Slashdot Mirror


User: billstewart

billstewart's activity in the archive.

Stories
0
Comments
7,948
First seen
Last seen
Profile
(view on slashdot.org)

Comments · 7,948

  1. ICANN's badly broken, UN wannabees worse. on Meet the Man Who Will Save the Internet · · Score: 1
    ICANN is badly broken, mostly in arrogant ways that annoy people, and doing a terrible job, though of course the UN wannabees are a combination of greedy evildoers like the Chinese government and generic arrogant .EU dogooders that find ICANN annoying but are otherwise Mostly Harmless, but it's the latter that create the context that the evildoers want to exploit. Here are some of the problems with ICANN
    • DNS names with character sets besides 7-bit US ASCII are a really important issue to people in most countries around the world, except the US, but ICANN hasn't gotten anything approved, and for a while was working with Versign's horribly broken Internationalized Domain Naming system that was an ugly klooge for URL naming, an uglier and incomplete kluge for email, and pretty much useless for other protocols. Internationalizing DNS is a technically hard problem, and ICANN didn't put enough work into getting research and development done.
    • More Global TLDs - ICANN really heavily dragged their feet on this, and imposed policies like "$50000 non-refundable bribe for considering your suggestion" that have prevented experimentation with different DNS structures and implementations - the only technical creativity so far is in dot-museum. I don't mind that they did a bunch of lame names first; it's much better to work out policies and technical issues on names that nobody cares about like dot-aero before you get to the big-money TLDs like dot-sex. But they've been way too slow, largely to preserve an artificial scarcity so they can make money off it, and it's been a bit stifling.
    • The Dot-XXX debacle - first the US right-wingers are telling ICANN they need to create .xxx so all the pr0n can be shoved off into a corner and censored, so ICANN decides to do it, and then other right-wingers (or some of the same, who've got organizational Alzheimer's), tell the US government to tell ICANN not to create .xxx because it admits to the existence of sex. Much of the world, or at least Europe, views this not only as a display of American cultural backwardness and prudishness, but see it as US partisan politics interfering with the supposedly-international Internet. There were other people who wanted .xxx, of course, because it could be commercially valuable, which is fine with ICANN.
    • Money - ICANN doesn't have a natural source of revenue other than selling domain names space, so they not only wanted to charge prices that were much higher than the real costs (cheap enough for US/EU/JP, but annoyingly expensive to people in third-world economies), but they tried to extort the Country-Code TLD owners into paying them for namespace as well as agreeing to all their other policies, which annoyed a lot of people.
    • IPv4 / IPv6 address space grab - ICANN not only grabbed control of DNS, but also got control of Internet addressing, and has tried to use it as another funding source. There's a public perception that this is unfair internationally, because lots of US universities and defense contractors got big chunks of it when the net was young, though in reality it's not that unbalanced, universities are giving back space, and HTTP1.1, RFC1918, CIDR, NAT, etc. are making the need much less critical. However, IPv4 space *will* run out, and implementing IPv6 is more important than whining about remaining IPv4 space. Also, governments like China have been whining about wanting to control IP space for their countries, and it may be easier for them to grab it from the "American-dominated" ICANN than from the obviously international RIPE, APNIC, LACNIC and ARIN.
    • IPv6 issues - ICANN's been treating address space as a funding source, not just as a scarce resource that you charge money for to prevent waste. It's one thing to do that with IPv4, but IPv6 is effectively infinite, yet ICANN was putting prices on it that discouraged people from getting space and experimenting with it.
  2. Because Public watches it & Advertisers sell a on Classic TV for Free Download · · Score: 1
    Some content is produced as propaganda, such as White House Press Conferences and movies like Battlefield Earth, and some content is Art for Art's Sake, but most content is produced because the producers think they can sell it to the public and the advertisers for more than it costs to make. And the advertisers advertise on TV or other content distribution channels because they think the content is going to get enough people to buy stuff to pay for the cost of the ads. And the public watches it, at least on average, though obviously content producers are occasionally surprised positively or negatively, and they do know that they're gambling and need to make enough money on the X% of big hits to make up for the failures. Sometimes ego and unrealistic optimism get in the way, which is why Waterworld spent $200 Million on production and negative fifty cents on good writing and only a few dozen people bothered to go see the movie.

    There's stuff on TV at 2am that you wouldn't watch in the daytime if you had anything better to do and weren't bored or stoned, but the TV channels will run it because enough people at 2am are bored or stoned and have nothing else to watch that the Ginsu Knife commercials can pay for the airtime. Later at night, or even earlier on some channels, the infomercials take over and don't even bother pretending to fund content, and they seem to make enough money at it to pay for the TV airtime.

  3. So block the VPN ports on VPN Flaw Allows Denial of Service · · Score: 1

    If you're not using the VPN features, then you can just block packets on Port 500 and you won't have to worry about it.

  4. Re:Pretty Graphs But the MATH is Wrong on The Math Behind the Hybrid Hype · · Score: 2, Insightful
    Oh, sorry, didn't notice your website in your slashdot reply posting headers. If I write something with major errors in it (as occasionally happens :-), I'd much rather have it corrected at the source than have somebody think it's cool and send it to Slashdot where half a million readers can tell me it's wrong, but I guess that's a matter of taste. You've obviously put a lot of work into this, and it wouldn't have been very difficult to take your figures and draw some correct conclusions from them. I took a swipe at this at the bottom of this article - owning the hybrids for a period of 2001-2006 appears to have been significantly cheaper than equivalent cars unless you've got a high cost of money.

    But ok, then, *you* didn't define your scope correctly or use it consistently, because you used it to draw incorrect conclusions outside the scope you thought you were looking in, *and* your math had some holes in it even within the scope you thought you were working in. Finance is an extremely critical engineering skill, because it tells you whether doing something is likely to be a good or bad idea, and the basics are not that hard.

    • Up in the summary you say that buying a hybrid is not economically worth it, which implies you're talking about a full economic comparison. But you're not - you're only talking about short-term cash flow during the lifetime of a car loan rather than the lifetime of the car.
    • At the end of the introduction, you say you're going to look at whether buying a hybrid is "worth it", which also implies a full economic comparison. But again, you're not talking about economics, you're talking about short-term cash flow.
    • Your gas-mileage calculations look correct, subject to obvious assumptions like the fact that the price of gas keeps changing and driving distances vary, though you need to compare the price of an "alternative non-hybrid vehicle" rather than "current vehicle" for other reasons. However, your driving distance assumption is 1500 miles/month, which you say in Footnote 25 is "conservative", but the DOE report you cite says the US average is 1000 miles/month, which makes your gas mileage calculations biased in favor of hybrids (though obviously people who drive more get more gas savings from hybrids; less obviously, they spend more on depreciation if they've bought an expensive hybrid.) On the other hand, their figures appear to be per-car - a 2-car household with one hybrid would probably use the hybrid for the person with the longer commute, though many social factors affect this (:-)
    • Down in Footnote 21, you say that your analysis is only valid for the life of the loan, and that after you've paid off the loan, the hybrid is at a significant advantage. If that's the scope you intend your analysis to cover, it needs to be said up front in big letters, because otherwise readers might assume your conclusions meant something about the economic value of owning the hybrid as opposed to the short-term cashflow.
    • In the section about "Car Payments", you're assuming that the buyer is using a no-down-payment conventional car loan from a finance company, as opposed to either paying cash or leasing a car. For many people, a car loan is a correct assumption, but amazing numbers of people seem to think leasing a car is a good idea, and the cost structure of that is somewhat different, including the fact that you need to give the car back at the end of the lease. Also, you're assuming that the loan is at market rates, as opposed to a dealer-incentive below-market rate. For a Toyota hybrid, that's probably realistic, but many American car manufacturers offer below-market loans as an incentive to buy their cars, which may affect things like Ford hybrid SUVs.
    • You also include a fudge factor of 15% above the sale price with a footnote that points to a credit union's car loan site, and you say it's "to account for typically incurred costs not included in the sale price." But as I read the credit union's web page, it
  5. How much are you spending on electricity? on The Math Behind the Hybrid Hype · · Score: 1
    Unless you're planning to sell the Escape once you've finished the payments, which doesn't sound likely, the extra $3K is probably costing you less than $60/month, because the real cost does get amortized over the lifetime of the car, even though from a cash-flow perspective you're paying it now, so you're coming out ahead.

    From an economic perspective, if you could use electricity from the wall for 90% of your driving instead of using gasoline-generated electricity, you'd start to notice your electric bill a lot more carefully (:-) Exactly how much it would increase depends a lot on what state you're in and what games your state electricity regulators and electric companies are playing against each other. (Here in California, you'd want to charge your car at night if you're able to get a cheaper-at-night electric rate, but you'd also get nailed by the "using-more-electricity-than-last-N-years" surcharges.)

    From an ecological perspective, sounds like your hybrid engine is a great deal (my old 1985 Toyota wagon also got 27-30 mpg when it was new, but it's about half the weight of your SUV.) Using electricity from the wall for most of your driving is going to have much different environmental effects than driving, but whether that's good or bad depends a lot on efficiencies and sources of power. For instance, if your local power plant runs on natural gas, it's probably a bit less efficient than using the natural gas directly in your engine. If it runs on oil, it's probably much less refined oil than the gasoline you'd be burning, so there's less waste and pollution from the refining processes, but it might or might not be more efficient in terms of hydrocarbons that get burned per mile you drive. Air pollution, especially smog, is generally reduced if you've got the power plants far away from cities and electric cars in the cities instead of gasoline-burners, but the Greenhouse Gas issues depend on how much fossil carbon you're burning, regardless of where you burn it. Hydroelectric power pretends to be clean, but the habitat destruction caused by dams is immense. Nuclear power is really clean from a greenhouse gas perspective, as long as you don't mind a bit of extra light from the poisonous wastes glowing in the dark for a few hundred thousand year :-)

  6. Re:Pretty Graphs But the MATH is Wrong on The Math Behind the Hybrid Hype · · Score: 1

    No, within the state scope, the math is less wrong, and the footnote indicates that the author knows that after the loan is paid off, the costs are different, though he gets them wrong too, and says that doing a more complete economic analysis would be more involved. (I didn't say his arithmetic was incorrect - he's calculating the wrong things, which is what makes his math wrong.) Especially given that he's said that in the footnote, drawing a conclusion that the hybrid is not economical is blazingly incorrect. Drawing a conclusion that buying a hybrid will hit you with significant negative cash flow up front would have been justified, though his assumption that everybody buys cars using car loans isn't valid. (Unless the loan is a loss leader, in which case the loss is built into the sticker price of the car, it's often better to pay cash for the car, in which case your cash flow is extremely negative the day your check clears, and somewhat positive after that. But if you owe lots of money on overpriced credit cards, you're better off getting the car loan and paying off the cards - YMMV... Or you might get a home equity loan that gets you a low interest rate that's often tax deductable, but your payments are potentially spread out over more years than you own the car.)

  7. Pretty Graphs But the MATH is Wrong on The Math Behind the Hybrid Hype · · Score: 5, Insightful
    Sure, the graphs are pretty and nerdy, but the math is wrong. He gets the "how much you're saving on gas" half correct, but the "how much the car costs" math is totally incorrect, so the "do you save money?" conclusions aren't usable. The problem is that he doesn't calculate the cost of owning the car for the length of time you own it - he calculates the monthly payments you make while you're initially paying for the car, ignores the period of time after you've paid off your loan, and then talks a bit about "value retention" (percentage of original value the car is worth at various ages) but doesn't include it into his calculations. That's especially wrong when he's comparing it to the cost of retaining an existing car - he's not really getting apples-to-apples comparisons, which not only affects the financial calculations but also the environmental impact (hint: the old car is going to stick around burning gasoline and consuming repair parts until it dies and gets junked and some parts get recycled - the issue of whether you or somebody else owns it doesn't change that.)

    The real way to make a good economic comparison is to compare buying a new hybrid vs. buying a new conventional-engine car, and do a time-value-of-money calculation to get present values of the cars and gasoline. Sure, monthly payments are what hits you in the wallet when you're making them, but they go away once you've paid off the loan, so you can calculate the Net Present Value of any interest you might pay to car dealers (might be positive or negative, depending on whether they're doing loss-leader loans to keep the car price higher.) Assume you're going to keep them both for the same number of years (otherwise it's way too messy; more on this later), estimate the effective interest rate for money over the next N years (which is not the same as the interest on your car loan...), estimate the future value of the car at the time you sell it (and calculate NPV), estimate the NPV of the price of any repairs you'll need to make, estimate the price of gasoline and amount you'll use over that period and NPV that.

    So does it pay off, or not? Depends a lot on what kind of car you'd get instead, how long you'd keep the cars, and on the assumptions you make about the future cost of money, gasoline, and used cars. If you're spending the same amount of money on the car (overinflated price of a hybrid vs. buying a fancy car), it's probably a win. If you're comparing the hybrid to an econobox, it's probably not a win. If you think cars last 15 years, and you're comparing the hybrid to a used econobox now, another one five years from now, and another one in ten years, it's almost definitely a big lose, but you get fewer coolness points for driving around in beaters during the first ten years (after that, your hybrid will also be a beater, and repair costs are much harder to predict than for standard cars.)

    I'm not the typical American car consumer - I buy cars with cash, generally new, don't drive very far most days, and keep them till they die of old age or are sufficiently close financially, so I spend less on cars and more on repairs (though replacing the engine in an old van did cost about the same as buying a used van of similar vintage, but since it had spent most of its years in California instead of New Jersey, the body was in really good shape.) A few years back, when my 1985 Toyota was getting old, we were thinking about keeping it running for a couple more years and getting an electric, but then the PT Cruiser came out, so we decided to go with the cool car instead... bought it on eBay.

  8. Re:Mass transit is only useful in NYC on The Math Behind the Hybrid Hype · · Score: 1

    Much of the US population lives in suburbs that developed after the automobile, and simply don't work without it, and in areas that have zoning laws that make sure than most people can't walk to work or to stores. Some of us live in cities that evolved around trains, and some of us live in cities like New York where public transit works fairly well and automobile ownership is silly and impractical. That's a big contrast to Europe, where much of the population is in cities that originally evolved for walking or horses or later for streetcars and trains. The traditional model where you've got a store or shop on the ground floor and several floors of apartments above it works very well. The industrial model where factories were surrounded by dirty sooty tenement housing for the workers wasn't great, and the alternative where the factory is along a railroad track that carries commuting workers as well as freight was a big step up.

  9. Sony's DRM *is* a Darknet on Darknets Coming Soon? · · Score: 1
    Sony's DRM system that installs rootkits on customers' PCs that can do arbitrary things including connecting to Sony *is* a Darknet, as is any other set of zombie slaves and their cracker overlords. They're not doing very much evil with it except lying to their customers and preventing them from making Fair Use of the music they've bought, and are probably much less chatty than most spyware, but an army of usually-sleeping zombies is simply a Bad Thing.

    Not sure if the "national security" sentence was intended as a troll, but no, encouraging encryption, everywhere, in everything, is *good* for national security, even if governments don't like not being able to wiretap everybody. The real strength of democratic countries comes from freedom of speech and association and strong economies that come from freedom of internal and external trade, and encryption strengthens that by preventing thieves from stealing everybody's stuff and thugs from attacking people they disagree with, regardless of whether those thieves and thugs are wearing stinkin' badges or not.

  10. Diffie-Hellman vs. RSA on Research Group Pushes to Ban Skype · · Score: 1
    Actually, no, RSA is *not* much more secure than DH against typical threats, because it doesn't provider Perfect Forward Secrecy. If anybody compromises your RSA private keys (e.g. steals your PC or gets a search warrant), they can crack any previous calls they've wiretapped. Depending on how they've implemented key exchange, RSA can also have MITM attacks (e.g. compromise a supernode), and I don't remember if the security analysis paper found that to be a risk or not.

    Diffie-Hellman _does_ require MITM protection, and you can either implement that using digital signatures (RSA is just fine here) or password-hash approaches between the client and Skype's authentication server. Whit Diffie likes DH with RSA signatures, and that's probably what Skype should have done.

  11. Skype vs. Firewalls on Research Group Pushes to Ban Skype · · Score: 1
    You put the firewall there to keep outsiders out, not to keep insiders in. To some extent you do care about outbound traffic, so you can contain viruses and such, but the popular firewall traversal method is typically "wrap it in HTTP or SSL", making Skype not much different from AJAX or other http-overloading systems, and from a security perspective, Skype may expose you to some risks if somebody exploits a buffer overflow, but if your users are already running IE and Flash and dozens of plugins, you're exposed to that anyway.

    There are companies making firewalls that do deeper packet inspection to detect things like Skype, because *everybody* does the Port 80/443 wrapper approach, but it's still an arms race. Of course, there are people like Dan Kaminsky doing tricks like tunnels-over-DNS, which are cute but really really abusive, e.g. getting multi-megabit/sec video to run over DNS requires splattering DNS requests across thousands of domains, but in practice most of the tunnel systems work just fine on standard protocols.

    There are companies and universities that worry that Skype users are providing services to outsiders, because of Skype's supernode system for letting people behind overly tight firewalls get out, but the supernodes can only provide service to outsiders if they're outside the firewall, so that's mainly a university problem, not a corporate problem (or at least, not a problem for the kinds of corporations that worry about Skype penetrating their firewalls.)

  12. Re:network security - not really on Fiber Optic vs Copper · · Score: 1
    I didn't say you're not going to take the circuit down for a few minutes in the process. But most targets aren't going to notice that if it happens at night, especially if you hit some time like Sunday at 1am, a common telco critical-equipment maintenance time (or 2am on Daylight-Savings-Switchover Sunday :-).

    Also, with larger companies that use fiber, it's fairly typical to configure it in a ring for reliability, with the signal transmitted on both sides of the ring so it can switch over rapidly if one side fails, so the victim either won't see a failure unless they're monitoring fiber-level alarms carefully, or else they'll see a ~50ms hit on the end-to-end connection even if you took their circuit down for an hour. That's if they're using Unidirectional Path-Switched Rings, which are the most common configuration for local access; long-haul rings between telco POPs are more likely to be Bidirectional Line-Switched Rings, which have a more complex switchover configuration (similar to FDDI), and also have the problem that each data channel is only on one half of the circuit except during a failure - but BLSR's pretty rare in local access rings, and if you want to wiretap between telco offices you get yourself a wiretap warrant, and if you want to do _that_ illegally, do it by forging paperwork or lying to a judge, not by climbing around some manhole with a splicer.

  13. Asterisk, SIP systems and older H.323. on Research Group Pushes to Ban Skype · · Score: 2
    Anonymous Coward mentions SIP and Asterisk. SIP is the emerging standard for VOIP, designed by Internet type people as a followon to the older H.323, which looks too much like ugly ISDN telco standards. Asterisk is a popular SIP-based PBX implementation, and there are other open-source SIP systems as well. Pulver.com's Free World Dialup is another good source of information. But there's a lot of legacy H.323 as well, and most of the Cisco gear runs a Cisco-proprietary/prestandard protocol called "Skinny", though it's gradually evolving to SIP support.

    If connections to the old phone networks are important, your choices are either to use a gateway box that converts VOIP to telco and connect it to a telco trunk (typically Asterisk PBX or a Cisco router with VOIP), or else use a service that will accept VOIP connections outbound to the PSTN and maybe inbound PSTN calls to you. SkypeOut and SkypeIn are Skype's answer to this, but there are a half-dozen wellknown companies that at least handle the outbound calls.

    Skype does two technical things particularly well, which helps account for their popularity (they also market well):

    • Good Voice Codecs - Skype licenses some codecs from GlobalIP which are designed to sound really good even when there are common bad data transmission problems; the standard codecs don't handle packet loss and random jitter very well, and they're usually limited to the telephony 4kHz audio 8000 samples/second 8-bit mu-law, while PCs have better soundcards that Skype's codecs can take advantage of.
    • NAT/firewall traversal - NAT breaks the Internet End-to-End principle in many ugly ways, resulting in many non-standardized ugly workarounds, and corporate firewalls and some personal firewalls also break it. Skype has a well-thought-out and extremely aggressive set of tools for escaping from this, which means you can plug your stuff in and it'll just work, as opposed to your mom having to figure out how to configure that $29 no-name firewall or you getting get your corporate IT droids to support you. (Of course, Info-Tech is giving advice to those same corporate IT droids about stopping you from using Skype to traverse their firewalls....)
  14. You're incorrect about the crypto issues on Research Group Pushes to Ban Skype · · Score: 1
    No, what they mean by "closed source" really *is* "closed source and no useful documentation on the internals or protocols". For many products, this tends to mean proprietary algorithms and a bunch of bogus junk, but that's not quite the case here. They've released some statements to the public, and had some consultants look at it under appropriate non-disclosure, and some researchers have done some reverse-engineering. They're quite explicit about the fact that they *do* use AES for the media encryption, which is a good choice, and they use RSA for some things, but it doesn't appear that they're using Diffie-Hellman for the key exchange (or if they are, they're not documenting it well), and there are some other concerns about whether their key exchange is implemented correctly as well as whether it meets the kinds of requirements *I* think it ought to have (:-), but it's at least done some of the obvious things correctly.

    Steve Bellovin reported to the cryptography mailing list that
    Skype has released an external security evaluation of its product; you
    can find it at
    http://www.skype.com/security/files/2005-031%20sec urity%20evaluation.pdf
    (Skype was also clueful enough to publish the PGP signature of the
    report, an excellent touch -- see
    http://www.skype.com/security/files/2005-031%20sec urity%20evaluation.pdf.sig)
    The author of the report, Tom Berson, has been in this business for many
    years; I have a great deal of respect for him.

  15. Bogus and Disingenuous at that on Research Group Pushes to Ban Skype · · Score: 1
    The company makes the following arguments:
    • Skype is not standards-compliant, allowing it and any vulnerability to
      pass through corporate firewalls.

        Skype doesn't comply with many of the popular standards, and it is designed to pass through firewalls fairly aggressively, including NAT traversal, which most of the standards-compliant VOIP protocols aren't very good at. But those are separate issues, and should be dealt with honestly. Beating them up for these problems separately is a much much stronger case than mashing them together incorrectly. And way too many applications need to be built to cooperate with firewalls, but instead are being built to work around them because the firewalls don't play well with others either.
    • Skype's encryption is closed source and prone to man-in-the-middle
      attacks. There are also some unanswered questions about how well the
        keys are managed.

        It *is* closed source, and there *are* serious questions. That doesn't mean they're prone to man-in-the-middle attacks, except attacks from Skype's own presence server - but traditional telco services can be attacked by bribing or subpoenaing the phone company, and newer VOIP services appear to have more vulnerabilities than Skype because the US is convincing their vendors to build in wiretap support.
    • Enterprises using Skype risk a communication barrier with countries
      and institutions that have already banned the service.

      There are people you want to talk to who don't use Skype for various reasons, but that just means you call them the old-fashioned way, or use SkypeOut to make a telco call to them if it's cheaper than your regular telco rates. Doesn't mean you should ban using Skype for calling people who do use it. If there are any countries that ban Skype, it's either because their monopoly telco doesn't like low-priced competition or because they want to wiretap their subjects' calls and Skype isn't helping them; there's no good reason to cooperate with that. There are institutions who've done the knee-jerk conservative paranoia ban on Skype for security reasons, but one of the largest concerns has been that Skype's supernodes can let outsiders use some of their resources in ways they don't understand well enough to trust. SkypeOut lets you call them for cheap, which isn't quite as good as free.
    • Skype is undetectable, untraceable, and unauditable, putting organizations that are subject to compliance laws at risk.
        If your organization has a legal obligation to record what phone calls your users make, and possibly to record the calls themselves, then yes, Skype is probably not currently for you. Very few businesses and not many governments are in this position, and telling everybody that they shouldn't use it because some kinds of users really shouldn't is disingenuous and tacky. But if you're only doing the recording for accounting purposes, so you can make sure that Department X pays for its fair share of the company phone bill, you simply don't need to do that for Skype calls.
    • The question of whether VoIP calls constitute a business record is a legal quagmire. Throwing Skype into the communications mix further clouds the issue.
          No, it doesn't further cloud the issue, even though your SkypeOut phone bill is separate from your local telco bill and long distance bill and calling card bills and employees' cellphone bills. If your organization needs to record its telephone calls for regulatory reasons, Skype might not be for you, but as with the previous bullet item, that's not very common, and waving your hands in the air to scare people is disingenuous

    Disclaimer: I work for a telecom company that provides many different kinds of traditional and VOIP voice and data services, not including Skype, and this is my personal opinion from several decades of professional experience, not an official position of my employer.

  16. Re:network security - not really on Fiber Optic vs Copper · · Score: 5, Interesting

    It's not really that different. If somebody wants to wiretap your home's or business's Internet connection by climbing telephone poles or popping manhole covers, the fact that the connection is fiber just means they need to bring some splicing hardware instead of copper alligator clips, and have a co-conspirator / getaway-driver with you to explain why your fake phone company truck is working at Midnight ("because that way it won't interfere with our customer's business", which is true for real repair people as well as wiretappers.) It's a bit more of a skilled job, but it's not the easiest place to attack most businesses anyway. More typically, you're an insider, but if you're an outsider, you want to crack into the victim's firewall over the Internet, or email them trojan horses, or if you *must* do hardware, you want to get into their phone closet where they've got the yellow sticky with the router password. But it's probably an inside job.

  17. Re:Multiple Routers - Client Configuration Issues on Google Offers Free WiFi for Mountain View, CA · · Score: 1
    I'd say it's gotten a lot of attention - it's just that the problems the vendors are trying to solve don't resemble the problems *I* want solved :-)

    Some of that's also an evolutionary problem - the right way to do encryption setup is to use Diffie-Hellman key exchange, but that takes more horsepower than the earlier generations of Wifi cards had, so they just didn't do any encryption except for people who explicitly set up passwords. On the other hand, they did all that lame broken WEP stuff, and it took a couple generations of standards for them to recover from having a couple of Berkeley grad students rip it to shreds, so the fact that they *also* didn't have enough horsepower to do the right thing doesn't excuse them for being bleeding incompetents who were doing seriously broken wrong things.

    If I want NSA-proof communications, I'll run IPSEC or SSL VPN connections, but it'd be nice if the default behaviour of the most widely deployed systems were at least neighbor's-kid-proof.

  18. Good beer, low corporate taxes on Google Offers Free WiFi for Mountain View, CA · · Score: 1
    A lot of multinational companies have headquarters in Dublin, because the corporate taxes are much much lower than if they were legally based in other places in the EU where they're actually doing most of their business, rather like US corporations being based in Delaware or Nevada. So we get to sell them data center space and Internet or MPLS connections for their offices, even if the office itself is just a couple of rooms with a secretary and a couple of bureaucrats and solicitors.

    So far none of my customers have ordered RFC1149 service instead of Internet, and if they're building IP-over-pressurized-nitrogen using Guinness cans and string, they're obtaining them locally.

  19. Premium Service == Higher Speed on Google Offers Free WiFi for Mountain View, CA · · Score: 1
    The local free dead-tree newspaper had an article on Google's proposed free wireless service :-) The free service gets you a certain speed, and if you want to go faster, you can subscribe. The article said the free-service speed was "300 kilobytes/second", but I have low confidence about whether that's really kilobits or kilobytes, given the usual accuracy of newspaper reporters writing about technologies they don't really understand. Getting 300 kBytes/sec reliably over a wide area is pretty tough, and it's faster than most DSL service around here; getting 300 kbits/sec is a lot easier, and it's a speed that's plenty fast enough to use at a random coffee-shop or bookstore but slow enough that people might be willing to pay more to get faster service at home, if their radio connections are good enough to actually get it. (Slower home use is still free, but you do need to buy a ~$100 outdoor antenna frob.) For instance, I live about 2 miles from downtown Castro St., so I don't know how much radio coverage they'll have at my end of town.

    What the article doesn't even *begin* to talk about is what privacy protections Google will provide, if any, or whether it's possible to get a static address (extra-price, if at all?), or whether you'll be allowed to run servers on it (and what's a server, anyway? IM clients are really servers for the media channel, as are many game clients.)

  20. Multiple Routers - Client Configuration Issues on Google Offers Free WiFi for Mountain View, CA · · Score: 1
    802.11 has a code called the "SSID" which is used to identify set up and authenticate connections. Most manufacturers have some default value, e.g. "Linksys", but you're supposed to set it yourself.


    I live in a building where I can see about five wireless APs most of the time. Two of them (including mine) are open-access, and the others doing encryption*. My work laptop is an IBM Thinkpad, which has some friendly IBMware for wireless as well as the built-in Windows XP Pro 1.1 software, so it's never clear to me exactly _which_ client configuration stuff is really in control :-) Most of the time I have it configured to use my access point, except for the couple of days last month when my DSL flaked out and I leeched off my neighbor's service, but occasionally something glitches and I get disconnected from my AP and connected to my neighbor's.

    *Unfortunately, the standards seem to be designed so you only get encryption if you're doing authentication, either with pre-shared secrets or with X.509 certs or something, and you're either authenticating all connections or none of them. I'd really prefer to have my connections encrypted but leave the AP open for guests as well. (In practice, most of the day I'm connected to work using IPSEC, so there's encryption at that layer and I don't worry about security, and when I disconnect from the VPN to download my personal email, it's configured to use SSL to keep it private.)

  21. Computational/Physical/Info-Theoretical security on Quantum Computing Regulation Already? · · Score: 1
    That's a good point. I was referring to computational security, not information-theoretical. Information-Theoretical security is basically one-time pads, and the standard method for OTP key distribution is couriers with briefcases handcuffed to their arms (and of course, one-time pads are only secure if you really only use them once and then dispose of any bits you've used immediately) - but you can use OTPs as keying material for conventional symmetric crypto, so rather than sending couriers with OTPs the size of your total message flow, you can send OTPs with N months worth of keys - and it's probably a lot cheaper than installing dedicated fiber-optic lines.


    But there's a lot of work out there on key distribution methods that don't use public-key crypto, such as Kerberos and the various other flavors of Key Distribution Center systems. Sure, they're a lot more annoying, and there are real benefits from public-key that made most of that stuff get left in the dust, but within the capabilities they have, they really do work.

    Quantum computing doesn't appear to bother symmetric crypto algorithms much - it's a sqrt(N) attack, so you basically need to double key sizes, but you can still play the usual "computer the size of a planet" keysize calculation games, unless you believe that Moore's Law really will continue indefinitely, in which case you add 100 bits to the keylength to get yourself an extra 100-200 years of coverage. And you also make sure that when you're done using stuff, you delete it.

    Medical records turn out to be an interesting special case - consumers all want that information to be kept private, but insurance companies want it spread around to everybody who might need to use it, and HIPAA gets balanced by the "keep records of everything so you don't get malpractice suits" precautions. It was relatively easy to protect records privacy when the records were kept on paper and the main threats were Xerox and carbon paper. These days, rather than wiretap your doctor's internet connection, it's much easier for the Feds to subpoena your insurance company. (Not everybody has insurance, of course, but most people who don't have it aren't important enough to get a court order to wiretap their doctor for either, except maybe drug dealers who can pay cash.)

  22. Re:TFA's really stretching, but there are real iss on Quantum Computing Regulation Already? · · Score: 1

    At least by the 1990s, and for the most part by the late 80s, almost all of the political pressure was coming from the FBI, and most of the PR examples they were giving were about domestic situations such as narcotics wiretapping. Especially after the fall of the Soviet Union, it was pretty obvious that there was no remaining threat from Communist spies.

  23. TFA's really stretching, but there are real issues on Quantum Computing Regulation Already? · · Score: 1
    Declan's travelling, so I can't harass him for a couple of weeks, so I'll rant here :-)

    The concept of _regulating_ quantum crypto is really a stretch, though it's possible some bureaucrat wanted some Top Scientist to come tell them whether they needed to worry about it. After all, the real threat to US military crypto from QC isn't citizens, it's Foreign Spies using Foreigner-developed computers to crack it (though the main threats to military crypto are still bribery and carelessness, not technology.) This is basically the opposite of the 1970s-1990s Export Control regulations scenarios, where the US government was using the excuse that Commies might get secure communications as a way to prevent US citizens from getting non-wiretappable communications. With Quantum Crypto, they should really *want* Americans to develop it first, because that'll let them eavesdrop on lots more foreign communications than if they force the development to happen overseas in secret where only the KGB and Chinese Army have it.

    What the US NSA and military most need to worry about with Quantum Crypto is knowing how close it is to feasibility, knowing which of their systems could be cracked by it, and when to start planning on systems that aren't affected. For instance, RSA and Diffie-Hellman public-key crypto get trashed, and I'm not sure about elliptic-curve crypto, but symmetric crypto just gets its effective keylength cut in half, so you just need to use longer keys; if the military has to resort to a modernized version of Kerberos, or traditional key-distribution solutions like Marine couriers with briefcases handcuffed to their wrists, that stuff is pretty straightforward to implement if they need it.

  24. Quantum Crypto is Boring; Q Computing interesting on Quantum Computing Regulation Already? · · Score: 1
    Quantum crypto is theoretically amusing, but it practice it's boring. It lets you connect two sites together with dedicated fiber optics and run unbreakable-via-physics crypto over it, but that's a lot more expensive and incovenient that using whatever transmission medium supports your communication speeds and running unbreakable-via-mathematics crypto over it. There are probably people paranoid enough to buy Quantum Crypto hardware to do things like connecting nearby bank data centers together or multiple buildings in a Weapons of Mass Destruction factory, and I'm not saying you shouldn't take their money if they want to do that sort of thing, but standard crypto is just fine.

    Quantum computing is much more radical. OK, it's partly radical in the sense that we don't really know how to implement it yet, at least for problems bigger than a few bits, but if you can get it to answer questions longer than the Heisenberg Uncertainty limit (about 100 bits), you can really annoy anybody who was assuming that current public-key cryptography was secure. That doesn't mean all crypto is insecure - factoring problems get solved in time ~N, instead of the current 2**(N/3), but symmetric algorithms mostly either don't get hit at all or at worst get solved in time 2**(N/2) instead of 2**N (i.e. SQRT(current_time), so if you double the number of key bits, you're still secure. I'm not sure if elliptic-curve public-key crypto is affected or not. It *does* mean re-inventing key distribution, using techniques like Kerberos or other key-server solutions we had happily left in the past, but we don't lose security entirely.

  25. Re:IPv6 doesn't actually help routing, browsers hu on IPv6 Still Hotly Debated · · Score: 1
    There isn't a solution everybody's happy about yet. I think Shim6 is more of a Layer 3.5 hack than a Layer 4.5-5 hack, but I could be misremembering it.

    The goal was definitely supposed to be that individual end-user companies don't get Provider Independent address space - they get chunks of ISP-owned space (which are big enough for anything they want to do inside it, because IPv6 has lots of bits), and they were expected to use DNS and DHCP or similar approaches to renumbering rather than hard-coding addresses (seemed reasonable at the time.)