Slashdot Mirror


User: theamarand

theamarand's activity in the archive.

Stories: 0
Comments: 33

Comments · 33

  1. Encryption... on Chapel Hill Computational Linguists Crack Skype Calls · · Score: 1

    Not sure how it works with voice, but I know with text, if you have a part of the message, it's a lot easier to break the encryption method - assuming it's breakable. Security is just a cat and mouse game, anyway. Someone finds a hole, someone plugs the hole, then someone finds another hole...etc. Fun stuff though!

  2. Administrative Access? on New Malware Simulates Hard Drive Failure · · Score: 2

    Operating systems are still running user applications as an administrative user? I sign into my systems as a regular user, and I execute applications as a regular user. Administrative privileges should be for approved installation and removal of applications. On the other hand, it's silly to think that in this day and age, malicious behavior isn't automatically detected by the operating system and squashed - and I don't mean by an anti-virus or anti-malware application that one needs to purchase. Operating systems should have security built-in, not tacked-on later.

  3. Once... on Massive LinkedIn IPO Raises Dotcom Bubble Concerns · · Score: 2

    I'm pretty sure I had an account on LinkedIn once. Then I realized that it's just another way for a company to capitalize on what should probably be semi-private information: my work-history. Sure, with enough time and effort anyone could figure it out, but to give your entire business social network over to a third-party for data-mining purposes? Not sure I buy that.

  4. China CERT? on Does China's Cyber Offense Obscure Woeful Defense? · · Score: 1

    It was probably "nice" of him to report his findings to China CERT but as a citizen of the U.S. (I'm assuming, if he's working for NSS) couldn't that be considered something, I dunno...bad? I mean, China is an enemy of the U.S., and the cold war is based on information. "Hey, dude, your fortifications are weak here, here and...oh here." Seems a little off. I would probably have submitted the information to someone on our side, but I do see his neutrality point - a bit.

  5. What do you do? on 77 Million Accounts Stolen From Playstation Network · · Score: 1

    It's scary that Sony would allow this to happen.

    On the one hand, it's a trust issue. I'm much less likely to trust Sony's network at this point. They would have to proactively earn my trust back in various, public, audited ways.

    On the other hand, what do you do when this happens to one of your accounts? The network isn't even back up yet. If the criminals have all of my information that Sony has, how can Sony guarantee that I'm a legitimate person, signing in and changing my password? Send me snail-mail with a one-time password? That's so costly and time-consuming.

    I don't want to have to think about, or worry about, any of this security crap when I just want to play a game.

    And this is why I think "cloud computing" is a bad idea. Putting all of your stuff out there, where someone could gain access to it? Scary!

  6. Always Moving Forward... on Microsoft Counts Down To XP Death · · Score: 1

    I guess my problem is this: I realize it's capitalism, and we all have to spend money, regularly, to buy operating systems and applications. However, what happens when you (or, for example, Corporate America) get into a situation where you like the stability and work-flow of a particular environment? I don't want to buy another computer yet, and upgrading can be almost just as expensive. Add to that the fact that if I upgrade from XP to 7, I then have to reinstall all of my applications and potentially lose all of my previous settings, plus not all applications run on 7, and there are many pieces of (rather expensive) hardware that don't have drivers for 7 yet - it's sickening. I have enough experience with computers that upgrades and reinstalls don't stress me out, but still...it's a capital investment of time and money, and there's no really compelling reason to move forward except corporate greed.

    Yes, XP is 10 years old. We should celebrate the fact that Microsoft actually gets it right sometimes, and perhaps Microsoft could charge folks a fee for supporting an operating system that "just works." It's mature enough that it shouldn't need many bug fixes, just closing off security holes.

    Having said that, if Linux did all the things I wanted it to do, I would gladly choose a winning distribution and sail it for the next 30 years. As it is, I use Linux all over the place, and love how easy it is to patch/update/upgrade. Speaking of 30 years...I have never heard of anyone successfully, happily upgrading Windows from an older version to a newer version without having niggling, persistent, long-term problems. Why can't Microsoft get it right?

  7. Security versus Profit on RIM Co-CEO Cries 'No Fair' On Security Question · · Score: 1

    The main thing to remember is that this is a government, or two, asking for this information - not another company.

    I'd be FURIOUS if Blackberry opened any of my information up to a third-party without my consent, and I would expect all subscribers to feel the same way. But a government? They have the laws and the weapons. The only option would be to simply remove their product/service from the countries asking; which is lunacy.

    Best to use your own encryption, if your privacy matters that much to you, and encrypt everything you send, so it's all equally important.

  8. Work PC Ergonomics on Workers Will Smash Their PCs To Get an Upgrade · · Score: 1

    I used to have mild pain in my wrists when I'd type a lot...and I do type a lot. I always have an ergonomic keyboard and mouse, marked as my personal property, with the receipt taped to the bottom of the keyboard in case there's any question. However, not all workplaces suck. My current job has replaced my keyboard and mouse with an ergonomic unit of my choice whenever it needs it. I haven't had pain in my wrists for years, and I owe most of it to the keyboard and mouse, proper placement of my monitor/chair, and taking frequent breaks to stretch out.

    But, yeah...it stinks when you have a crappy mouse/keyboard/computer and have no way of upgrading, replacing or fixing deficiencies. If your computer at work sucks that hard that you want to break it, perhaps it's time to search for a new job?

  9. Dumping ROM on Apple AirPlay Private Key Exposed · · Score: 1

    Storing permanent keys in memory is great for us, and bad for the companies that want to keep things hidden. I'd say "Please, keep doing that!" Well, I mean, both to the type of person who's willing to go through this process and reverse engineer things, and the companies that add lame security to their products. One might ask: "Why add the security in the first place?"

    What I'd like to see is a well-defined and documented, open-source released method for "dumping ROMs." I'm sure it's out there on the Internet. While this is a great example of someone taking the time to rip something important (to them) out of a closed-system, it might be nice to actually document how he did it.

    Open-source the world! :)

  10. Security Still Important on Why Doesn't Every Website Use HTTPS? · · Score: 1

    I've seen a few people here say something about how when secure web-sites become the norm, more people will break the encryption, so it doesn't make any sense to encrypt. That's a pretty silly argument against secure web-sites. If a specialist wants to get into my house, I'm going to have a hard time stopping them; but it doesn't stop me from putting a lock on my front door. Also, an open door might be construed as an open invitation to enter, whereas a locked door cannot be. If someone enters my house without my consent, I want evidence that they defeated my security. Also, most physical security (safes and vaults to name two examples) is rated in time. You never buy an impenetrable vault, you buy a vault that would take two hours to breach with the best, currently-available tools. Digital security should be viewed the same way, and it should be augmented with other features such as Intrusion Detection, and Intrusion Prevention countermeasures. As a greater number of web-sites are compelled to become more secure (HIPAA and SOX compliance), point-to-point encryption will be just one of the many required tools in the data owner's/manager's toolkit.

    Having said that, it makes sense for all businesses to secure their web-sites if they are requiring users to create accounts (because sometimes people are still foolish enough to use the same or similar password in different locations), share private information, or make purchases using financial information such as credit cards or PayPal accounts. Of course, there should be a reasonable, well-known scale defining how much and what type of security is required based on the type of information stored. This should be audited regularly by the business ("has the information we are storing changed enough to change our security?" and "are we secure enough based on the data we are currently storing?") in addition to regular external audits to ensure that the minimum requirements are met.

    All of this, of course, introduces cost into the equation. A small business might not be able to afford a systems administrator to watch the logs, or even to be able to pay for the annual certificate fee, not to mention the dedicated static IP address required for proper certificate usage. This means that larger businesses (banks, insurance companies, large corporations, the military and government) will always have better security than your average smaller business. This means that you, the information originator, need to be conscious of where you share your information, and what you are sharing.

    I think certificates should be free, or at least reasonably priced - free would be best - and that security not be tied to IP addresses, which are pretty limited in the IPv4 world.

    So, yes, even though a lock won't keep out every intruder, it will keep out the majority of prying eyes. As information security needs continue to improve, so will the associated algorithms used to keep things moderately secure.

    Of course, as important as it is to secure the line/connection itself, one should also be very concerned about the authenticity of the person connecting, in addition to the site being connected to. How do you know that you aren't being DNS poisoned or some other man-in-the-middle attack? Is this really your bank? Your insurance company? Your favorite on-line merchant? How do you know? Is the strength of the encryption algorithm really important if you're actually connecting to a thief masquerading as the desired site, intent on stealing your information?

    So both of these key factors need to be made affordable (cheap or free), and available to all, not just large businesses with deep pockets and a Class C to throw around. That's when things get moderately more secure.

  11. Flagrant Abuse Fear to Gain Power on Sensor Measures In Fingertips If Driver Is Drunk · · Score: 1

    Yes, just what I need, another sensor to fail and make my car not start. However, this is just one more device/sensor to override and hack into submission. Drunk drivers have been overriding keys, buttons, switches and sensors ever since they were employed. What makes anyone think this will be different? I hear people talking about wearing gloves...I imagine the car won't start without some sort of baseline conductivity check - otherwise every drunk would wear gloves to bypass. If it checks every second, does that mean that it would check only once prior to starting the engine, and not check until the engine was turned off; or continuously check as you drove, and turn the car off if you suddenly show positive for alcohol? False positives are scary. Also, would it "report" you? Nice, a tattletale car.

    This is how laws get passed: fear. Over 9,000 road traffic deaths could be saved, great. But how about the inconvenience to the other 254,000,000 (Wiki) registered drivers. I'm sorry, but that's like 0.004%. Law enforcement already has great programs for stopping drunk drivers and, hey, if someone gets a DUI, take away their license for a longer period of time, increase the fine, throw them in jail - I don't care. What I do care about, strongly, are my civil liberties. If I'm not a criminal, don't treat me like one.

    This goes back to the whole enforced seatbelt thing. Why does it matter if I choose to wear a seatbelt or not? If I die, it's my own life. Why shouldn't it be my choice? I've heard of several friends getting into wrecks over the years where they were saved by not wearing their seatbelt. Officer on the scene said something like "if you had been wearing your seatbelt, you would have been crushed where you sat. Here, have a ticket for not wearing a seatbelt." Nice, right?

    Now, having said that, I think this is a great idea to put into the cars of people who have proven themselves to be dangerous by getting behind the wheel of a car drunk. Retrofit it into every vehicle in their household, and if they're caught driving a vehicle without the device, revoke their driving privileges. But, again, I'm only talking about the idea of putting this into vehicles that are driven by people who have a history (once is enough for me) of DUI. When you drive drunk, you could easily kill a single innocent person, so I'm willing to limit someone who obviously can't control their impulses and make the adult decision to either drink, or drive, but not both.

  12. Fallout: New Vegas on Balancing Choice With Irreversible Consequences In Games · · Score: 1

    I've been playing Fallout: New Vegas a lot recently, and it's directly because of the different paths I can take. In real life, my options are pretty clear-cut as far as theft and murder, as are the consequences when caught. In a video game, I always play through the first time as a "good" player: not stealing anything marked as owned, and not killing anyone until they "show red." It makes playing the game a little easier, knowing which characters you can kill with no repercussions and which will give you bad karma and standing.

    In New Vegas, it's generally clear when I'm working for the good guys (NCR/democracy) and when I'm not (Legion/slavers). I play the game as good, by doing good things. If something bad happens, it's generally not because of any choices I've made, unless that's just the way the story goes.

    While I do prefer the linear storyline concept, I also like the semi-randomness of an open-world. Yes, the choices I make should make a difference in the way the game reacts to me, but I don't think that one false move should cause me to restart my game, either. If I spent a few hours playing an evil character (killing good guys, not killing bad guys, stealing and looting) and something bad happens as a result, that's cool - Hollywood logic. I guess the problem occurs when a random event happens despite what you do (zero control) or counter to what you do (inverse control).

    People have to keep reminding themselves that it's just a game, that game designers make choices to try and differentiate the game-play from all the other games out there, and sometimes they make decisions that don't fit your style or expectations of a good game. Having said that, I think there needs to be a full-blown sequel to both Red Dead Redemption and Borderlands. Those were fun games, but the narrative story was way too short with somewhat limited replay value for me. I did like the zombie pack for Borderlands, though....

  13. Pirates... on Book Piracy — Less DRM, More Data · · Score: 2

    One of my favorite books is The Pirate's Dilemma: http://thepiratesdilemma.com/ It talks about the association between ancient methods of production and distribution, and streamlined methods of delivery. Piracy has always been on the bleeding-edge of mixing things up, and getting things out there faster than any large corporation could handle. I don't see that changing any time soon. Sure, the corporations might force governments to lean on the pirates, but they will just push them underground - won't stop the signal. Corporations and governments should earn from piracy, improve their business models, and give the people what they want - not what they think they want.

  14. Taking Sites Down on Bank of America Buying Abusive Domain Names · · Score: 3, Insightful

    I have personally experienced the taking-down of sites and content by ISPs which were legally bullied (cease and desist orders) by large companies to make the site/content go away. It's possible that for every one site/piece of content that I've seen taken down outside of due process, short-circuiting the burden of proof, there may be many other sites where the ISP referred the matter to a legal department and determined that it was just corporate bullying, and took no action.

    In my personal experience, when a big company threatens to take action against a smaller company, unless it's a high-profile case that the EFF is willing to tackle, the smaller company seems to fold and remove the site/content. It simply costs too much to battle it out in court, so the big guy often wins.

    Does anyone have any experience with a smaller company telling a larger company to go suck eggs and successfully fighting a suit or threat to sue? Maybe I'm just cynical....

  15. Cheaper? on Bank of America Buying Abusive Domain Names · · Score: 1

    You'd think it would just be cheaper to sue - or threaten to sue (the ISP?) - anyone creating a defamatory web-site for defamation of character. Lawyer letters to the ISP of "offending" web-sites are generally effective, especially from a Big Bank.

  16. Re:Maintenance and Upkeep on Top 10 Things You CAN'T Have For Christmas · · Score: 1

    how many top-of-the-line professional cameras could I buy with that?

    Your question is rather recursive, as one of the items happens to be an OMG EXPENSIVE Leica.

    I don't consider an item created under a limited production run ("limited edition to 500") made with specialty components ("sapphire-crystal glass monitor...all visible elements...made from solid titanium") a top-of-the-line professional camera. I don't think a lot of serious photographers, professional photographers, are going to be snapping this one up. It's a toy; and at $29,000, is a very expensive toy.

  17. Elves... on New IE Zero Day · · Score: 1

    Just don't put this on the Christmas Elves or Elf Bowling sites.... Let's see, risk factors:

    * Tech-clueless relative just got their first computer for Christmas. "Chooses" I.E. as browser. Drawn in by Elf Bowling. There's a virus on your computer, click here!

    Oh, man....

    And related to what an earlier poster said, why is it that we need to use Internet Explorer in order to update our Windows boxes? I still find that a little bit anti-trust.

    To borrow from 2001: My God--it's full of holes!

  18. Maintenance and Upkeep on Top 10 Things You CAN'T Have For Christmas · · Score: 1

    There's not a single item on that list that interests me. When I went to the Smithsonian in DC, I saw a lot of jewel-encrusted items (cell phones, Monopoly board). Once you spend a fortune on having a unique cellphone, what do you do with it when the next model comes out? Toss it away to the peasants? Perhaps donate it to the Smithsonian for others to gawk at? Walk through and take a look at some of the crazy jewelry and precious stones there, and for me, the only thing that comes to mind is: "You can't take it with you!" and "I wonder how many people owned these items before they ended up here?"

    The submersible shark seems neat, until you realize that it's just a sub, and requires a lot of upkeep, in addition to a place to use it, and store it when not in use. As if a helicopter needs to be made more elite? Not many of us would have a place to land one, regardless of how it was outfitted. The Kid's walker seems pretty cool, but then I looked at the scale and found it frighteningly large. Would it fit through doors? At least handi-capable kids wouldn't be teased as much. Just need a few shoulder-mounted rockets, grenade launchers and machine guns.

    The most expensive TV? Okay, it has diamonds...but what device besides a computer would be able to put out a signal at the native resolution of 4,096 x 2,160? For that price, it better have some sort of specialized Blu-Ray player that up-scales...I actually just realized that it's twice as many pixels as 1080i, so I guess you could watch two HD signals at once? Opulence!

    I'm surprised the speakers made the list, as $8,000 isn't out of the price range of a real audiophile. I just wonder what their actual acoustic characteristics are. Glass? That can't be the ideal medium for sound.

    In the end, when I see a list like this, at prices like that, I instantly wonder "how many top-of-the-line professional cameras could I buy with that?" or "wouldn't I rather have an observatory?" For the price of that TV, I could have a small secret lair, with hidden entrances, all sorts of bubbling items and at least one assistant with a hunchback for atmosphere!

  19. Security on NSA Considers Its Networks Compromised · · Score: 4, Insightful

    It always makes sense to operate based on the assumption that you may already be compromised. If you take a look at your data, and you think that impenetrable firewall is going to keep people from accessing it, you're delusional. Security, or lack thereof, is measured in time. If what you're securing is important, the question is not can this information be accessed but how long until it can be accessed. Compartmentalization is an important part of any security plan. Finding ways of keeping people out is something the security field has been working on for ages. Have different passwords for everything. Change passwords regularly. Audit data accesses. Watch for suspicious behavior. Keep off-site backup of data and forensics information. Create different subnets and VLANs to segregate traffic. Train all employees in basic security measures. Ensure that no employees are above security - no backdoors, everything audited. I'd say the most important thing to recognize, though, is exactly what they said: unless a resource is sitting in a heavily-guarded Faraday-cage, inside a vault, turned off, and not connected to anything else, it can not be considered 100% secure. Everything else is risk management.

  20. Money for Services on Should Wikipedia Just Accept Ads Already? · · Score: 1

    I love Wikipedia because it's free. I also love Slashdot because it's free.

    Why do I pay Slashdot $5 every once in a while? Because of the cool benefits! I mean, I get a special asterisk, am allowed to see things a few minutes before they're actually posted to the rest of the site, and it just feels cool to donate money to a geeky/techie site. If everyone here donated $5, it would change the face of Slashdot, or something.... I like supporting a community that I believe in.

    Why do I not pay Wikipedia anything? Well, I just don't see the benefit. To me, Wikipedia is a community managed product. We're already spending our time keeping things accurate and up-to-date. Why pay to work?

    While editing an encyclopedia feels like work, moderating Slashdot actually feels like I'm accomplishing something important. I'm helping other people filter junk, and they are (conversely) doing the same thing. Everyone loves power, but as we know, power corrupts and absolute power corrupts absolutely. So if you give a BUNCH of people a little power, they'll enjoy it, but not really be able to abuse it in any real sense.

    If Wikipedia wants my money, they should consider adding cool features like Accomplishments, and making it easier to "moderate" the content. Anyway, more important than all that: Rob Malda is simply more cool than Jimmy Wales. What Mr. Wales needs is a cool name, like CmdrTaco, and then we'll talk. Also, just gut feeling, if I had to choose a guy to fix my computer, or hang out and geek with, it'd be Rob. I wonder if Jimmy is a PC, and Rob is a Mac? Just saying!

  21. Step Forward... on Chrome Throws Flash Into the Sandbox · · Score: 1

    I think this is a good step forward. I'd like to see the majority of plugins in a sandbox. I like to use them, but you can't always be 100% sure if you can trust them or not. Sure, there are applications that have been around for ages, are designed by good companies that have decent reputations - but what about that "must have app" that you're not completely sure about? I know on my Blackberry, each application has its own permissions. I can add and remove permissions at will, and even set them to prompt me. I've always found Internet Explorer a bit scary, but have never worried much about Firefox. With some plugins, it should be a no brainer: does a weather application need access to my hard drive, aside from a caching space? I don't think so. Possibly plugins could be vetted and reviewed by a committee, and given permissions within the browser/OS based on what they need to do, and each plugin would have a "safety rating" (red, yellow, green) so you can choose your exposure. If all of your plugins were "green," you'd know that the committee reviewed the code and set the permissions in such a way that your data could not be compromised. If code could not be reviewed, it would automatically be marked yellow or red. I like the idea of choice as equally well as I like safety and security.

  22. New versus Original on 'Tron: Legacy' Director Explains the Tron World · · Score: 1

    I have to say, the new Tron movie has certainly reminded me that I should go back and re-watch the original Tron movie. There's another article on Slashdot talking about how special effects just don't have the same impact now.

    http://entertainment.slashdot.org/story/10/12/14/1853200/Why-Special-Effects-No-Longer-Impress

    Before CGI was the standard, you actually had to build models, use actual smoke and pyrotechnics. I have respect for vintage movies that had to work for it and that didn't have the same tools we have today. When a 10-year-old girl today has a better processor and more memory in her cellphone than any of the computers used during the creation of Star Wars, that turns the tables a bit.

    My problem is that special effects should enhance a story-line or visual, not be the story-line or visual itself. As has been proven by many excellent movies in the past, you don't need to render a 3-D space scene to make the audience believe that our actor is in space. Science fiction stories have also proven for decades that you don't need a visual or even much detail about the technology itself, to build a compelling world that people will visit and revisit again and again. In the end, our minds will always have a greater capacity for creativity than anything that can be generated by a computer, and sometimes leaving out details (Hitchcock? Asimov?) can make a piece have greater significance and longevity than one that pulls out all the stops and ends up leaving the audience feeling empty. Storytelling is becoming a lost art, sadly.

  23. Portal? on Yahoo Lays Off 600; Free Beers and Jobs Flow · · Score: 1

    Yahoo is a bit weak in the search engine area, but as someone mentioned earlier, they do own Flickr. When signing-in, I've noticed that Yahoo is trying to capture the "portal" status it once had. The campaign talks about having all your stuff in one place, but what it seems like is having all of your passwords stored in a central location, which to me is just a bad idea. Yahoo's not as likely to get hacked as, say, Lifehacker's site - but do I really want to access my bank through Yahoo? Not likely. I use Google for searching and Yahoo because of Flickr - but that's it. When people send me e-mail to my Yahoo account, I summarily ignore it. There have been people who have spoken to me months later saying "hey, did you ever get my e-mail?" It's funny. Then I give them my real e-mail address, and we're good.

    I lost faith in Yahoo when they locked down their web-based e-mail service into this Ajax-y, Flash-y garbage. When will companies learn I want to browse using my browser? Also, you can't POP/IMAP your e-mail without paying, and who wants to pay for e-mail when I can have it free elsewhere?

    For what I do, Yahoo just isn't relevant for much of anything anymore. The secret to making an award-winning portal site is to create content that people will come back to and visit every day. Heck, Slashdot with achievements has far more pull for me daily than Yahoo's messy cluttered flashy home-page.

  24. Open-Source on FBI Alleged To Have Backdoored OpenBSD's IPSEC Stack · · Score: 1

    As an open-source advocate, I often tell people the "more eyes on the code means improved security." I would say this is true in general, on average, given large values of X. For specific issues, well-buried in the code, you might not catch it. Back when I was in development, they used to use all sorts of tools to find backdoors, hidden code loops, unused code fragments. I'm wondering why after all these years, no one caught it? I guess my pie-in-the-sky fantasy is that my security buddies in the open-source community are ever vigilant, actively seeking this very thing, and squashing any attempts to insert something so malicious into the code base. On the other hand, hardly anyone would have the chance to find this on the closed-source side, so even just the opportunity to review/audit the code is far better, IMHO, than no opportunity at all.

    Someone posted a code snippet earlier. I'm not sure if it was a joke or the actual backdoor grepped and shown here. However, this type of backdoor should have a signature, and someone should write an open-source application that constantly searches through the code-base looking for logic that doesn't look right. If that snippet is what all this fuss is about, that could have easily been found with a simple grep command...years ago. I'm not just worried about the government, but what about just malicious people in general? Who's to say there haven't been sophisticated, hacker-friendly vulnerabilities just waiting to be exploited in Linux, BSD or Windows?

  25. Information Security on Sheriff's Online Database Leaks Info On Informants · · Score: 1

    On the one hand, I see how important it is to control personal information, whether it's your information or if you are the person entrusted to keep it safe. On the other hand, I see government-style regulations like HIPAA causing nothing but heartache and useless redundant paperwork for service providers and consumers alike. I mean, Jesus, how many times should I have to sign a HIPAA disclosure statement? Multiply that times the number of people in the United States who visit the doctor, times the number of times those people go to the doctor per year; that's a lot of trees, and that's just one single form that everyone is required to fill out. Disaster. In the end, does it really keep your information safe, or is it just the appearance of safety? Would that disclosure keep someone from hacking into a database server and performing a full dump of its contents? I don't think so. I mean, it might compel improved security, better training, and (once again) more paperwork and identification checking - but credentials can be forged, people can be compromised using social engineering strategies and paperwork is pretty much useless except for lawyers to pore through later at $250 an hour.

    I do like the idea of a set of standardized, public, standards-based (open-source?) information security guidelines that businesses can follow check-list style, with auditing for maximum benefit, possibly tiers ("Silver" for check-list compliance, "Gold" for annual audits, "Platinum" for monthly audits by a certified third-party). My password was one of the many leaked over on Lifehacker, but that's okay, because compartmentalization is a basic security premise I live by. Compromised in one area? That's okay. The 200+ other places I connect are still secure. But, seriously, how would one know when creating an account for the first time on a service that the place is secure or not?

    Take that a step further, and more germane to this discussion, any of these informants could be tracked down and killed. Granted, if someone were to gain access to my "I Can Haz Cheeseburger?" profile, they could wreak some serious havoc. But if local criminals had access to an indexed database of informants, I would consider that a slightly more serious compromise.

    The government needs to have some sort of oversight department (Homeland Security, perhaps?) that has the authority and responsibility to randomly audit every agency in the US that stores sensitive information. The data owners need to be held accountable for their fiduciary responsibility for this information, and heads would need to roll if there's a compromise of this nature and depth. In the case of an audited system, why wasn't this caught? What was that, six or seven months? It's a bit scary that it took someone performing an Internet search to fix this leak. An easy way to fix this problem would be to pepper all databases with normal-looking but fake information. Set up a Google Alert for each piece of information and if that info is seen anywhere by Google, trace the leak. I'll bet Google could have found the leak much sooner, and a large company like that could easily be asked to purge the data and assist with forensics.