Slashdot Mirror


User: fyngyrz

fyngyrz's activity in the archive.

Stories
0
Comments
10,605
First seen
Last seen
Profile
(view on slashdot.org)

Comments · 10,605

  1. Re:Always. on When Is a Self-Signed SSL Certificate Acceptable? · · Score: 2, Interesting

    Encryption is only a small part of the idea of certificates. The main part is that it gives you, the user, some idea that the web site you are typing your credentials into is who you think it is (eg your bank) and isn't someone else pretending to be your bank.

    This is utter nonsense. Either you have been scammed, or you are a scammer.

    Let me tell you what a certificate does in its typical web application. It allows you to create an encrypted conversation with the webserver. At the time the certificate was issued, the cert "authority" required money and that you generate what is called a "certificate request", which is an entirely self-generated document containing nothing of interest or particular security. Typically a company name, an address, that sort of thing. Once they have this, they may (or may not) elect to call a phone number you give them and have you record your voice saying your name or some equally insecure thing. At that point, they issue you the certificate.

    Once the certificate is issued, it is installed where the webserver software can find it, and if done correctly (not difficult), the webserver will now allow https as well as http, and, because the certificate was issued by an (cough) authority, your browser will not complain.

    Because there is literally no after-the-fact checking, you have no way of knowing, other than reputation (which has NOTHING to do with certificates, but with behavior) if you are dealing with a reputable merchant, or hackerboy69. There's nothing stopping hackerboy69 from *legitimately* getting a certificate from a cert authority that gives him ownership of "trusted-e-commerce.com" or some such horsepucky. He can set up a business, operate long enough to esablish trust, and then hose you. Certificate purring along perfectly 100% of the time.

    Presuming the victim site is a reputable one, any time after the cert is installed, any rooting attack on the webserver - of which there are endless varieties - that succeeds, will give the attacker complete control over (a) the webserver, (b) the certificate, (c) the ability to enter into an encrypted conversation with your browser.

    There's no need for a "man in the middle" attack, nor is there any need for you, as the consumer, to do anything differently. You're simply hosed. You may think that you're talking to secure-as-heck.com, but in reality, you're talking to hacker-boy-69, who has pwned secure-as-heck.com, and who is now gleefully collecting your information.

    So why bother? Because the server takeovers are rare; it ranges from fairly easy to difficult to do, but once done, the work to make the server act normal, but actually steal info, that takes more work. Work that is beyond most script kiddies. But again, this has NOTHING to do with the certificate, only with the security of the site in question. If it gets hacked, you're hosed. Doesn't matter if the hack is through the net or via some employee using the root password some dunce taped to the front of the server rack.

    The reason that certificates have value is because when you talk to a website, your packets go all over the place as they travel back and forth between the two parties, and a lot of people and machines have a chance to look them over. SSL conversations are about a zillion times harder to do that to -- they read back as garbage -- so people and machines tend to go for the low-hanging fruit instead, the tons of non-encrypted messages that cross the net. Encryption *is* good. I'd much rather not give a credit card number, expiration date, and CCV code in the clear. But I'm under no illusion that I've been protected from anything except during the trip between me and the server I'm talking to, which I hope, but cannot ever prove, is the one I *want* to be talking to.

    Once connected to the server, you have to make the same set of assumptions you do in a brick and mortar store. You have to assume the handsome guy behind the counter belongs there

  2. Always. on When Is a Self-Signed SSL Certificate Acceptable? · · Score: 5, Informative

    SSL certificates provide one thing, and one thing only: Encryption between the two ends using the certificate.

    They do not, and never been able to, provide any verification of who is on either end. This is because literally one second after they are issued, regardless of the level of effort that goes into validating who is doing the buying, someone else can be in control of the certificate, legitimately or otherwise.

    Now, I understand perfectly well that Verisign and its brethren have made a huge industry out of scamming consumers into thinking that identification is indeed something that a certificate provides; but that is marketing illusion and nothing more. Hokum and hand-waving.

  3. Re:I think he's a buzzword consultant on Cutting-Edge AI Projects? · · Score: 1

    Xeth, I emailed you when the article was posted; no response received. Intent? Usual email filterfoolery?

  4. Re:Give me a break on Cutting-Edge AI Projects? · · Score: 1

    I have no trouble believing the problem is widespread; it's just that I'm all too familiar with the problems where I live, hence the sarcasm. The GP's moderator, having not yet moved out of their mom's basement, isn't following the conversation very well.

  5. Re:a disappointment? on Whatever Happened To AI? · · Score: 1

    Just another darned adolescent, loose on the net...

  6. Re:Give me a break on Cutting-Edge AI Projects? · · Score: 0, Offtopic

    Yes, because countries never, ever violate their constitutions.

    Well, except for the USA, of course. Ex post facto laws. The standing of the commerce clause on its very head. The 1st, 2nd, 4th, 5th, 6th, 8th, and 10th amendments all sundered to degrees varying from harsh to ridiculous. Authorized, enumerated powers extended into unauthorized powers stolen wholesale from the citizens and the states. Article V completely ignored in favor of outright power grabs.

    Yes indeed, I'm quite sure we can count on a constitutional provision to keep a nation's leaders in check. After all, it's worked so well for us.

  7. Re:Seems real enough to me on Multitasking Considered Detrimental · · Score: 1

    Nah, we're both into the same music. Not entirely surprising, as I taught him to play bass and we jam every weekend, mostly on themes he develops, and which I greatly enjoy. But thanks for your post anyway.

  8. Seems real enough to me on Multitasking Considered Detrimental · · Score: 5, Interesting

    Kind of sad if you really didn't get it... I hope that was just "more joke."

    I just wrote something on the superiority of written matter over video because written matter has numerous advantages that relate to focus and reflection. I value these things. Right at that time, I ran into this very article (I mean the one TFS refers to), I found it a horrifying thing to read — like reading someone's report of losing their own mind.

    Since I wrote it up, I've been paying attention to how others pay attention, and I've seen a few things that signify, at least to me, that the problem is widespread.

    For instance, I introduced our youngest boy (he's in his twenties) to some music that is in his line of interest (he plays bass, this musician I was showing him is a fabulous bassist) and he listened for, oh, maybe 15 seconds before he began to talk about music, which segued quickly into other areas. I didn't answer him; he just took off on his own.

    Before the piece had finished playing, he was completely off on something else, and he had no idea what I was talking about afterwards when I asked him direct questions about the bass techniques demonstrated in the cut.

    It was disheartening, to say the least.

  9. Re:Privacy isn't that difficult. on Understanding Privacy · · Score: 1

    Fixed it, thank you!

  10. Re:Privacy isn't that difficult. on Understanding Privacy · · Score: 1

    In the USA, it isn't just property. It is access to property, to one's person, to the persons of one's family, etc. Many of these issues are not about economic return, unless you abstract them into meaninglessness.

  11. Re:LIVE ON CASH on Electronic Transaction Reporting Slipped Into Senate Bill · · Score: 1

    You realize that they can, and have already, confiscated large amounts of cash w/o a warrant and refused to return it? That they already force banks to report large transactions (both parties)? Heads up, there.

    The whole cash lifestyle is not without its legislatively crafted pitfalls. I don't say "legal" because that carries the connotation of authority, and the feds never had authority to do any of this. They have power, which is something else entirely. Any tin pot dictatorship has power. One mark of a civilized society is a mechanism that properly and successfully confers and limits authority for powers to government; here, that mechanism used to be the constitution. No longer.

  12. Re:Privacy isn't that difficult. on Understanding Privacy · · Score: 1

    According to my webstats, hundreds of people read it today, coming from slashdot. Not the moderator of the post you replied to, or the post that was a reply to, but a lot of other people, anyway. And frankly, those are the people I was writing for -- not the ones that can't be bothered and just fire off comments into the dark. Those people are both part of the problem.

  13. Re:Privacy isn't that difficult. on Understanding Privacy · · Score: 4, Insightful

    Not really. Knowledge is not a synonym for physical or human-free (computer) non-storing access; yet access -- to knowledge certainly, but also to property, your person, your effects, your home -- directly addresses the issue at hand.

    Personally -- and I seriously mean that, this is not about you -- I find that boiling things down to be concise is a task that, while eminently worthwhile, is fraught with the risk of error. One of the signals that I've gone too far is when I find myself trying to make what I said into an abstraction of an abstraction. That's why I would not adopt your formulation.

    In this case, I find the fourth amendment instructive. Those were incredibly insightful people. When they said the right of the people to be secure in their persons, houses, papers, and effects, that really covers the bases very well, without having to get all hand-wavy.

    ...unless you're a government stooge, that is. In which case, like the commerce clause, the prohibitions against ex post facto laws, the phrases "shall make no law" and "shall not be infringed" and "shall enjoy the right" and "nor shall be compelled" and others, we are being told we should believe it means the exact opposite of what it says. I have a severe problem with that.

  14. Re:first post on OS X Snow Leopard Details · · Score: 1

    Apple does not want to compete with its application developers. A consumer computer that can do "everything" out of the box ends up without a healthy ecosystem of commercial developers.

    [points at Aperture(cough-Lightroom)... points at dashboard(cough-Konfabulator)... points at Garageband(cough-entire industry of similar apps)]

    Truly, if it isn't useful out of the box, it really isn't as nice a thing to have at all. Apple knows (or at least, knew) that. Think about what they put in the box, or what they have: Garageband. iMovie. iPhoto. Mail. iChat. iCal. iDVD. iWeb. Grab. Omni Outliner. Comic Life. XCode. Calculator. Safari. Address book. DVD player. iTunes. Stickies. Preview. Dictionary. Appleworks. At various times, they add iWork and other programs and suites. They know these things help sell the OS, and they know why: because it's usable out of the box.

  15. Re:Privacy thwarts on Understanding Privacy · · Score: 1

    Perhaps you'll enjoy this joke of mine, then:

    Q: Why are men's minds always in the gutter?

    A: Because it is easier to look up women's skirts from there.

  16. Re:Privacy isn't that difficult. on Understanding Privacy · · Score: 4, Funny

    Normal, mentally healthy people don't need to be taught these boundaries, they are implicit social contracts.

    [says nothing, waves hands in general direction of congress, the executive, and the judiciary]

  17. Re:first post on OS X Snow Leopard Details · · Score: 2, Interesting

    Actually, I'm fairly comfortable saying that. Deep underlying changes, complete rewrites... those are great ways to break the living heck out of a system that is mostly working very well. Whereas adding tools for the end-users (even kids) that don't yank the entire rug out from under every program in the system and replace it with a brand new rug which may be slippery, a fire hazard, contain uncounted numbers of weevils, and - by accident of course - is missing the rubber backing so you slip on it every time you step on it...

    But really, I'm not worried about it. You know why? Because what I actually think we're going to get a year from now is an announcement that there's new iPhone software available. Perhaps accompanied by the news that there's a new iPhone, too. If we do get an OS X that has been substantially rewritten internally, I will (a) be astonished, and (b) let you test it for a couple of years before I make even the slightest move to upgrade. Because momma didn't raise no fool.

  18. Re:Privacy isn't that difficult. on Understanding Privacy · · Score: 1

    What you're talking about is scope and grant of access. They're still social boundaries; it isn't a matter of law by nature. That is simply hardening boundaries — not creating them. I encourage you to read the essay I linked; I talk about issues of large scope and small scope there, as well as grant of access and the (ir)relevance of hardening boundaries, directly addressing your points.

  19. Re:Privacy isn't that difficult. on Understanding Privacy · · Score: 5, Insightful

    Privacy = I decide who knows what about me.

    That's a good working model. It doesn't account for someone who comes into your house and sprays graffiti on your walls, though.

    Consider defining your equality this way:

    Privacy = I decide who has access to me, those people I am responsible for, and those things that are mine.

    Then go look at the fourth amendment. Carefully. Think about the role of persons, houses, papers, and effects as stated there, as well as how those things generalize into today's realities, and then take a moment to marvel and just how right those people got the issue.

    Then take another to be absolutely horrified at how wrong today's government has gotten them.

  20. Re:Sorta.... on Understanding Privacy · · Score: 5, Informative

    Frankly, the type of data the US Government works with is mostly public knowledge anyway.

    Yes? What you say on the phone? The amounts, times and participants in your banking transactions? Your medical records? Your email? Your borrowings from the library? Your purchases from Amazon? Your credit card records? These comprise "public knowledge"?

    I'm sorry, but I have to call your position the definitive "head in the sand" position. I cannot agree, even slightly.

  21. Re:Privacy isn't that difficult. on Understanding Privacy · · Score: 5, Insightful

    I don't pin everything on the government. However, they are indeed the primary source of privacy problems in the USA right now. We have, historically speaking, had good legal backup for the concept of privacy as embodied in the 4th amendment. The government is doing a great deal to erode those protections on many fronts at once, and this is, I maintain, the key area we need to focus on this issue. While I am not happy if John Q Moron personally invades my email stash, I am a lot more concerned if the government decides that's OK in the face of its own constituting authority. I'll deal with John Q later.

  22. Re:Privacy isn't that difficult. on Understanding Privacy · · Score: -1, Offtopic

    The set of social boundaries ... that we are expected not to cross" really varies from person to person

    Yes, of course it does. Did you even bother to read the linked essay?

    if you use this definition, if people accept warrentless wiretapping as the norm, then social expectation will dictate that there really aren't any privacy violations going on

    Ah. Obviously you didn't read it. Go read it.

    What social boundaries are we talking about here, and who is the "we" that are expected not to cross them?

    Go. Read. The. Essay.

  23. Re:Privacy isn't that difficult. on Understanding Privacy · · Score: 1

    Darn it, because I was thinking of information issues, I typoed my own definition. What I meant to say was:

    Privacy is defined by the set of social boundaries dealing with ACCESS in any one society that we are expected not to cross.
  24. Privacy isn't that difficult. on Understanding Privacy · · Score: 4, Insightful

    Personally, I think the idea that privacy is difficult to comprehend is overblown. Privacy is not at all difficult to define, understand, or to properly address in either the social or political sense.

    Privacy is defined by the set of social boundaries dealing with information in any one society that we are expected not to cross. How well you respect privacy is essentially whether you elect to cross those boundaries against those expectations.

    Here is my essay on privacy; see if reading it doesn't nail the issue for you in very short order.

    There is literally no need to invoke "multiple kinds" or "family resemblances", to mistake the hardening of a boundary (increasing difficulty of access) or the softening of it (as in data becoming easier to get to) for the idea that there actually is one, or to imagine that digital data is somehow qualitatively different than a letter. That's just making a ridiculous mess out of things that weren't all that complicated to begin with.

    Further, it isn't that there has been a "great struggle" to define privacy in a practical sense; any reasonably intelligent citizen knows perfectly well what it is, and they know when it has been violated, too. The problem is that the government (in the USA, at least) has found it to its great advantage to ignore privacy at every level it can; and that we are nearly powerless to do anything about it. That's what is causing all the fuss, and deservedly so.

  25. Re:All iPhone, all the time on OS X Snow Leopard Details · · Score: 1

    My suspicion is that they're keeping their options open and directing media attention where they want it most: They can always announce extra features later, but they don't have to.

    Well, that'd be good thing at release time; I question the wisdom of making the community think that OS X is getting less than the share of attention it has gotten in the past, or less than it otherwise could in the interim, though. Better to take them at their word and bitch about it so they either care enough to say, "no, no, we just meant no new kernel features, there will be plenty of cool new things to use in the next release", or else to perhaps let them know that if they indeed plan to only work on low-level stuff, that the rank and file will be restless.

    Basically, Apple gets media coverage focused on the iphone beyond any advertising budget ever. They have a release planned which might not have reasons for end users to upgrade (developers have many more reasons to switch) but Vista gives them breathing space to do housecleaning.

    I don't really think -- personally, my opinion only -- that's the case, or at least, not until or unless Apple achieves a comparable market share to windows in general.

    If you wanted to be mean, you might say that they could work on new features, deliberately leave them out of snow leopard, and then take a GIGANTIC DUMP on the release of windows 7 by releasing them then.

    Sure. But you could say you're working on cool new things without saying what; you'd still get to take a dump, and you'd have excited users instead of a bunch of people wondering if they should move to Ubuntu because Apple is showing distinct signs of having lost interest in the Mac side of things...

    But for that to happen, you'd need someone really ruthless in charge. Everyone knows Jobs is a fluffy little bunny who wants to be friends with MS...

    [laughs]... at present, Jobs appears to me to be a fluffy little bunny with an iPhone in each hand. With an AT&T exec standing nearby going...

    "Well, that's no ordinary rabbit! That's the most foul, cruel, and bad-tempered rodent you ever set eyes on! Look, that rabbit's got a vicious streak a mile wide, it's a killer! He'll do you up a treat, mate. I'm warning you!"

    Apologies to Monty Python