The parent article got modded redundant and I got to metamoderate. As far as I can tell, the first similar article appeared about two minutes before this one, so technically this one _was_ redundant, so I metamodded as "Fair". However, both articles were about 10 minutes after the original posting, so it may really be an issue of who hit the Enter key first. Luck of the draw, I guess.
The only hardware customization I'd done to my work laptop was adding cat hair to the fan, which I've subcontracted to several of the local felines. Nonetheless, a month or so ago, my laptop started announcing that its cooling system had failed and that it needed to shut down immediately, and that I'd better save my work and press the OK dialog box when I was done. I'd typically get about 15 minutes of uptime before this happened. Fortunately I had relatively recent backups, so I only had to do a week or two of incrementals (external USB drives are a wonderful thing, even if you're stuck with USB1!) so it wasn't too tough to do.
The main hardware repair was blowing the cat fur out of the fan, but it still overheated after a while, so they also replaced the temperature sensor board.
Since this was a work laptop, there was an identical spare machine that I could swap disks with, so I could continue to work while waiting for my hardware to get fixed. Unfortunately, that machine got stolen:-(, but that meant that my backups got used on the repaired hardware.
There isn't a center, really. In the US there are about ~25 "Tier 1" ISPs, e.g. AT&T, C&W, MCI, Sprint, which mostly peer with each other and sell transit to smaller ISPs and end users. Tier 2 ISPs mostly buy transit from two or more Tier 1 carriers, and Tier 3 ISPs mostly buy transit from Tier 2 or Tier 1, but there are more fuzzily defined relationships between providers in colocation space (e.g. some colo spaces are run by a single carrier, mostly using their internet feeds, while others are essentially real estate dealers, selling connectivity to between customers including connections to multiple Tier 1 or Tier 2 ISPs, and hosting companies buy racks of machines in the colo centers to use for different levels of managed services to end users.)
The big ISPs originally connected at the NAP peering points, but in the US that's a relatively small percentage of traffic these days - most Tier 1 players connect directly to each other, either with fiber connections between POPs or buy buying racks in "carrier-neutral colo space" like Equinix, where they can buy cross-connects to each other within the building. Europe's different - the big access points like LINX and AMSIX dominate peering between big carriers as well as small carriers.
No, though I looked at Speakeasy as well. I'm using sonic.net. Their policies and prices are fairly similar, and were a slightly better match for my needs. They're a smaller operation, which I've found is usually a good thing (smaller service providers are usually more responsive, unless they get overwhelmed or run out of money, in which case they often fail badly.) The other interesting thing about Sonic.net at the time was that they were working on 802.11 rooftop mesh radio applications up in Santa Rosa area, where they're based, which had the potential to be really cool if it worked out.
Does sound a lot like you're correct, and the author's off by a factor of 1000, or 8000 (or maybe just 100 or 800 if it's 10 million cells per centimeter.) I suspect from the description "magnetized in one orientation or the other" that it's probably one bit per cell.
The Clipper system had a back door - it had a great big neon sign over it saying COPS ONLY, so it was pretty hard to miss. Skipjack was mostly used as a sleight-of-hand, so the government could dishonestly issue a report saying that a team of experts who should have known better didn't find a problem in a couple of weeks, when the key-handling parts of the system were a hopelessly designed charade. The Skipjack algorithm itself appeared to be not too bad for something with an inadequately short key - if nobody found significant weaknesses with it, it would have been marginally adequate for a couple decades worth of Moore's Law, but there was basically no way to tell without good documentation that the analysis community could use. For instance, what if there's an efficient method for key scheduling in brute-force applications, as was discovered for DES and used by Deep Crack, or some symmetry structure that makes it possible to use ten times as fast as the vanilla implementation under the proper conditions.
That was all a last gasp of the FBI's attempts to maintain government control over encryption, when the private sector world badly needed the real thing to use the Internet more effectively. They've basically given up on that years ago - they'd rather have the legal powers to put cameras in your ceiling and keystroke-recorder spyware or hardware on your machine and tap all your VOIP signals without needing sworn warrants. And the "Protecting US government communications" side of the NSA is trying to keep up with their job, which not only faces competition from the private sector but foreign spooks.
The really cool useful thing about Elliptic Curves, besides just being another set of math besides factoring that can be used for crypto, is that you can use really *short* keys, so you can fit them in places where an RSA or Diffie-Hellman key would be annoyingly long. 2048 bits is 256 bytes, which is an annoyingly long thing to put in a DNS record, for instance, where you can normally only hold ~512 bytes. But 165-200 bits are 20-25 bytes (usually 40-50 in practice), which make them convenient for applications like DNS certification and email signature lines.
PGP deals with the length of RSA keys by introducing a KeyID which is some kind of hash of a public key which can be used to look up the key on a server somewhere. But ECC-based crypto can hand over the whole key in the space that PGP uses for the hash, often eliminating the need for a table lookup (e.g. on a not necessarily trusted database somewhere across the Internet), and bad keyid handling was not only added complexity but led to several security bugs in early PGP versions.
"Server" seems to be defined as anything the ISP thinks looks vaguely server-like. Cable Modem companies in particular tend to be obsessively hung up about them, because early cable modem hardware had very limited upstream bandwidth and no flow control mechanisms, so one heavy data sender could dog down an entire neighborhood, and even though the technical issues are no longer relevant, the obsessiveness is still around.
From a technical perspective, a server is anything that sits around waiting for requests - for instance, a VOIP client or IM client or game program or P2P file sharing program are all servers, and a video conferencing connection is a server when you've got it turned on. But cable modem ISPs generally are happy about all of these except the P2P (and that's as much because it's "Stealing content", when the Television side of their company is in the content business, so that's obviously bad.) A Web Server is obviously intended to ship lots of content upstream, which the cable companies didn't like.
But they also often banned "mail servers", which are the harmless end of the email direction - they don't want something sending _out_ lots of mail, especially spam, but that's really the "client" direction of client-server interaction, and the server end mostly uses downstream bandwidth that they've got plenty of. So for this application, they're considering a server to be "a program that does something useful for somebody", and they're also viewing mail servers as "something businesses use", which is bad because either "businesses are willing to pay more for service so we should ban them on cheap accounts" (which some companies also tried doing with VPNs) or "businesses get grumpy if their service goes down, and we don't want to change our repair cost models to accommodate them", or "anything that receives lots of mail probably also sends lots of mail, which is bad."
In my case, I'm using DSL instead of cable largely because the cable modem companies really want to sell to couch potatoes, and arbitrarily ban applications they don't understand or are scared by, and at least in the past they had rules against sharing multiple computers on a single connection. I want an *Internet* connection, not an alternative television feed, and I'm using the DSL ISP I use partly because they give out static addresses and partly because they've got a strong philosophical position that if you've got an Internet connection, all the bits are yours, and you should be able to do absolutely anything you want with it except spamming and cracking.
Your point looks right on. The person who suggested possibly taxing computers also suggested simply taxing households (though perhaps the term "levy" has slightly different connotations than "poll tax" did?) I don't know the UK's tax system enough to know whether a specific TV tax on households would be perceived as better or worse than simply funding BBC from general taxation, either by the public who'd have to pay it or by the BBC, who'd have to keep fighting for higher amounts while risking having it cut if the party in power doesn't like their recent programming decisions.
I don't use AOL myself, but there are ~20 million people who do, including my mother-in-law. Including Netscape/Zilla/Firefox on the AOL coaster would help get those people off IE.
The judge decided that the evidence for convicting the sister didn't hold up and overturned her conviction. The brother, however, gets 9 years in the slammer, where they will hopefully put him to work deleting ads for bogus medical products and business offers from corrupt Nigerian officials, with time off for good behavior if he actually collects on the $14 million they're trying to get out of the country.
You certainly can blame a programming language for sloppy coding, just as you can blame it for low productivity. Yes, sloppy coders will be sloppy in whatever language they choose, and wizard programmers will be wizards in whatever languages they choose, but if a language won't let you shoot yourself in the foot, or at least won't let you shoot anyone else in the foot, then the consequence of having millions of sloppy coders out there is limited to lots of people writing applications that don't work and annoy their users, as opposed to the current environment where somebody making a mistake enables a rootkit exploit leading to the next Internet-choking worm of the week, or whatever other disaster you choose.
Are there better languages than C to write OSs in? Maybe not, but as I said, the number of people writing kernel code and device drivers is *really* limited - most code is userland code, and most exploits are userland exploits - C may be in wider user than ever in user space, but there are a couple of orders of magnitude more user-space programmers than kernel programmers. Sure, crackers can occasionally stomp on your IP stack by handing it unexpected packets, but that's rare, and it's usually a DDOS problem like the Ping of Death rather than an exploit. On the other hand, how many times have you seen security-critical bugs in web browsers, ftp servers, mail servers (sendmail is *much* less bad than it was, but I still wouldn't bet money on it being safe), other random things running from inetd, or for that matter even jpeg viewers have had security-critical buffer overflows in the last year.
That doesn't mean that enforcing safe languages will create total safety, of course:-) There are still lots of popular attacks that are language-independent, such as trying file pathnames with../..'s in them in case the program isn't checking carefully for things like that. Operating System permissions can help prevent attacks like that from cracking root, but they don't always stop a web server from letting browsers write to the wrong place in a single user's web space.
You've hit the nail right on the head with the core issue - user space code vs. kernel code. I disagree on one thing - C _was_ designed to work well in userland, but the world it lives in has changed out from under it. It's still a great language to implement some things in, even if too many people aren't good enough at it for that to be safe any more.
On the other hand, the number of people I know who rave about productivity in Python, and the convenience I've seen writing a few things in Perl, suggest that for many tasks in user space it's really better to invest the time learning a more productive language that's also safer, and Java's probably more productive than C on large projects even if it runs slower. Of course, there are the academics who'd recommend Scheme or Haskell instead of Python, but those are probably adequately safe languages as well.
Sorry, but it's hard not to visualize the scene in Spinal Tap where the dwarves are dancing around the really short dolmen that was supposed to be 18 feet tall instead of 18 inches...
This sounds like the kind of mistake made by somebody who's used to working with the metric system writing down the wrong name for unfamiliar foreign antique measurement systes, rather like most of us tend to misread things measured in pecks per square furlong or whatever.
I've upgraded my BIOSes a couple of times, with much fear and trepidation (:-) and made all the backup disks, etc., but as long as you install a BIOS that's close enough to sort of boot the machine and read the backup disk, it's usually safe. On both machines, the upgrades went in successfully without frying the motherboard (though in both cases, I was doing the upgrade hoping that it would let me use newer memory chips, and neither one worked...) The speed problems on the older machine were eventually fixed by the big electric zap that fried the motherboard, prompting me to buy the new machine I wanted:-)
TCPA is really an important issue - it has a model of "who's trusting whom to be allowed to do what" that's much different from mine, and while as a cryptographer there are times I want some somewhat similar capabiities, they've made too many wrong choices for me to trust a TCPA machine. They've occasionally hinted about not letting the machine boot without an "approved" OS - but as the owner of a machine, *I'm* the one who should be able to approve the OS, not the MPAA/RIAA/KGB.
200-pound granite blocks are great!
on
SLI Primer
·
· Score: 3, Interesting
I went to college before CDs came out (:-) so audiophiles back then were optimizing vinyl-player systems. After doing some sidewalk construction on my fraternity house, we were left with a number of big hunks of slate, fairly flat on top and weighing maybe 100 pounds. One of the guys used it as a stand for his turntable, set on top of cinder blocks, and it was fairly resistant to people dancing nearby. He mostly listened to classical music, and while his system wasn't high-end audiophile gear, he'd reached the point that he could pretty much hear anything the orchestra was playing - and spending more money to cut out the next little bit of distortion was nowhere near as effective as getting records of better orchestras with better conductors, because hearing the Boring Strings Orchestra slightly better wasn't going to improve their playing any, while getting Furtwangler or Stachowski conducting the Berlin Philharmonic was going to sound better even if the vinyl was old and scratchy.
I had that room the following year and used the slate as a plant stand:-)
Wikipedia's wrong, and it's *never* authoritative
on
SLI Primer
·
· Score: 1
The "I" originally stood for "Inexpensive", and just because somebody's decided they like a different meaning instead, that doesn't mean they're correct.
Wikipedia is great for getting wide coverage of content, but it's not the place to go when you want an Authoritay you can Respeck. It's often very good, and does better on contemporary material than traditional dead-tree single-editor encyclopedias, but the only times it's authoritative are when an article's written by somebody who's actually the authority about the topic and nobody's "improved" it since then.
NetHack still rocks...
on
SLI Primer
·
· Score: 0, Offtopic
The usual game I play is called "Slashdot", but when I want something obsessively gamerlike, Nethack is good - and it's better in colored-ASCII mode, without the silly graphics interface:-)
C is one of the best languages out there for many things, but nobody should still be using it, because there are too many people who are careless about subtle things and shoot themselves in the foot with it. Yes, if you're writing device drivers, C is probably still the language of choice, but the number of people who do that is pretty limited, and they can run lint and doublecheck their code to make sure they don't get overrun errors. C++ isn't much better - you _can_ write code using constructs that don't get buffer overflows, but you don't have to (if anything, the nicest thing about C++ is being able to fall back to C when you need it), so a random C++ program is no more trustable than a random C program. It's not the 20th century any more - stop doing dangerous things!
(And yes, I still write C/C++ when I need it, but that's laziness after 25 years of habitual use, and usually I use shel when I need to program:-)
Spimming pissed off enough people they made a word for it. The neologism probably won't go away unless the IM companies do a good job of making the problem difficult by including some decent security. So far, it's as limited a problem as it is only because the major IM providers don't want to cooperate with each other, preferring to keep their little closed systems hoping to make money by attracting customers to their ISP businesses.
One of the press releases contends that IM is really just about the same as email, so CAN-SPAM email rules should apply. I'm sorry, but that's bogus, and including it in this case appears to be intended to give the public a negative opinion of the accused person. While SPIM is certainly an annoyance, and at least as annoying as spam (with fewer tools to block it with), and the spimmer really does deserve the same social disdain that sleazy spammers get, that doesn't mean that it's appropriate to use that badly-written law to cover cases that it didn't cover, and probably some or most of the "18 years" are from that.
Similarly, just because the victim company abused the capabilities of the MySpace service to create lots of free accounts and spim from them, and cleaning up those accounts cost them money, that doesn't mean that the miscreant actually damaged their computers, and the legal doctrine of a "protected computer" is badly thought out and may not apply here. That doesn't mean that the sleazy spimmer didn't violate Myspace's terms of service (I haven't read them, but I'd hope they had the sense to write them in a way that his abuse was a violation), but that's something that ought to be a civil cost recovery issue, not a crime.
On the other hand, if you can believe the press release, the extortion part does sound like a legitimate criminal complaint, as opposed to mere sleaziness that isn't in the scope of the laws the DoJ is accusing him of breaking.
It's not like stupid jingoism isn't common in other parts of the world too, but this particular display of it was done by some American politicians and I've seen at least one restaurant (in Hawaii, a society that's multicultural enough that you can get saimin at MacDonalds') that actually had Freedom Fries on their menu without a politician telling them to. There were a couple of years of anti-French propaganda going on; I'm not sure who was behind it, but the "France Surrenders At The Smallest Threat" meme metastasized for a while while they were doing it.
And the current Bush Administration propagandists have always made sure to refer to the Iraqi resistence as "insurgents" or "terrorists" or "rebels" rather than "resistence", which would have invoked memories of the bravery of the French Resistence as well as implying that Americans (er, excuse me, the Coalition of the Willing) were the invading Bad Guys.
On the other hand, "CheeseEating Surrender Monkeys" was quite definitely a joke.
Has anybody bothered getting the actual paper from these people instead of the cutesy descriptions of envelopes, red/green ink, and carbon paper? The authors go out of their way to write a cutesy layperson's description of their work, but they've obfuscated the real math inside envelopes full of carbon paper (assuming that some of their readers are old enough to remember using carbon paper), instead of just giving us the math.
So nobody technical can tell if they've really done anything new or interesting, or if they've just done Yet Another Variant on mutual authentication that doesn't offer any advantages over existing techniques. MITM attacks aren't new, and needing twoway authentication for some applications isn't new, and using stolen passwords to crack machines isn't new, and using cracked machines to do Bad Things with isn't too new, though the popular approaches to cracking Windows machines don't usually bother with MITMing passwords because there are so many other back doors available. So what's new here?
The parent article got modded redundant and I got to metamoderate. As far as I can tell, the first similar article appeared about two minutes before this one, so technically this one _was_ redundant, so I metamodded as "Fair". However, both articles were about 10 minutes after the original posting, so it may really be an issue of who hit the Enter key first. Luck of the draw, I guess.
The main hardware repair was blowing the cat fur out of the fan, but it still overheated after a while, so they also replaced the temperature sensor board.
Since this was a work laptop, there was an identical spare machine that I could swap disks with, so I could continue to work while waiting for my hardware to get fixed. Unfortunately, that machine got stolen :-(, but that meant that my backups got used on the repaired hardware.
The big ISPs originally connected at the NAP peering points, but in the US that's a relatively small percentage of traffic these days - most Tier 1 players connect directly to each other, either with fiber connections between POPs or buy buying racks in "carrier-neutral colo space" like Equinix, where they can buy cross-connects to each other within the building. Europe's different - the big access points like LINX and AMSIX dominate peering between big carriers as well as small carriers.
No, though I looked at Speakeasy as well. I'm using sonic.net. Their policies and prices are fairly similar, and were a slightly better match for my needs. They're a smaller operation, which I've found is usually a good thing (smaller service providers are usually more responsive, unless they get overwhelmed or run out of money, in which case they often fail badly.) The other interesting thing about Sonic.net at the time was that they were working on 802.11 rooftop mesh radio applications up in Santa Rosa area, where they're based, which had the potential to be really cool if it worked out.
Does sound a lot like you're correct, and the author's off by a factor of 1000, or 8000 (or maybe just 100 or 800 if it's 10 million cells per centimeter.) I suspect from the description "magnetized in one orientation or the other" that it's probably one bit per cell.
That was all a last gasp of the FBI's attempts to maintain government control over encryption, when the private sector world badly needed the real thing to use the Internet more effectively. They've basically given up on that years ago - they'd rather have the legal powers to put cameras in your ceiling and keystroke-recorder spyware or hardware on your machine and tap all your VOIP signals without needing sworn warrants. And the "Protecting US government communications" side of the NSA is trying to keep up with their job, which not only faces competition from the private sector but foreign spooks.
PGP deals with the length of RSA keys by introducing a KeyID which is some kind of hash of a public key which can be used to look up the key on a server somewhere. But ECC-based crypto can hand over the whole key in the space that PGP uses for the hash, often eliminating the need for a table lookup (e.g. on a not necessarily trusted database somewhere across the Internet), and bad keyid handling was not only added complexity but led to several security bugs in early PGP versions.
From a technical perspective, a server is anything that sits around waiting for requests - for instance, a VOIP client or IM client or game program or P2P file sharing program are all servers, and a video conferencing connection is a server when you've got it turned on. But cable modem ISPs generally are happy about all of these except the P2P (and that's as much because it's "Stealing content", when the Television side of their company is in the content business, so that's obviously bad.) A Web Server is obviously intended to ship lots of content upstream, which the cable companies didn't like.
But they also often banned "mail servers", which are the harmless end of the email direction - they don't want something sending _out_ lots of mail, especially spam, but that's really the "client" direction of client-server interaction, and the server end mostly uses downstream bandwidth that they've got plenty of. So for this application, they're considering a server to be "a program that does something useful for somebody", and they're also viewing mail servers as "something businesses use", which is bad because either "businesses are willing to pay more for service so we should ban them on cheap accounts" (which some companies also tried doing with VPNs) or "businesses get grumpy if their service goes down, and we don't want to change our repair cost models to accommodate them", or "anything that receives lots of mail probably also sends lots of mail, which is bad."
In my case, I'm using DSL instead of cable largely because the cable modem companies really want to sell to couch potatoes, and arbitrarily ban applications they don't understand or are scared by, and at least in the past they had rules against sharing multiple computers on a single connection. I want an *Internet* connection, not an alternative television feed, and I'm using the DSL ISP I use partly because they give out static addresses and partly because they've got a strong philosophical position that if you've got an Internet connection, all the bits are yours, and you should be able to do absolutely anything you want with it except spamming and cracking.
Your point looks right on. The person who suggested possibly taxing computers also suggested simply taxing households (though perhaps the term "levy" has slightly different connotations than "poll tax" did?) I don't know the UK's tax system enough to know whether a specific TV tax on households would be perceived as better or worse than simply funding BBC from general taxation, either by the public who'd have to pay it or by the BBC, who'd have to keep fighting for higher amounts while risking having it cut if the party in power doesn't like their recent programming decisions.
I don't use AOL myself, but there are ~20 million people who do, including my mother-in-law. Including Netscape/Zilla/Firefox on the AOL coaster would help get those people off IE.
Actually, she gets out of the slammer Real Soon Now.
The judge decided that the evidence for convicting the sister didn't hold up and overturned her conviction. The brother, however, gets 9 years in the slammer, where they will hopefully put him to work deleting ads for bogus medical products and business offers from corrupt Nigerian officials, with time off for good behavior if he actually collects on the $14 million they're trying to get out of the country.
The folks who did the airplane bowdlerization for the movie "Sideways" decided they should replace one insult starting with "As" with another one.
Are there better languages than C to write OSs in? Maybe not, but as I said, the number of people writing kernel code and device drivers is *really* limited - most code is userland code, and most exploits are userland exploits - C may be in wider user than ever in user space, but there are a couple of orders of magnitude more user-space programmers than kernel programmers. Sure, crackers can occasionally stomp on your IP stack by handing it unexpected packets, but that's rare, and it's usually a DDOS problem like the Ping of Death rather than an exploit. On the other hand, how many times have you seen security-critical bugs in web browsers, ftp servers, mail servers (sendmail is *much* less bad than it was, but I still wouldn't bet money on it being safe), other random things running from inetd, or for that matter even jpeg viewers have had security-critical buffer overflows in the last year.
That doesn't mean that enforcing safe languages will create total safety, of course :-) There are still lots of popular attacks that are language-independent, such as trying file pathnames with ../..'s in them in case the program isn't checking carefully for things like that. Operating System permissions can help prevent attacks like that from cracking root, but they don't always stop a web server from letting browsers write to the wrong place in a single user's web space.
On the other hand, the number of people I know who rave about productivity in Python, and the convenience I've seen writing a few things in Perl, suggest that for many tasks in user space it's really better to invest the time learning a more productive language that's also safer, and Java's probably more productive than C on large projects even if it runs slower. Of course, there are the academics who'd recommend Scheme or Haskell instead of Python, but those are probably adequately safe languages as well.
This sounds like the kind of mistake made by somebody who's used to working with the metric system writing down the wrong name for unfamiliar foreign antique measurement systes, rather like most of us tend to misread things measured in pecks per square furlong or whatever.
TCPA is really an important issue - it has a model of "who's trusting whom to be allowed to do what" that's much different from mine, and while as a cryptographer there are times I want some somewhat similar capabiities, they've made too many wrong choices for me to trust a TCPA machine. They've occasionally hinted about not letting the machine boot without an "approved" OS - but as the owner of a machine, *I'm* the one who should be able to approve the OS, not the MPAA/RIAA/KGB.
I had that room the following year and used the slate as a plant stand :-)
Wikipedia is great for getting wide coverage of content, but it's not the place to go when you want an Authoritay you can Respeck. It's often very good, and does better on contemporary material than traditional dead-tree single-editor encyclopedias, but the only times it's authoritative are when an article's written by somebody who's actually the authority about the topic and nobody's "improved" it since then.
The usual game I play is called "Slashdot", but when I want something obsessively gamerlike, Nethack is good - and it's better in colored-ASCII mode, without the silly graphics interface :-)
(And yes, I still write C/C++ when I need it, but that's laziness after 25 years of habitual use, and usually I use shel when I need to program :-)
Spimming pissed off enough people they made a word for it. The neologism probably won't go away unless the IM companies do a good job of making the problem difficult by including some decent security. So far, it's as limited a problem as it is only because the major IM providers don't want to cooperate with each other, preferring to keep their little closed systems hoping to make money by attracting customers to their ISP businesses.
Similarly, just because the victim company abused the capabilities of the MySpace service to create lots of free accounts and spim from them, and cleaning up those accounts cost them money, that doesn't mean that the miscreant actually damaged their computers, and the legal doctrine of a "protected computer" is badly thought out and may not apply here. That doesn't mean that the sleazy spimmer didn't violate Myspace's terms of service (I haven't read them, but I'd hope they had the sense to write them in a way that his abuse was a violation), but that's something that ought to be a civil cost recovery issue, not a crime.
On the other hand, if you can believe the press release, the extortion part does sound like a legitimate criminal complaint, as opposed to mere sleaziness that isn't in the scope of the laws the DoJ is accusing him of breaking.
And the current Bush Administration propagandists have always made sure to refer to the Iraqi resistence as "insurgents" or "terrorists" or "rebels" rather than "resistence", which would have invoked memories of the bravery of the French Resistence as well as implying that Americans (er, excuse me, the Coalition of the Willing) were the invading Bad Guys.
On the other hand, "CheeseEating Surrender Monkeys" was quite definitely a joke.
So nobody technical can tell if they've really done anything new or interesting, or if they've just done Yet Another Variant on mutual authentication that doesn't offer any advantages over existing techniques. MITM attacks aren't new, and needing twoway authentication for some applications isn't new, and using stolen passwords to crack machines isn't new, and using cracked machines to do Bad Things with isn't too new, though the popular approaches to cracking Windows machines don't usually bother with MITMing passwords because there are so many other back doors available. So what's new here?