If I have sex with a nice hairy cuddly beary man, and he tells me afterwards that on 2012-12-21 all the US army will be on Defcon 3 due to the Mayan calendar thingy, is that rape? Does it make a difference whether we used a condom or not? Or is it just a leak of top secret military info? Or did he only pull my leg?
;; QUESTION SECTION: ;routerlogin.netgear.net. IN A
;; ANSWER SECTION:
routerlogin.netgear.net. 3531 IN A 64.95.64.197
;; AUTHORITY SECTION:
netgear.net. 172731 IN NS ns.buydomains.com.
netgear.net. 172731 IN NS this-domain-for-sale.com.
;; ADDITIONAL SECTION:
ns.buydomains.com. 7131 IN A 64.95.64.93
this-domain-for-sale.com. 3531 IN A 206.83.79.30
;; Query time: 24 msec ;; SERVER: 127.0.0.1#53(127.0.0.1) ;; WHEN: Mon Dec 20 16:58:01 2010 ;; MSG SIZE rcvd: 155
And you are positively sure that the certificate of your router is really signed by a CA, and that you didn't have to "accept" it on first login?
Then what's the polite way to tell house guests why you're not letting them check their Facebook?
Simple: don't log in to the management interface of your router while you have untrusted house guests. Indeed, a man in the middle can only spy upon a conversation that takes place.
Now, if your guests ask you to reconfigure your router because they need something special, just pretend you don't know how to do that, or that you forgot your password.
Or, alternatively, only take in trusted house guests.
Where is the misinformative label when you need it?
This has zit to do with certification authorities, because the certificate would not be recognized as valid by any browser, because the DNS name would not match. And no certification authority worth their salt would sign a certificate for 10.0.0.1 or similar nonsense.
So, the solution would be D. generate a unique private/public key pair for each device, and have the user manually accept the certificate as an "exception" on first usage. Which he has to do anyways, even if all routers use the same certificate.
Moderators, please don't mod articles about certificates if you don't understand how certificates work.
Actually, most larger metro systems are 3d, with tunnels in varying depths, and lines happily crossing underneath or over each other
In a 2D (metro) system you can only traveling to arbitrary nodes (assuming there is a station there) frequently requires changing trains or extended travel times.
On a well designed system, you should be able to get from any station to any other one changing at most once. And frequency should be high enough that changing is not too time-consuming.
the secondary problem being that it isn't actually generally all that convenient.
The metro in Paris actually works quite well (when it is not on strike).
Hmm let's see: some form of transportation to link neighborhoods, that works in 3D, to relieve gridlocks? Remove the insane flying-vehicle thing, make it cheap and practical, and you've got yourself a metro.
A Metro? Gloomy tunnels in which you will be robbed and knife- or gunpoint? Expensive underground construction work that strain the city's budget? And how do you evacuate people if there's a fire?
No, you should prefer a tramway. It's much greener, and also affords you a nice view of the city. You should be proud of your public transportation, and show it in the open, rather than shamefully burying it underground!
So what he was saying is, that they are padding with a potentially unencrypted random number, that can be used to guess earlier and later random numbers, and thus break SSH. The random number is a hint for crackers / PRNG guessers.
No, that a deliberately "broken" implementation of ssh (either on server or on client) could use the padding to leak the session key, and that without access to the code there would be no way to tell (... because the padding is "supposed" to be random...).
Quite clever actually, and reminescent about the ways how the French subverted the Luxembourgish Luxtrust system.
Luxtrust token are hardware crypto token containing a private key. The key (supposedly) is generated randomly by the token at initialization and never leaves the token, and can only be used to establish session keys and sign messages, where the critical calculation happens on the token. The key is used to secure banking transactions, so that for example, the French tax administration cannot spy on the communication between French citizens and their Luxembourgish bank.
That's the theory. The catch is, the tokens are manufactured by the French company Gemalto, and each token's random number generator will only ever "generate" private keys from a limited set (different for each token, of course). So, French tax administration can trivially infer the private key by looking up the public key in a table provided by Gemalto.
The scheme is virtually undetectable, because:
The keyset is different for each token
Each token can only be initialized a very limited amount of times (much smaller than number of possible keys for that token)
The tokens supplied to BSI for audit didn't have this weakness. And moreover, the German tax authorities would be quite happy to listen in too:-)
Result: Luxembourg spent millions on an inconvenient crypto scheme, which works neither on modern 64 bit compiters nor on mobiles, and which is useless for its purpose.
In order to stay "technically" legal, the group can't openly call for an illegal action, such as DDosing of a target. So they instead say "hopefully nobody will DDos target", and hope that everybody understands what is really meant...
As somebody else pointed out, then just make your "device" mimic a keyboard. At start, it inputs a program to send the data, and that program then sends the data by twiddling the keyboard leds (caps lock, scroll lock, num lock). Should even work over PS/2.
Physical disabling is crude and only for the most absolutely paranoid of situations
At some point a minimum of physical security is needed. Such a cover protecting the connectors, so that you can't unplug the keybord, and plug something else into the port.
If someone writes a program that displays 15 frames/second of QR encoded data and records it with a camera, that's 200MB of data every hour.
Good luck with spending hours photographing your screen without getting seen by co-workers walking by your office. Any data theft has to be quick in order to be unconspicious.
If he's patient, he can record it as a 2400 baud data stream and record it on his MP3 player - he can steal around 10MB/hour using this method.
How will he get sound out of his PC? Loudspeakers? Within minutes co-workers curious about the strange noise will show up. Well, maybe headphones, but soon enough you'll be losing too much quality to keep the data stream usable.
Or maybe he can record it as a bit patter on a laser printer - if he can write at 100dpi reliably, thats around 100KB per piece of paper. If that can be stretched to 500dpi he'll get around 2MB per piece of paper, and will look like a gray piece of paper to the naked eye so security won't pay any attention "Oh that, it's scrap paper I'm taking home to my kids".
Security personnel at such institutions are trained to spot just such shenanigans... Maybe they won't understand what you are doing, but they sure know that something very bizarre is going on if somebody tries to smuggle seemingly "gray" paper out of the facility... Not to mention that any computer with high enough security clearance may not actually allow output to printer. Or at least not to a printer without a guard standing near it.
he can plug in a USB keyboard dongle that acts as a keyboard and then let it type in the program for him.
That would indeed bypass any software protection based on USB ids. But what about physical security (such as a shell locking over the back half of the computer, preventing access to USB ports). Sure, the perp could always cut the keyboard cable, and directly solder his device on, but then again he'll be bust if somebody just happens to be walking into his office at the wrong moment.. not to mention the permanent damage to the cable raising another red flag.
Maybe. But I'm still more worried about somebody shouting at me who sits next to me, than about somebody with a sticky caps lock key halfway across the globe:-)
Here's where lack of democracy comes in: politicians (rightly or wrongly) feel that they would never get the necessary majority to repeal or supersede the 10th Amendment, and thus they prefer to play silly word games around "commerce". If your argument is so compelling, bring it before the people to convince them to make a democratic decision to fix the constitution, rather than working around it. Anything else is just hypocrisy.
Or..are the Feds just now trying to make any law for anything, and stick commerce in it, so they can try to enforce something?
The Feds have been abusing the "commerce clause" since ages. Almost any federal law has some bizarre reference to "commerce" in it to justify how the Feds had authority to pass the law in the first place.
The most funny application was how a Californian resident was tried under a federal law for growing pot for her own consumption. You see, if she grows her own pot, she doesn't need to buy it, and thus her dealer doesn't need to import it from another state. That way, by growing her own she was "distorting interstate commerce", giving the Fed jurisdiction over a "crime" which should have been a local matter.
Why are "Interstate Threats" punished more severely than local threats? It's not logical, local threats are more credible (does anyone really believe a thug would come extra from California to NY to vandalize the home of an unhappy customer?), and thus more frightening ("I've just a bridge to cross..." is way more scary than "I'll hop into the next plane and come to..."). So Interstate threats should be considered less server, not more.
Slashdot Mirror
If I have sex with a nice hairy cuddly beary man, and he tells me afterwards that on 2012-12-21 all the US army will be on Defcon 3 due to the Mayan calendar thingy, is that rape? Does it make a difference whether we used a condom or not? Or is it just a leak of top secret military info? Or did he only pull my leg?
Which is why the built-in DNS server on e.g. NETGEAR routers points routerlogin.net to the appliance's private IP address.
Smart...but it would have to be routerlogin.netgear.net or else no CA would sign this.
hmmm... but:
> dig routerlogin.netgear.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 25491
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2
;; QUESTION SECTION:
;routerlogin.netgear.net. IN A
;; ANSWER SECTION:
;; AUTHORITY SECTION:
;; ADDITIONAL SECTION:
;; Query time: 24 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Dec 20 16:58:01 2010
;; MSG SIZE rcvd: 155
; > DiG 9.7.1-P2-RedHat-9.7.1-2.P2.fc13 > routerlogin.netgear.net
routerlogin.netgear.net. 3531 IN A 64.95.64.197
netgear.net. 172731 IN NS ns.buydomains.com.
netgear.net. 172731 IN NS this-domain-for-sale.com.
ns.buydomains.com. 7131 IN A 64.95.64.93
this-domain-for-sale.com. 3531 IN A 206.83.79.30
And you are positively sure that the certificate of your router is really signed by a CA, and that you didn't have to "accept" it on first login?
Then what's the polite way to tell house guests why you're not letting them check their Facebook?
Simple: don't log in to the management interface of your router while you have untrusted house guests. Indeed, a man in the middle can only spy upon a conversation that takes place.
Now, if your guests ask you to reconfigure your router because they need something special, just pretend you don't know how to do that, or that you forgot your password.
Or, alternatively, only take in trusted house guests.
This has zit to do with certification authorities, because the certificate would not be recognized as valid by any browser, because the DNS name would not match. And no certification authority worth their salt would sign a certificate for 10.0.0.1 or similar nonsense.
So, the solution would be D. generate a unique private/public key pair for each device, and have the user manually accept the certificate as an "exception" on first usage. Which he has to do anyways, even if all routers use the same certificate.
Moderators, please don't mod articles about certificates if you don't understand how certificates work.
- a metro is a 2D system, not 3D.
Actually, most larger metro systems are 3d, with tunnels in varying depths, and lines happily crossing underneath or over each other
In a 2D (metro) system you can only traveling to arbitrary nodes (assuming there is a station there) frequently requires changing trains or extended travel times.
On a well designed system, you should be able to get from any station to any other one changing at most once. And frequency should be high enough that changing is not too time-consuming.
the secondary problem being that it isn't actually generally all that convenient.
The metro in Paris actually works quite well (when it is not on strike).
Hmm let's see: some form of transportation to link neighborhoods, that works in 3D, to relieve gridlocks? Remove the insane flying-vehicle thing, make it cheap and practical, and you've got yourself a metro.
A Metro? Gloomy tunnels in which you will be robbed and knife- or gunpoint? Expensive underground construction work that strain the city's budget? And how do you evacuate people if there's a fire?
No, you should prefer a tramway. It's much greener, and also affords you a nice view of the city. You should be proud of your public transportation, and show it in the open, rather than shamefully burying it underground!
That plastic water bottle you tossed in the trash could soon be fueling your car instead of sitting in a landfill for 1000 years.
In any case, that's a lot more humane than using cats for this purpose
They be backdooring everybody out there
And be sure where not to hide them. The obvious spot is unavailable unfortunately because they are "backdooring" everybody...
So what he was saying is, that they are padding with a potentially unencrypted random number, that can be used to guess earlier and later random numbers, and thus break SSH. The random number is a hint for crackers / PRNG guessers.
No, that a deliberately "broken" implementation of ssh (either on server or on client) could use the padding to leak the session key, and that without access to the code there would be no way to tell (... because the padding is "supposed" to be random...).
Quite clever actually, and reminescent about the ways how the French subverted the Luxembourgish Luxtrust system.
Luxtrust token are hardware crypto token containing a private key. The key (supposedly) is generated randomly by the token at initialization and never leaves the token, and can only be used to establish session keys and sign messages, where the critical calculation happens on the token. The key is used to secure banking transactions, so that for example, the French tax administration cannot spy on the communication between French citizens and their Luxembourgish bank.
That's the theory. The catch is, the tokens are manufactured by the French company Gemalto, and each token's random number generator will only ever "generate" private keys from a limited set (different for each token, of course). So, French tax administration can trivially infer the private key by looking up the public key in a table provided by Gemalto.
The scheme is virtually undetectable, because:
Result: Luxembourg spent millions on an inconvenient crypto scheme, which works neither on modern 64 bit compiters nor on mobiles, and which is useless for its purpose.
In order to stay "technically" legal, the group can't openly call for an illegal action, such as DDosing of a target. So they instead say "hopefully nobody will DDos target", and hope that everybody understands what is really meant...
Why should Amazon risk compromising their servers just because one of their hosted sites has become a target?
Hmmm, look like they did exactly that :-)
Amazon is a business, and risking that business because of a single client would be a horrible idea.
So why did they do it, if it was such a horrible idea?
The port may be universal; but the drivers aren't
As somebody else pointed out, then just make your "device" mimic a keyboard. At start, it inputs a program to send the data, and that program then sends the data by twiddling the keyboard leds (caps lock, scroll lock, num lock). Should even work over PS/2.
Physical disabling is crude and only for the most absolutely paranoid of situations
At some point a minimum of physical security is needed. Such a cover protecting the connectors, so that you can't unplug the keybord, and plug something else into the port.
If someone writes a program that displays 15 frames/second of QR encoded data and records it with a camera, that's 200MB of data every hour.
Good luck with spending hours photographing your screen without getting seen by co-workers walking by your office. Any data theft has to be quick in order to be unconspicious.
If he's patient, he can record it as a 2400 baud data stream and record it on his MP3 player - he can steal around 10MB/hour using this method.
How will he get sound out of his PC? Loudspeakers? Within minutes co-workers curious about the strange noise will show up. Well, maybe headphones, but soon enough you'll be losing too much quality to keep the data stream usable.
Or maybe he can record it as a bit patter on a laser printer - if he can write at 100dpi reliably, thats around 100KB per piece of paper. If that can be stretched to 500dpi he'll get around 2MB per piece of paper, and will look like a gray piece of paper to the naked eye so security won't pay any attention "Oh that, it's scrap paper I'm taking home to my kids".
Security personnel at such institutions are trained to spot just such shenanigans... Maybe they won't understand what you are doing, but they sure know that something very bizarre is going on if somebody tries to smuggle seemingly "gray" paper out of the facility... Not to mention that any computer with high enough security clearance may not actually allow output to printer. Or at least not to a printer without a guard standing near it.
he can plug in a USB keyboard dongle that acts as a keyboard and then let it type in the program for him.
That would indeed bypass any software protection based on USB ids. But what about physical security (such as a shell locking over the back half of the computer, preventing access to USB ports). Sure, the perp could always cut the keyboard cable, and directly solder his device on, but then again he'll be bust if somebody just happens to be walking into his office at the wrong moment.. not to mention the permanent damage to the cable raising another red flag.
cryptographic signatures
Is this a genuine spam, or just somebody's twisted sense of humor?
And nice telephone number too: (425) 722-1299.
Handy for reporting such serious business as "Microsoft lottery" e-mail scams and similar items.
I was more thinking about manure...
I've heard that Linux is also a cure. Tested in a small penguin.
There's no such thing as "consensual rape"
What about some SM plays?
Maybe. But I'm still more worried about somebody shouting at me who sits next to me, than about somebody with a sticky caps lock key halfway across the globe :-)
Here's where lack of democracy comes in: politicians (rightly or wrongly) feel that they would never get the necessary majority to repeal or supersede the 10th Amendment, and thus they prefer to play silly word games around "commerce". If your argument is so compelling, bring it before the people to convince them to make a democratic decision to fix the constitution, rather than working around it. Anything else is just hypocrisy.
I forsee mouth-rape in his near future.
That's why God gave man teeth.
One more reason I'm doing all my Christmas shopping through Amazon this year.
... and here is one big reason not to do any Christmas shopping through Amazaon this year.
Or..are the Feds just now trying to make any law for anything, and stick commerce in it, so they can try to enforce something?
The Feds have been abusing the "commerce clause" since ages. Almost any federal law has some bizarre reference to "commerce" in it to justify how the Feds had authority to pass the law in the first place.
The most funny application was how a Californian resident was tried under a federal law for growing pot for her own consumption. You see, if she grows her own pot, she doesn't need to buy it, and thus her dealer doesn't need to import it from another state. That way, by growing her own she was "distorting interstate commerce", giving the Fed jurisdiction over a "crime" which should have been a local matter.
Oh, I see, the commerce clause...