Slashdot Mirror


User: louarnkoz

louarnkoz's activity in the archive.

Stories: 0
Comments: 76

Comments · 76

  1. Re:Safe just from prying eyes? on Eric Schmidt, Jared Cohen Say Google Data Now Protected From Gov't Spying · Score: 5, Interesting

    Governments can indeed ask for some data, using subpoena or in the case of the US "National Security Network." But for that, they have to actually ask, and the request has to be targeted, naming for example a specific individual. The NSA and the GCHQ were not content with that, they wanted to grab "everything," so instead of the legal channels they used a hack. The hack was to spy on the internal network of Google, and of other services as well, because these internal exchanges were not encrypted.

    According to Eric Schmidt, now they are. This is absolutely good news. It is also exactly what the Electronic Frontier Foundation is asking web services to do. You can check the relative state of Google and other services according to the EFF at: https://www.eff.org/deeplinks/....

  2. Tesla! on Electric Cars: Drivers Love 'Em, So Why Are Sales Still Low? · Score: 1

    I really love the Model S. Beats the BMW every day, and actually not more expensive than a series 7...

  3. Re:Encrypt everything. on GCHQ, European Spy Agencies Cooperate On Surveillance · Score: 3

    End to end encryption is the only answer here. Maybe instead of relying on server certificates, which could be compromised, do the reverse -- the client certificate is used to secure the connection. That way everyone can use a CA (or even issue their own) that they trust. ...

    Have you looked at the work going on in the IETF and other places to deploy "perfect forward secrecy?" The idea is to use a Diffie-Hellman exchange to negotiate a random key, and then only use the server certificate to prove the server's identity and knowledge of the key. Pretty much the same result as client certificates, easier to deploy, and with the added advantage that even if the server's key is compromised, the sessions' keys remain secret.

  4. Re:We owe our thanks to Mr. Snowden on Are the NIST Standard Elliptic Curves Back-doored? · Score: 1

    Actually, no. There is proof that Dual_EC_DRBG is much weaker than advertised. But the story is about the other elliptic curves that NIST standardized based on "contributions" from the NSA.

  5. Nostalgia, when IAB meant something else on IAB Urges People To Stop "Mozilla From Hijacking the Internet" · Score: 1

    Not so long ago, when we heard a reference to "the IAB," what came to mind was the "Internet Architecture Board" (http://www.iab.org/). That was the place where Postel or Cerf contributed... Times have changed.

  6. Re:We need counter intelligence tools on Schneier: The Internet Is a Surveillance State · Score: 2

    Great idea. I can see that, a "cookie exchange bank." You donate a cookie to it, and in return it provides you with a cookie donated by some random user. There are a few precautions to take, e.g., do not donate your bank's password, but it could definitely be fun.

  7. Re:Sob story, but ultimately lacking. on Do Patent Laws Really Protect Small Inventors? · Score: 1

    He could not in fact patent something as broad as 'a mechanism for generating electrical energy from human input' because such mechanisms have been around for maybe 100 years. The old bicycles, for example, had a little dynamo that powered the head light and back light. It got its power from friction on the wheel, which was powered by the human cyclist...

    What this story really exposes is the hubris of the inventor. Say you work a couple of months on an invention, and file a patent. Do you really expect years and years of revenue? Really?

  8. root trust: the hole in PKI, SSL, TLS! on Turkish Registrar Enabled Phishing Attacks Against Google · Score: 4, Interesting

    Everybody thinks that if an "https" connection is securely established, if the browser displays a green light, then they are good. But it only proves that the other end of the connection showed a "valid" certificate, where "valid" is defined as "signed by one of the hundreds of authorities allowed to do so, or by any entity who somehow obtained a certificate with signing rights from one of these authorities."

    We have seen attacks like that before, e.g. the "Comodo" hacker (http://arstechnica.com/security/2011/09/comodo-hacker-i-hacked-diginotar-too-other-cas-breached/). My bet is that we will continue to see more of these, because the attack surface is just too large.

  9. Re:VoIP -- problem NOT solved on Secret Stingray Warrantless Cellphone Tracking · Score: 2

    VOIP will protect the data if the content is properly encrypted, but headers and locations are still exposed. The phone can still be identified and located, which is already great information for the police. The IP addresses can be tracked in the header and voila, pen-register services without a warrant. And if VOIP is not encrypted, or if the encryption is weak, even the content can be accessed.

  10. Re:Join the army on Ask Slashdot: What Would Your 'I've Got To Disappear' Plan Look Like? · Score: 2

    Another requirement is to pass physical and medical tests. The Legion won't take you if you have poor eyesight, weigh too much, or are otherwise unfit. The mythical slashdot readers who spend their days snacking in front of the computer might have a hard time getting accepted.

    On the other hand, if you are accepted in the Legion, you will have a fun time in places like Afghanistan, Djibouti or the Ivory Coast, to name a few. If your goal was to escape being shot at, you may want to reconsider.

  11. Re:This is getting stupid. on ICANN Backflips Again · Score: 1

    ICANN was supposed to manage the legacy of Jon Postel. Instead, it is managing the interests of a coterie of Internet parasites. As the parent said, "the new top-level domains (and some of the existing top-level domains) are basically a money grab," effectively allowing the new registrars to levy taxes on trademark owners. Good old-fashioned blackmail, as in "nice trademark you have here, you would not want something bad to happen, like having it managed by a porn site or a competitor, what about getting some protection?"

  12. Re:Huh? Not random! on A Few Million Virtual Monkeys Randomly Recreate Shakespeare · Score: 1

    Randomness will produce everything indeed. But this experiment is not random. The monkeys are not *producing* the work of Shakespeare. They are *reproducing* it. The master program already knows the work, and has it programmed in its tests. There is a big filter here: take this random bit, and decide whether it is "part of Shakespeare's work." Not quite the same as letting the monkeys type a full page, and then have readers decide whether this is "as good as Shakespeare." Prior knowledge killed Schrödinger's Cat!
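
    The distinction this comment draws, as an added simulation that is not part of the original thread (my code, with a constructed 27-key alphabet): a monkey typing with no feedback is expected to need |A|^n attempts to hit an n-character target, while the "master program knows the answer" filter keeps every matching keystroke and needs only about |A|·n keystrokes, which is why the filtered experiment is reproduction rather than random production.

```python
import random

# Constructed toy keyboard: 26 lowercase letters plus space (27 keys).
ALPHABET = "abcdefghijklmnopqrstuvwxyz "


def expected_keystrokes_unfiltered(target: str, alphabet: str = ALPHABET) -> int:
    """A monkey with no feedback: each attempt types len(target) keys and
    succeeds with probability (1/|A|)**len(target), so it takes on average
    |A|**len(target) attempts (geometric distribution) of len(target) keys."""
    return len(alphabet) ** len(target) * len(target)


def expected_keystrokes_filtered(target: str, alphabet: str = ALPHABET) -> int:
    """The filter the comment describes: the program knows the target and keeps
    each keystroke that matches the next needed character, so each character
    costs |A| keystrokes on average (1/p with p = 1/|A|)."""
    return len(alphabet) * len(target)


def filtered_monkey(target: str, seed: int, alphabet: str = ALPHABET) -> tuple:
    """Simulate the 'reproducing' experiment with a seeded generator.

    Returns (text, keystrokes). The text is always the target by construction:
    prior knowledge of the answer is built into the acceptance test, so the
    randomness only decides how long it takes, never what comes out."""
    rng = random.Random(seed)
    typed = []
    keystrokes = 0
    for wanted in target:
        while True:
            keystrokes += 1
            if rng.choice(alphabet) == wanted:
                typed.append(wanted)
                break
    return "".join(typed), keystrokes


if __name__ == "__main__":
    line = "to be or not to be"
    text, used = filtered_monkey(line, seed=7)
    print(f"filtered run reproduced {text!r} in {used} keystrokes")
    print(f"expected filtered:   {expected_keystrokes_filtered(line)}")
    print(f"expected unfiltered: {expected_keystrokes_unfiltered(line)}")
```

    The unfiltered figure for an 18-character line is 27^18 × 18 keystrokes, far beyond anything a few million virtual monkeys could type; the filtered run finishes in a few hundred.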

  13. Third parties make that untenable on UK: Open Standards Must Be Restriction Free · Score: 1

    This is a vexing problem because not all patent holders participate in the standard making. If a company participates in the standard making, the standard organization has leverage: guarantee that others can use your patents under reasonable conditions, preferably free, or we will not consider your contributions. But if a company does not participate, the standard making organization has no leverage at all.

    Consider for example what happened to Wi-Fi. The IEEE has a fairly detailed patent policy, and the Wi-Fi standards have been very successful. But after millions of cards were sold, CSIRO came out of the blue and asserted a patent on indoor OFDM that they said covered Wi-Fi. The resulting lawsuits have cost millions.

  14. Re:Finally on New Worm Morto Using RDP To Infect Windows PCs · Score: 1

    Microsoft's analysis is published at: http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Worm%3AWin32%2FMorto.A

    The list of passwords that the worm tries is interesting. Apart from the obvious abc123 and the like, the worm tries "RavMonD" and "zhudongfangyu". Is that a clue? Some Chinese homage to the bazaar?

  15. Challenge response is dead, almost. on Cheap GPUs Rendering Strong Passwords Useless · Score: 1

    The problem with NTLM has been known for some time, but it is not just NTLM. It is in fact any challenge response protocol. Check this slide deck presented at the IETF in 2005: http://www.huitema.net/talks/ietf63-security.ppt. The punch line is simple: don't rely on challenge response protocols! If the attacker can see both the challenge and the hash, and if the password can be remembered by the user, it will probably be cracked.

  16. I was learning that in the 60's on Could You Pass Harvard's Entrance Exam From 1869? · Score: 1

    The Latin and Greek questions are actually pretty simple. Latin and Greek were still fairly common options in French high school in the 60's, and I studied all that. The Latin reference text here being Caesar's "De Bello Gallico," which we were studying in the 7th or 8th grade. The Greek reference text is Xenophon's Anabasis, which we were studying in the 9th or 10th grade. Both Caesar and Xenophon are considered "easy" - they use fairly direct language and constructions. Similarly, the grammar questions correspond more or less to your first or second year of language study. The references to Roman and Greek history, e.g. Actium, Pharsalis, Jugurtha may feel fairly obscure now, but are in fact part of the basic curriculum of "Ancient History." Bottom line, the test was not very hard for a high school student who paid attention in class. I was surprised to see that they would provide the translations of the words as part of the question. We did not have that available when passing exams.

  17. Re:Where are the torrents? on Beware of Using Google Or OpenDNS For iTunes · Score: 1

    I was not so much thinking of getting the bits from fellow users as getting the bits from several Akamai servers -- or similar. Instead of blindly following some dumb "closest IP" rule, the download could test a couple of candidate servers and get the bits from those with the best bandwidth -- much like torrents do.

  18. Where are the torrents? on Beware of Using Google Or OpenDNS For iTunes · Score: 3, Insightful

    Load balancing based on the DNS resolver is so 1999! Even when it works, it works by chance, and does not test the actual speed between your PC and the potential servers. Compare that to Bit Torrent, which actually tests the speed of the downloads. You really wonder why Apple, and Akamai, would not use some kind of torrent technology!

  19. Re:Dual stack failed? on After IPv4, How Will the Internet Function? · Score: 1

    Quoting an AC to start the conversation, penning a lead with bold statements that are not much supported in fact... Slow news day, probably.

    Pretty much every PC, server or even smart phone OS ships with dual stack. Enable IPv6 on your home gateway and poof, IPv6 in your PC lights up. At the same time, your PC can keep using IPv4 for non IPv6 web sites, or for that old Ethernet enabled printer in the basement. It works pretty much as expected. Not having unique IPv4 addresses does not change anything to the question -- IPv4 goes through NAT, IPv6 goes direct.

  20. Re:Why engines are falling apart - fiberglass tank on Once-Darling Ethanol Losing Friends In High Places · Score: 1

    Ethanol is a big problem for boats that often have fuel tanks made of plastic or fiberglass. Some of the plastic gets dissolved by the ethanol, and then ends up clogging various engine parts. The Boat US association has done extensive tests of that: http://www.boatus.com/seaworthy/fueltest.asp#results. The real worst case comes if ethanol is mixed with diesel, transforming a basically safe fuel into one that can explode. Really not a good idea.

  21. Re:In the wake of Thursday... on UN Considering Control of the Internet · Score: 1

    It is not so much "the UN" as "a group of authoritarian governments." The Internet enables freedom of speech. The Saudi kingdom and the Chinese communist party, to give two examples, don't like that. They have tried very hard to build their own nationwide firewalls, in the name of protecting religion or political harmony. But firewalls cannot control what happens outside of their borders.

    They would go under the name of "internet governance" and argue against "US domination", but the dream of dictatorships is clear. In addition to controlling what can be written within the borders of their countries, they would very much like to extend censorship world-wide.

    And if it can create a few more cosy positions for international bureaucrats, the UN will love it!

  22. Louis Pasteur on Sciencey Heroes For Young Children? · Score: 1

    I am sure children could relate to the guy who invented pasteurized milk, discovered germs, found the vaccine for rabies, etc...

  23. Let's say that this is really idiotic! on Sophos Researcher Suggests Password 'Free' to Spur Wi-Fi Encryption · Score: 2, Informative

    There are so many ways this suggestion is wrong, it is not even funny.

    TFA says WPA2 negotiates unique encryption keys with every computer that connects to it. This means you and I cannot spy on one another's traffic even when sharing access on the same access point. That's true, but anyone who can listen to the exchange and know the shared key will be able to learn the key. Plus, there is a very neat man in the middle attack.

    Suppose that I am an evil sheep herder near a Starbuck cafe. Nothing prevents me from broadcasting a Wi-Fi beacon that announces that I am running a Starbuck access point. Here comes the sheep, who is really happy to see that the connection is secure. Hey, he used WPA2 and the "free" password, his packets are encrypted. Except they are all coming to my laptop. Oops!

  24. Re:It's all about entropy -- but you can fix that! on Distinguishing Encrypted Data From Random Data? · Score: 1

    Encrypted files have maximum entropy, just like absolutely random files. Basically, you can't tell which one is which. However, absolute random noise on a disk isn't all that usual, so any encrypted file (or pure random file) will stand like a sore thumb: it will be highly visible. But, again, you can't tell the difference.

    Absolutely correct. Any "investigator" who finds a pure random file will immediately suppose that it contains encrypted data. I mean, what else? Compressed files are not random, and there is no real good reason to store gobs of random data on a disk. OK, maybe you can come up with a good reason, such as doing research on random numbers, but that will be highly suspicious.

    On the other hand, it is possible to systematically add entropy to a file. One very simple way may be to consider the random bits as codes in a variable length alphabet, much like a Huffman code. You can then "decompress" the random file using the variable length code. Voila, a larger file with the desired entropy/redundancy. It will look like binary data, not encrypted data.
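
    The "decompress the random bits through a variable-length code" idea above, as an added worked example that is not part of the original thread (my code; the eight-symbol prefix code and the seeded pseudo-random input are constructed stand-ins, not anything from the story). Feeding uniformly random bits through a complete prefix code yields a longer byte stream whose symbol frequencies follow the code's lengths, so the empirical entropy drops from roughly 8 bits per byte to about 2, and because the code is complete (Kraft sum 1) the transform is invertible: the original random bytes come back from the shaped file and its bit length. The point for anyone relying on an entropy test to flag encrypted data is that a high-entropy file is a heuristic, not a proof, in both directions.

```python
import math
import random
from collections import Counter

# Constructed toy prefix code (Huffman-like). Short codewords for "common"
# symbols; the Kraft sum is exactly 1, so every bit string decodes uniquely
# and the mapping can be reversed. Not a code from the original thread.
CODE = {
    "0": ord("e"),
    "10": ord("t"),
    "110": ord("a"),
    "1110": ord(" "),
    "11110": ord("o"),
    "111110": ord("n"),
    "1111110": ord("s"),
    "1111111": ord("r"),
}
INVERSE = {sym: bits for bits, sym in CODE.items()}
MAX_LEN = max(len(bits) for bits in CODE)


def shannon_entropy(data: bytes) -> float:
    """Empirical entropy in bits per byte (0 = constant file, 8 = uniform)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def expand(random_bytes: bytes) -> bytes:
    """'Decompress' random bits through the prefix code.

    Random bits land on the short codewords most often, so the output has the
    skewed symbol distribution implied by the code (about 1.98 bits/byte here)
    while still looking like ordinary binary data rather than noise."""
    bits = "".join(f"{b:08b}" for b in random_bytes)
    out = bytearray()
    cur = ""
    for ch in bits:
        cur += ch
        sym = CODE.get(cur)
        if sym is not None:
            out.append(sym)
            cur = ""
    if cur:
        # A leftover partial codeword is always a run of 1s in this code; pad
        # it out to the longest codeword so no input bits are dropped.
        out.append(CODE["1" * MAX_LEN])
    return bytes(out)


def compress(expanded: bytes, nbits: int) -> bytes:
    """Undo expand(): re-encode the symbols and cut back to the original bit length."""
    bits = "".join(INVERSE[b] for b in expanded)[:nbits]
    return bytes(int(bits[i:i + 8], 2) for i in range(0, nbits, 8))


def demo(seed: int = 1234, size: int = 4096) -> dict:
    """Seeded pseudo-random bytes stand in for an encrypted or random file (constructed)."""
    rng = random.Random(seed)
    blob = bytes(rng.getrandbits(8) for _ in range(size))
    shaped = expand(blob)
    return {
        "input_entropy": shannon_entropy(blob),
        "output_entropy": shannon_entropy(shaped),
        "growth": len(shaped) / len(blob),
        "roundtrip_ok": compress(shaped, len(blob) * 8) == blob,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

    With this code the shaped file is about four times larger than the input, since each symbol carries roughly two bits of the original stream; a code with more, longer codewords would give any target entropy and growth factor, and the same construction works with any complete prefix code.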

  25. Two words: Bradley Manning on DoD Takes Criticism From Security Experts On Cyberwar Incident · Score: 4, Interesting

    The Army just suffered one of the largest leaks in military history, thanks to Pfc Bradley Manning and Wikileaks. You would think that the priority would be to investigate the incident, check how recruits working on army intelligence are selected, trained and supervised, and perhaps review procedures so a lowly private does not have access to 100,000 secret documents that are only remotely linked to his mission.

    Instead, we get this implausible thumb drive scenario. And guess what, instead of applying $0.02 of common sense, we will see a proposal to spend $2B on intelligence system upgrades and military contracts. Of course, senator, we have earmarked 20% of that for your state...

    -- Loaurnkoz