else?

  7. Re:Anyone know... on iPad 2 Forces Samsung To Reevaluate Galaxy Tab · · Score: 1

    You're starting from a false premise, about what's cheap and what margins ought to be. Granted, that's reinforced by the pricing on the unlocked Samsung (500-600 in the US) and the pricing on the Motorola tablet.

    Take a look at the Barnes and Noble Color Nook, a 7" wifi android tablet with an IPS touchscreen that sells for $250. It's a solid enough build that tons of folks are happily rooting and overclocking them.

  8. Re:For a follow-up on Onion Story Gets Blown Out of Proportion · · Score: 1

    And we'd want to spend time paying enough attention to post to wikipedia why, again?

  9. Re:Some justification to fining Spamhaus on Spamhaus Fine Reduced From $11.7M To $27K · · Score: 2, Interesting

    This defense doesn't work for the torrent aggregation sites (Pirate Bay, Isohunt, etc.) and it would only work here if the various spam lists really were willing to staff the "unlist us" addresses as thoroughly as the "list us" addresses.

    I work at a nonprofit that has health care and gang outreach as two chunks of what we do. I have had emails inviting a group of people to a meeting around gang violence flagged as spam in the past, because the subject line was thought to be spammy. Heaven forfend that one of our providers should dare to talk about viagra or erectile dysfunction in an email.

    I am not sure if it was Spamhaus per se, but one of the times we were added to a blacklist, I was able to get us pulled immediately. But I was warned by the fully automated removal system that that was a one-time deal and if we were listed again, I would have to wait patiently while they got around to deciding what to do.

    With the Barracuda list, there's a for-profit company with 800 numbers that are answered, at least. I don't remember now who it was, but one of the RBL providers got into a pissing match with Yahoo over their mailing list configuration and blackholed Yahoo's outbound mail servers a few years ago.

    Accountability with these lists is a problem. The court case immediately at hand isn't interesting one way or another, since it wasn't contested.

    Accountability, on the other hand, is something that needs to be addressed a lot better by the RBLs.

  10. Re:Pedant Warning! on Scammer Plants a Fake ATM At Defcon 17 · · Score: 1

    I have the impression that about all we're able to get out of decades of recording whale and dolphin communications is "say what?" We've only just lately stumbled on infrasound communication between elephants over very long distances, and again we're pretty much at "say what?" We're a little bit better at certain communications when they're almost always accompanied by fighting, fucking, or scattering but by and large we have a huge number of what many of us assume are less-complicated-than-our-own-oh-so-wondrous communications - and by and large, we can do fuck-all as far as figuring them out.

    Faced with that, we tend to either forget that they may convey more information than we can parse, or state that they do not convey that information, since they are not able to convey it to us. Not that they convey, say, the works of Shakespeare of the Pachyderms, but rather that they may well be conveying quite a bit more information than we realize.

    One of my favorite bits of the history of language study is that language needed a lot of redefinition after Karl von Frisch figured out how bees were using dance to communicate place and direction of things not visible to the rest of the hive, food and water. Quite a bit of a problem for a lot of what had been thought about what language was up until that time.

    I want to thank the original poster for a jaw-droppingly stimulating post.

  11. Re:This years Defcon: Not good on Defense Department Eyes Hacker Con For New Recruits · · Score: 1

    If the talks aren't new and interesting, and you are just going to socialize, that's okay, but it's hardly what the conference could be. It's not what I want to go to Defcon for; I liked the first few I went to, where there were some very good technical talks and that was the expectation. What you are describing sounds a lot like retirement or senescence.

    It seems that many speakers are chosen based on who they know, and there's way too much inside baseball going on in speaker selection. An example seems to be the talk I walked out on early today, where some kid whose professor is a friend of Kaminsky's gave a presentation pointing out that university hostname assignment and resolution practices may constitute a privacy leak. Now, the talk may have heated up something fierce after I left the room, but tying a DNS lookup to an ARP address and then having the (attractive blonde) professor talk about how the uni had recruited the student who presented, and about the legality or not of it, and then who knows what Dan contributed, if anything? I left to see if the biohacking guy had anything to say. Sadly, he did not; he had very few examples, and lots and lots of words explaining why he thought biohackers were of interest. Fewer words and more examples, possibly even an actual biohacker - would have helped immensely.

    One thing I thought was interesting last year and did not particularly see this year was talk about policy. I got called out on an incident in the middle of Saturday afternoon, so sadly I missed the long analysis of the PLA, and I hope that is worth watching later. Last year, though I disagreed with it a great deal, there was a long policy panel. (The thrust was 'we're done, this is what we are suggesting to the Feds, please congratulate us.' The speakers were current or former military. They were not interested in actual input from the audience and were very insulting of audience members who wanted to give any. It was good to see these guys out in daylight and understand what they were doing, though.)

    No one had interesting SCADA work to talk about this year? Really? Last year there was a talk about SCADA that seems to me to have pretty much had to have been a stepping stone for more. But I didn't see any such talks this year.

    The poster who compared Defcon to Burning Man may have hit it on the head. Defcon is unusual in that it brings together a lot of very different perspectives - the lock folks were out in force again this year, and did a pretty good presentation which was good to see.

    There's still a real opportunity for Defcon to be interesting, but this year was indeed a fail. Also, they are bound for fire marshal trouble if they don't get the fuck out of the Riviera. They made a decision this year to axe what had been the largest room in the venue and put most of the big talks into a four room area served by a single hallway. They cleared each room ahead of the next talk; if you wanted to see two talks deemed by the group to be interesting back to back, you were SOL - and so was everyone else, as the halls clotted insanely.

    As of now, I'm unlikely to go back until such time as the con moves out of the Riviera. And by then, it will probably be larger, fluffier and have even less content - I don't see it relocating too soon, and it's going to keep being bigger and bigger.

    What's needed is more stuff like FX' presentation, exploiting Cisco routers with one packet giving you configuration access - using ICMP! Now damn, that was good stuff. Less UFOs, less inspirational speakers, less interest in media whoring. These would all be valuable things.

    But it's very possible that Defcon is in some ways intentionally aping burning man - and hopes one day in the future to start co-hosting events with burning man.

  12. Re:Sperm Shortage? on Human Sperm Produced In the Laboratory · · Score: 1

    Oh, thank goodness. Here and my largest concern in life was that we were about to run out of babies on the planet.

  13. Wonder if Palm will buy the Avantgo servers? on AvantGo Shutting Down, Changing Markets · · Score: 1

    How much could the old Avantgo servers actually be worth, anyway?

    I'm not sure what the advantage of Sunrise is? Is it faster than just defining the channels in plucker? Plucker is pig slow.

    Sunrise, however, was only able to load the Christian Science Monitor for me (granted, with only using the point-click-drool install method and the canned 'showcase' channels) despite downloading many meg of channels which it claimed would land on the device after sync. But only CSM. And in a layout that's a pain on the Palm screen. I gave up on it for now - but not before figuring out that it helps to install Sunrise in your Palm folder, you avantgo refugees. This will help get rid of a shitload of "file not found" messages on launch.

    Sunrise may work and may be faster than just using Pluckr by itself. I suppose it has to be. Dear god pluckr by itself has a hard time.

    That is one thing Avantgo does extremely well - collate content the once and spit it back out to one and all, formatted in a way that really made sense for a palmtop.

    My experience with avantgo was that the problems were more often with the content providers than with Avantgo itself.

    I've been using Avantgo for 10 years, and am sorry to see it go buh-bye, but am not that surprised. Given the advantages palm + avantgo have together over Kindle (you decide how often to update; touchscreen; small device unlikely to be accidentally folded/bent,) I wonder if any bright sparks over at Palm are talking to Sybase about buying the servers and putting them on a truck so they can offer the service for the Pre.

    Yes, I understand the Pre has its own always-on signal. Throwing avantgo in as a way of saving people on costs would go over well, though, if there's a client that would work or could be made to work on the pre.

    holy crap. I'm now starting on channel #2 with pluckr.

    Why are people claiming pluckr is superior to Avantgo? Granted, any site can be plucked - but for sites with mobile-condensed channels, which is all I'm pointing this at, it's wicked slow and the layout's not that good (I admit: I dry fired with the Onion before adding in the full complement.)

    I can't imagine how much fun it would be to wait on this for regular websites.

    wow. Now I'm up to channel 4. It looks like pluckr by itself requires more patience than us internet peeps typically have, unless it's able to integrate only the deltas and not the whole site each time content changes. (My impression is that it is not able to do that, that it needs to respider if there's been an update.)

  14. Re:Simon Singh FLT book on Mathematics Reading List For High School Students? · · Score: 1

    Well, I'm reading it right now. I am by no means a mathematician (a year of college calculus, a semester of physical chemistry and a fair amount of exposure to the kind of thermodynamics that describe chemicals in solution.)

    I am enjoying it, and I'm noticing that so far (120 pages?) it's entirely math-free. Yes, there are some appendices containing proofs of some of the statements in the book. I was not impressed with the appendix on Pythagoras' theorem; we did a much better job with that in high school and since it's in an appendix, I didn't understand why the treatment was as informal as it was. One big point of the section it is first cited in was to discuss the importance of formal, rigorous proofs.

    I am concerned that beyond the biographical sketches of Math Greats, I'm really just getting mind candy. My training is in biology, and last night I ran across the rather insubstantial discussion of prime numbers and cicada lifespans. As presented, it was a rather weak just so story. My general rule of thumb is that if someone's not impressing me much in discussing the stuff I actually did spend time studying in depth, the prose may be entertaining on the other stuff, but it's unlikely to actually teach me anything much, and in the worst case may be telling me things which are wrong.

    It's a fun book, but I wouldn't have any real interest in using it as a teaching aid for a math course.

    Assigning a decent translation of one of the Greek math texts used as source material, and asking for an oral presentation of one of the classical geometric or arithmetic proofs, or perhaps of one of the proofs requiring the use of imaginary numbers? I could see doing that.

    But reading a book report about a bunch of books (which is what Singh's book is) - even a well-written one - and using it in an actual math class seems wrong, somehow.

  15. Re:Not the same on Skype Messages Monitored In China · · Score: 3, Insightful

    Where to start.

    None of what you say about US phone call monitoring applies, since Skype is not a phone call, it's an internet transmission. The law on collecting packets is a lot weaker than the law on collecting analog signals.

    The point of this is that the "crypto" in Skype can be broken and has been broken per a government request. What this means is that virtually any Skype conversation since 2001 should be assumed to be available for review by the Feds. September 11 2001, the Feds installed packet sniffers at consumer ISPs across the country, and told the NOC staffs "this will only be for a few weeks, while we get the Tier 1 taps in place."

    http://www.wired.com/politics/law/news/2001/09/46747?currentPage=all

    On to your trusting lunacy about phones: We don't know what the NSA program does and does not do, nor what it is or is not designed to do, nor what it is doing nor how the data can be reexamined in the future. We know a very small amount about what it could do circa 2004 from good reporting, but no one's ever testified about it in a courtroom.

    What we do know is that speaking about it in the past tense is amusing.

    The scenario you outline - only targeted calls are intercepted - is the current legal justification for continuing to permit it and for retroactively legalizing it.

    Once you have the ability to start snarfing those calls, without a warrant and without asking the carrier for further assistance, you will start snarfing a whole lot more. If you accidentally leave your equipment on, you'll just have collected a lot more. Since there is no oversight, there's no reason to be concerned about being reprimanded.

  16. Re:Why is that even possible? on Greek Hackers Target CERN's LHC · · Score: 1

    It must be possible in order that I can turn the power of the beams up past 11 - to twelve if need be - in order to spawn my world-consuming black hole.

    All that silliness about massive datasets processed in lots of complicated networky ways? Merely a cover.

    Oh, and the other thing is that before I learn enough about hadrons (jeeze, the textbooks are fuckin' HARD to follow) to make the blackhole thing work?

    It's a great place to store my pr0n.

  17. Re:RST packets on EFF Releases Tool For Testing ISP Interference · · Score: 1

    > ISPs have the right to stop costs from being dumped upon them, and therefore have the right to throttle, block,
    > and/or prohibit P2P. If they can't, your bill will have to go up, because the ISP has to at least break even to
    > keep providing you with service.

    My ISP has a contract with me. They promised a service for a length of time, and are obliged to provide it. We can renegotiate when the contract is up.

    I'm currently guaranteed service at 1500 inbound / 384 outbound which is unlimited, good 24/7/30 days. I actually double-checked when I signed up: unlimited, sez I, you're not going to get twitchy around torrent traffic? If my ISP at the office started bitching because I was using my T1 both up and downstream, I'd laugh at them. If they tried to change the contract terms early, again, I'd laugh at them.

    If Comcast or whoever have a contract with you, they are obliged to honor it. Or be liable for class-action damages. If they made a bad contract, that does not give them the right to change their terms partway through. If it did, no one would worry about signing a mortgage, would they?

    Meanwhile, if you find your ISP is a cable co, and they're fucking with you, I highly recommend you look into the tools outlined here if for some reason you must stay with them (no other service available?)

    Otherwise, based on the abstract below and the generally abysmal security performance of cable as a secure delivery system for anything, I would recommend you cancel your contract with them. This talk will be given at Defcon this week, but the tools and some of the how-to are already out in the universe.

    Sniffing Cable Modems

    Guy Martin

    Cable modems are widely used these days for internet connections or other applications. This talk gives a detailed overview of this means of communication with a focus on its security.

    DOCSIS (Data Over Cable Service Interface Specification) is currently the most used protocol around the world for providing internet over TV coaxial cable. Due to its nature, this protocol can easily be sniffed by tapping onto the TV cable using a digital TV card. By doing this, you can not only sniff your own connection but all the connections of the entire neighborhood. With my tool packet-o-matic and an inexpensive DVB-C card, countless things are possible ranging from dumping people's email into maildir to removing firewall rules and quota limitation on your connection or even a DoS of all HTTP communications by injecting TCP reset packets.

  18. Re:Problem is not in infrastructure on Information Security Is Becoming Infrastructure · · Score: 1

    I'm kind of stumped by who Schneier (and some readers in this thread) think attends RSA. I went last year, and it did not look to me like an end-user conference. It looked to me like it was a lot of people from companies large enough to have more than one person doing IT, and a company of that size is offering security as infrastructure to its users.

    Are they doing it well? It's all over the map. Are they at least aware that they're doing it? One hopes so. But most of the attendees that I saw were clearly folks from large enough shops that they were thinking about dropping a lot of dollars on security.

    If you work in IT at a company, and your users are downloading malware, you're not securing your gateway properly. Lots of ways to do this. IPCOP has a lot of good stuff for doing it in a free Linux distribution. You can go with a commercial product dedicated just to filtering, or that bundles in filtering, firewalling, and even spam.

    If you offer a lot of services over the public internet, you're needing a larger IT staff and a security department. Or you're needing to be able to buy security as a service - for instance, the services of a reputable e-commerce site to handle transactions. And at that point, you are buying their infrastructure, and you probably aren't at RSA, and their staff are or ought to be. Whoever signs the checks for your e-commerce contract probably ought to be doing some due diligence around this point.

    Now, the sales types may not have any idea what they're selling at RSA. Many did last year, but has this joke already been beaten to death?

    What's the difference between an IT salesman and a car salesman?

    A car salesman knows when he's lying.

    What is an end user to do? Well, IPCOP is certainly a way to go. Set it up, set up a subscription to Dansguardian for some protection against malware URLs, turn on the IDS chunk so you get Snort telling you once you've screwed up. For end-users, Bluecoat has a free subscription to their list of categorized sites (called K-9) that a friend at the office thinks is very good. (He's got kids, and doesn't want to use the internet as an unrestricted babysitter.)

    But the best venue to learn more about this approach is going to be your local LUG, not RSA. I don't know many people who can afford to throw around 4 to five figures for rackmount appliances for their homes. And my God it makes your home theater sound a lot worse.

  19. Re:Is there anything left of the Soviet Union? on .su Lives On, Stronger Than Ever · · Score: 1

    The assets of the USSR were mostly fenced through London and Wall Street. I've heard George Soros shed a crocodile tear on this score as well as on thrashing the currencies in SE Asia in the 90s, but we pretty much prefer to pretend that much of the wealth of the nation wasn't stolen outright and fenced through our fuckheads so much as it was all just a Potemkin village to start with.

    The wheel is still in motion, though. The Chinese hold how much of our increasingly worthless paper again?

  20. Re:Dynamic Waste of Time on What Are the Best Laptop Theft Recovery Measures? · · Score: 1

    The big advantage to Computrace is that they have relationships with police departments and with ISPs. If you've filed a police report on the theft, and the laptop is powered up and talking to a network or a phone line, recovery odds are better than you'd think from the tone of the post I'm responding to. Yes, if it's fenced and parted, you're screwed. I'm not sure how many laptops are parted, though. Given that a six month old laptop is worth so little already, I'd think parting it would make even the fencing economy think "waste of time here." Preparing for recovery: absolutely. But what happens when your recovery media are damaged or stolen? Seriously: I have five machines at the house. Keeping all of them backed up justified putting in a little NAS head to rsync to. Write the backup to DVD? Often enough for it to be valuable after a system loss? Not a chance. It would just never happen. With rsync, there's reasonable odds that I'll be in a position to recover data. But now I've got an additional fancy toy in the house. Fortunately, none of my stuff looks half as good as it actually is. Unfortunately, there's enough of it around that it's obviously professional gear. I have an equipment rack here, and I'm tempted to buy an old rackable NAS box and replace the fans. I have other toys to buy first, though.

  21. Re:The issue is more than encrypting and signing on Wikileaks Sidesteps Publishing Public PGP Key · · Score: 1

    From the wording ("intent to conceal") it sounds as if they're primarily interested in legal action taken against leakers. PGP throws up big flags if you're looking for it, and there are undoubtedly governments that look for it as well as businesses.

    The real problem is that it sounds as if they intend to trust SSL, which is a mistake. I know (and apply URL filtering policy on) any SSL connections made at my job site. If I wanted to, I could MITM the SSL as well, but I don't have a policy to back me up nor do I care to break it and then deal with the headache of securing the decrypted traffic. If I had a serious budget, there are tools to run very high capacity (think backbone traffic) pipes through similar analysis toolkits. Cisco and I think Bluecoat have gotten beaten up for selling some of these tools to China; the Feds and the UK government buy the boxes and of course no one gets slapped on the wrist over that, since the US and UK are Protecting Our Freeeeeedoms.

    So, if the idea of discouraging PGP is to make people less likely to be officially harassed for submitting to Wikileaks, considerable attention needs to be paid to implementing the SSL submission as well, because site access and flow volume (indicative of an upload) are pretty simple to log and tie to Wikileaks and to the client IP address. It sounds as if the folks at Wikileaks know this and are working to address it.

    There's lots of this gear out there that's still relatively unknown. Last year I saw early samples of stuff that could easily do national infrastructure at wireline speed and which purportedly has some ability against SSH (I don't believe against SSH v2) from an outfit called Netronome. I am told that their gear is 'in the wild' now in the employ of plenty of TLA outfits. PCI-X cards with 4 x gigabit ports and a 1.4 GHz network processing chip onboard. Plug it into the appliance or 'nix of your choice. Oh, and it's CALEA friendly, too.

    All your packets are belong to us.

  22. Re:yet.... on Paraguay Telco Hijacks DNS Before Elections · · Score: 1

    Um, anyone tried reading the sites that are in trouble with the national provider? In the US I think that at least some of this stuff would get a court order pretty fast, for example at www.partidocoloradoantrodeladrones.org we find:

    "Sitio oficial del Tembotá, gran valor, GRAN PEDÓFILO, gran JAPÚ, ñe'erei de profesión, hurrero de vocación"

    It's a fairly amusing site and all that, but the link reeks of late-90s Usenet kookery: all caps, accusations of pedophilia, the whole nine yards. Neither site qualifies as a .org site in the US sense of the term, either. Oh, and the second referenced site, partidocolorado.org, is registered through Domains by Proxy - so it's that much harder to be sure of who's actually behind it. (Domains by proxy doing dot-org registrations? Tastes bad to me.)

    Now, is it really a DNS screwup at all? If you look at the (supposedly) bogus site at 201.217.51.114, you are presented with a Partido Colorado website. Is it possible that Partido Colorado won a court order in Paraguay saying that partidocolorado.org was not allowed to run their site at that address? (Yes, this would be political speech in the US - but we are not talking about the US, and we are talking about people who by US standards are trying to run a site in .org space that they probably have no business locating there.)

    In short, we're being told very little of the story here, and the poster is hoping some slashdotter with mad skillz will see this as black and white and fix the problem.

  23. Re:Publication? on A Mathematical Answer To the Parallel Universe Question · · Score: 1

    Compare the tone of the New Scientist writeup to the tone of the writeup on Breitbart.com, which has Drudge headline sidebars and doesn't cite where they started writing from. New Scientist is reporting what one of their physics guys thinks is fairly neat stuff from a meeting. The "most important in the history of science" quote is from someone not on the team (apparently) who works at Davis. He may have been having a drink when he said it, the poor guy. Breitbart breaks the quote into two parts and separates them by a few grafs, making it look like a looming consensus. I'm sorry the Breitbart piece was the one linked in, since the New Scientist piece (follow the google link above) is so good. I'm very glad that so many people With Clues are in this thread to discuss it.

  24. Re:Contribute on Judge Strikes Down Part of Patriot Act · · Score: 1

    Four years? And Supreme Court?

    Whose QA team were you playing hooky from when you posted, please, so we can never again buy their product?

    hint: Patriot passed like shit through a goose. It is now September of 2007. Osama bin Bad Boy's Big Adventure is fabled to have involved September of 2001; on my planet:

    a) 7-1 ! = 4

    and

    b) "a Federal judge" (singular) ! = the Supreme Court of the United States.

    Patriot will still be in play by - and embraced by - our next President, whichever the party. That much power? Give back? What are you, nuts?

  25. Re:How Medeco locks work on The Study of Physical Hacks at DefCon · · Score: 1

    You might want to look at the Wired writeup of Tobias' presentation. It's much longer, explains the research he did in developing the tools for Medeco 3 locks after he understood how to defeat the protection mechanism.

    It's capped off with a clip of the kid who last year was bumping locks in 30 seconds; the Medeco she bumps takes her two tries, for perhaps 60 seconds. I am not 100% sure that she's got a 3 series, I believe it is one of the ones with the (formerly) very-difficult-to-bump mechanism.

    Are physical hacks and network hacks part of the same spectrum? Well, the Defcon organizers sure think so. The winners of the capture the flag event all get to go to Defcon for free for life. So does the winner of the lockpick competition. I didn't see anyone who seemed to think that was out of line.

    And social engineering? Total hack skillset. Works even better when coupled with network engineering - a great thought tossed out today was to start injecting bad ARP requests into a network, to fool people's workstations into thinking there is a duplicate address in use. Do it a few times, then phone up the person whose station you're targeting and explain you're from IT in networking and need access to his system remotely to troubleshoot a network issue that's been making trouble. People will give up their passwords to such a request. And it's harder to detect (three, say, bad ARP broadcasts, three popups and a phone call, versus getting into a server?) than the more frontal assault.

    Good point about locks versus strike plates, etc. Absolutely - buying a great lock and setting it in a pine frame is a total waste of time.

    Tobias' concern is that one of the locks he's broken is used in areas where the doors are built properly, the locks probably are the weakest link in the chain, and there may be people with access to parts of the facility protected by these locks. Think embassies.

    He's not really paying attention to homeowners who've bought Medeco locks as his primary reason for the disclosure.

    T/M