And how about an environment where you explicitly do NOT trust any certs that don't originate internally? Or where you don't even want a connection to the internet? Plenty of private networks don't even need DNS names, but could benefit from TLS even if a compromise is made on the host authentication part.
And how do you get a cert for a private domain name, or for a network that doesn't use DNS?
If you do have a real name, what if your organization isn't functional enough to jump through the authentication hoops needed to get a cert? What if you just want the wire-level encryption provided by SSL but don't really need the third-party authentication elements? There are plenty of uses for self-signed certs and plenty of enterprises where it would be very desirable for clients to be pre-configured to accept (ONLY!) certs issued by that internal root CA. It's the client bit that turns out to be hard. And despite all the comments in this thread that diminish that difficulty, I didn't see anyone explaining how to do it.
I suspect that a lot of people don't relate to the idea of an environment that's so big and dynamic that dealing with accepting self-signed certs is a problem, or that even the low-cost cert is too much... and I tend to agree mostly... but I also don't think most of the people who are convinced that it's really easy to make an internal CA and put that CA in your standard config and then deploy self-signed certs from that CA to your heart's content. But I don't see anyone actually showing how to do it... just links to the OpenSSL instructions that don't answer the hard part of the question.
(We KNOW how to make a private CA and certs. We know how the browser is supposed to be configured to accept that CA globally, as opposed to per-cert. We try to do it, and it doesn't work.)
I don't mind touching every desktop *once* since we deploy a standard configuration. What I don't enjoy is having to accept the self-signed cert every time a new one is created or one expires. I've always wanted to make a private "root CA". I would even go as far as to suggest that our enterprise root CA should be the *only* CA on the client systems, because in a real sense, nothing outside our facility should have "trusted" status in the first place.
I've never managed to do it. I can self-sign certs, of course, no problem. I can make my own CA key/cert. I can install that CA as an authority in the browser. It doesn't work though. When I sign a new cert, the browser still complains. I've made an honest effort to figure out how to do this, and I came to this Slashdot thread in hopes of finding out what I've missed, but even here people seem convinced that the task is so simple as to be beneath consideration.
Did it install that particular cert, or did it install a root cert so that all other certs on that campus were pre-approved?
I understand the OP's question pretty well. I've found it to be not so easy to make a private CA that lets you do enterprise deployment of private certs without having the end user (or even an admin with local access) accept the self-signed cert. I've put some honest effort into this task, and have never done it successfully.
It was nice working at a company that was already in the root CA list in all the browsers, because our "internal" certs were already in the chain of trust :-)
I would love, absolutely love, to see a cookbook example as to how to do this. I know how to set up a private CA. I know how to use that CA to generate certs and how to make Apache serve them. What I cannot do is make Firefox pre-accept certs that are signed by that CA key. Whenever you make a new cert or add a browser client, you *still* have to accept the cert. I have never (in years of trying) successfully added a trusted CA.
I get my CA cert in the trusted authority section... and it doesn't work. And if I ask for a cookbook example of how to do it, I invariably get directed "to google".
None of this stuff holds any mystery for me, and I'm not clueless, but I have never successfully accomplished this one simple task: Make a CA for an intranet and establish it in all the browsers in such a way that clients do not have to accept certs signed by that CA.
Cookbook example, please, because I've already been told I'm stupid for not being able to find this information or figure it out for myself.
Those of us who have datacenter experience understand that MTBF means NOTHING when you have enough disk drives that you're replacing one per week. You'll stop thinking of consumer drives as safe and reliable pretty quickly in that environment. And there's not really much of an alternative for "a step up from consumer drives." You need a backup system, and I don't think you'd be on the wrong track if you start with an HP LTO-4 autoloader, 52 tapes, and an account with Iron Mountain.
We spend about ten grand a year *just on tapes.*
One big win you can get when educating amateurs is to get them over the psychological obstacle that their hundreds of gigs or few terabytes presents.
A backup system that works for terabytes and doesn't take donkey's years is probably more expensive than all their other electronics combined. Faced with this daunting amount of data, few people actually bother to back up anything at all. The hurdle is to let them understand the difference between tiers of data:
A. If I lose this data, I may pay fines or go to prison
B. If I lose this data, I may lose property or money
C. If I lose this data, I may lose something of sentimental value
D. If I lose this data, I may lose entertainment value
Category "A" data is a very small amount for most people.
Category "B" data is also usually fairly small. There are plenty of simple ways to get very high levels of confidence for this kind of data, *provided the user has the ability and the discipline to segregate it*.
"C" and "D" categories are often lumped together, into a gigantic mush of photos, videos, MP3's, etc. Because of this pattern, truly important data gets lost in the noise and people simply give up, even if they do try to make backups.
It's easy to take for granted that people will find this stuff to be common sense, but if you actually make the effort to educate the user a bit, the education goes a long, long way.
I work in a manufacturing environment where we have this kind of plan. The IT parts of it are a drop in the bucket, since the disaster plan gets us from "smoldering crater" to full production (e.g., giant specialized machines, mountains of raw material, amazingly detailed logistics). As far as data recovery goes, we'd be less than 48 hours from "crater" to "all business intelligence and financial data online" -- we drill for it -- as long as the "crater" didn't cover Arizona, California, Utah and Nevada. We don't actually have a plan for dealing with that.
I work in a regulated industry where things work this way. We establish a written policy which is submitted to a regulatory agency. That agency periodically evaluates our performance to our own policy, giving our policy the force of law. Basically, we made it "the law" that we have a specific backup interval, using specific technology, offsite storage of LTO-4 media, etc. One thing that we absolutely do is routine data recovery. Meaning, as part of our routine process we have an ongoing request of media from offsite storage which drives a task that someone is required to perform, that is, restoring and validating a random sample backup. As a result, nobody in our organization has any confusion or doubt about the procedure or impact of a disaster event.
Then again, the cost of our backup system is probably much higher than the total IT budget for the people in TFA.
>You missed the point: $666 -> $210,100 in 36 years is equivalent to investing $666 for 36 years at 18% annual interest. The power of compounding!
You make it sound like consistent 18% opportunities were actually available to anyone, particularly with that small of an initial investment.
Well, there's an intermediate step that I seriously think should be taken. Instead of being a low-wage, entry-level, vocational rehab job, the screener job should require a minimum of several years of police experience and a degree in criminal justice.
I don't understand why people expect the TSA staff to behave like professionals when they simply are not.
Electromagnetic transducers don't have the direct link to cell damage that X-Rays have.
I look for situations where it's correct and appropriate to say "intensive purposes" deliberately. I'm surprised there's not an xkcd on this.
>Does Kuwait have a booming tourism industry or something?
Some, but it's ancillary to the people who travel there for economic reasons. When the men go there for business, their wives are the tourists. It's not the other way around, this is the Middle East, remember?
If I found myself in Kuwait, or any country that borders Kuwait, or any country that borders any country that borders Kuwait, I wouldn't be taking snapshots -- I'd be devoting every resource to getting the hell out of there as soon as possible.
>I didn't want to spend another vacation getting patted down by the FBI, even though I should have.
If it's not the fight you'd choose, then no.
Some people would actually welcome being arrested for doing something that is not only completely legal, but is also clearly an activity protected by the First Amendment. If you aren't among them, then you really should just walk away and find another seagull. For some, the experience you had is like winning the lottery.
How am I supposed to do my architecture photography if I can't use my Tilt/Shift lens?
>(Personally my issue with the scanner isn’t the radiation, but for some people it is.)
For some people, dosimetry is really important because it has an effect on how often they can work.
They aren't allowed to wear meters in the scan. They don't know what their total dosage is. They can't even estimate it because the information isn't disclosed.
Basically, people are claiming that an unknown, undisclosed amount of X-Ray exposure is perfectly safe in all circumstances, to people at all stages of life (e.g., first trimester fetus), even people in radiological professions and even people who undergo significant amounts of irradiation for medical reasons.
There is no way to draw an equivalence across all these groups. And, no, you are NOT exposed to a direct equivalent of a backscatter X-Ray in "two minutes of flight". It's not equivalent, and that often-quoted statement did not come from a radiologist or any expert with a relevant background.
What is the precise dosage of the backscatter, how is it calibrated, and how can it be independently verified? And why isn't my Congressman asking these questions?
Until the TSA discloses specific dosimetry information, we can't answer that question.
What are the odds of the first-trimester fetus that you don't know about yet getting cancer from an unknown x-ray dose?
It's a different kind of radiation, and not directly comparable.
I have not seen any specific claim as to the intensity of the backscatter machines in question, nor have I seen anything about how the calibration is maintained, how often it is checked, who checks it and by what method, or how any of this can be independently verified.
If they detect a tumor but don't report it, can they be held liable?
>Basically what I'm saying is fuck those guys, they must be assholes if they agree to do that job.
More likely they are desperate. They have been rejected for police jobs and other civil service jobs. With the TSA they get federal benefits (increases like clockwork, it's better entry-level benefits than you'll get anywhere else).
Once you get in the door at a place like that, you're not going to voluntarily leave. If you can psyche yourself up to work a job where you cut the assholes out of pigs or work at a machine that's likely to pull your thumbs off, you can do this.
The real problem is that they aren't *professionals*. I think the airport security job at the lowest level should require years of police, military police, or private security experience and a degree in criminal justice. Instead, it's an entry-level vocational rehab job.
If the images can't be saved, they can't be used as evidence.