Slashdot Mirror


User: Daedala

Daedala's activity in the archive.

Stories
0
Comments
171

Comments · 171

  1. Mod Parent Up on DNS Cache Poisoning Update · Score: 4, Informative

    It's an externality. The invisible hand of the market isn't going to fix things for you

  2. Re:Easier to track on Indian Call Center Employees Hack US Bank Accounts · Score: 2, Insightful

    Banks are not relying on their ability to audit all transactions. They are relying on _your_ ability to audit your transactions. Big difference. Balance your checkbook.

  3. This is news? on Finding the Pits In CherryOS · Score: 1, Insightful

    No, not really. Tell me what the PearPC group (or whoever) is going to do about it -- that's news. It might even be worthy of the front page. But this is beating a dead horse.

  4. Re:Why rumors? on Apple's Dev. Tools Hint @ Dual-core G5 & Quad Mac · Score: 3, Funny

    It's much less messy than reading entrails, though.

  5. Re:Oops on Google's Technology Explored · Score: 2, Interesting

    Hmm. It must have been corrected; I did a direct copy/paste for my quote.

  6. Oops on Google's Technology Explored · Score: 5, Funny

    Theoretically, he said, if someone searches for "Bay Area cooking class," the system should know that "Berkeley courses: vegetarian cooking" is a good match even though it contains none of the query words.

    One word: cooking.

    I'm sure the principle is sound. I just think the example is a leetle bit flawed.

  7. Re:WAPI is old on China Walks Out of Wireless LAN Security Talks · Score: 3, Insightful

    This article doesn't name names. It doesn't analyze anything. It just reports hearsay. Until I see an analysis of WAPI that someone actually takes responsibility for, and uses actual facts about the standard rather than anonymous sources, I won't accept the notion that of course it's a stupid idea. After all, they had the great example of WEP to see what not to do.

  8. Re:You can't sell shit to a cow farmer on China Walks Out of Wireless LAN Security Talks · Score: 2

    ISO rubber stamps the 802 documents because 802 has a long history of successful open standards development. Whining 'it's not fair! They won't take our spec but they will take the IEEE specs' is disingenuous bullshit and they know it. There is a basic quality threshold you have to pass first.

    Like the one WEP passed? If that's what rubber-stamping the IEEE gets us, then maybe China is right to whine about fairness. WEP wasn't just bad, it was moronic.

    China does have good cryptographers. They beat SHA-1. IEEE has screwed up cryptography multiple times. Maybe WAPI is worse than 802.11i, maybe it's not. Is there a decent analysis that backs up this assertion?

  9. What is WAPI anyway? on China Walks Out of Wireless LAN Security Talks · Score: 3, Informative

    Now that's security theater...

    Here is a paper that describes the WAPI standard. As a cryptodilettante, damned if I know if it's any good.

  10. Re:Free credit reports... on 100,000 More Social Security Numbers Exposed · Score: 2, Insightful

    Annual, imnsho, isn't often enough. Further, the reports you get DO NOT SHOW ALL THE INFORMATION CREDITORS SEE. Yes I'm shouting. You could still be a victim of ID theft and not know until you tried to make a major purchase, because even though the report you see shows your history is perfect, it's a squeaky-clean version. Creditors can ask for all the data. You can't. Bob Sullivan is right.

  11. Re:Credit report monitoring on 100,000 More Social Security Numbers Exposed · Score: 1

    Instead, they sell you identity theft insurance and "PrivacyGuard" and stuff. I have never done this before, but I can't resist:

    1. Design system to make money
    2. Sell insurance against the flaws in the system
    3. Profit!

  12. Re:lots of large scale compromises lately on Online Trust Failing Overall · Score: 2, Insightful

    I disagree. The problem isn't online commerce; it's commerce in general. "Online" is a scapegoat. The industry has already lost your information. It's been gone for years. Commerce in general doesn't work, because it depends on information that everyone ought to know by now is not secret.

    I don't worry about online banking or shopping per se. I worry that someone can walk into a bank, say they're me, and buy a house with my credit rating. I worry that someone can order a plasma TV over the phone with my credit card to launder money. And yes, I worry that someone can apply for a new credit card in my name over the Internet -- but that's a subset of the problem. How can you make online commerce safe when commerce itself isn't safe?

    We need to prevent compromises, but that won't solve the problem. We need to make it harder for people to steal money armed with only a name and an SSN. Except without instant credit, the American economy would collapse, then the world, and then where would we be?

  13. Re:how does the average user validate the source? on UK Government Launches Virus Alert Service · Score: 1

    Actually, I'm not sure their method isn't sufficient for what they are. If all they do is send occasional alerts that say "there's a patch, go fetch," then they don't actually need major security or encryption. They are not a bank; they do not have personal information on you. It's a freaking mailing list. The main question is whether they will put links in their emails, and how they handle customer education on phishing/spoofing. But even so, a personalized subject line seems to me to be sufficient, provided they don't start collecting information and make that clear to users.

  14. Re:Break only affects carefully constructed messag on More on Newly Broken SHA-1 · Score: 1

    For 2, it's still cheaper to buy an insider.

  15. Re:Time to get a new cell phone provider? on More Holes Found in T-Mobile Website · Score: 1

    I'm sorry, I'm in the middle of moving and don't have the time to look up my sources.

    But: 70% of id theft is from insider data theft. The studies that say "most id theft is from stealing wallets/dumpster diving/etc" are talking about cases where people know how they lost the data. It's easy to know if your wallet's gone walkabout. Most people simply don't know where their data went or how. Search for "University of Michigan" and id theft to find the study. There is nothing that anyone can do about insider data theft. Look up Teledata.

    As for you not being liable for fraud in your name -- sure, yeah. But how are you going to prove it wasn't you? This is increasingly difficult and the systems are set up to put the burden on you to prove it wasn't you, not the creditor to prove it was. Just read the advice at the FTC on how to clear your name, and look between the lines -- you can't even reliably get a police report, which many false creditors require.

    You may notice problems with your accounts, but do you check your credit report often enough to notice new fake accounts? And even if you do, Bob Sullivan at MSNBC reported that it doesn't necessarily help -- you get a cleaned-up version, not what your banker or car loan place might see.

    There was a bank president (or someone of similar financial heft) who became a victim of ID theft, and he worked on clearing it as a normal person would, without his position to help him. Even he -- who even if he wasn't pulling strings knew the industry inside and out -- had trouble with it. That's from Bob Sullivan again; I'm not sure if it was his book or MSNBC.

    When I say that there is nothing that people can do about identity theft, I really mean it. People have been sued five years after they "finally" cleared their names for not paying the fake mortgage taken out on their homes. I have a coworker who was never able to clear his credit, despite working for infosec at a freaking bank. As for insurance -- "id theft insurance" is offered by the very people who set up the system that enables the problem. Anyone who thinks that you can prevent identity theft or easily recover money lost due to it has no idea how banking works. And that's just how the financial industry wants it.

  16. Re:Time to get a new cell phone provider? on More Holes Found in T-Mobile Website · Score: 1

    Almost -- this still doesn't protect you from immigrants borrowing your SSN to get a job, and criminals using it to avoid the consequences of crime.

  17. Time to get a new cell phone provider? on More Holes Found in T-Mobile Website · Score: 4, Insightful

    The problem is that there's no point [for Americans; there may be for people in other countries]. What, exactly, is getting a new cell phone provider going to do for you? It will punish T-mobile for not being careful with your data, which is deserved. But will it protect your data? Not really. Oh, if you use their data services you might prevent some eavesdropping or picture-stealing...or might not. T-Mobile got caught, but that doesn't mean the other services aren't having problems.

    But it won't protect your personal data. That is out of your hands and has been for the last thirty years or so. Your personal information has already been given away or sold by ChoicePoint, the government, the credit bureaus, and everyone else. Your only option is to assume it's gone, check your credit report regularly, and hope someone isn't using your social security number. Identity theft isn't something you can do anything to prevent. You can only catch it in time, and then hope you can fix it. Despite all the rosy stories about how after 300 hours of work people managed to clear their names, there are real stories of people who don't get their money and credit ratings back. There simply haven't been any solid studies one way or the other -- it's all anecdotal.

    No, I'm not fucking bitter at all.

  18. Re:Who cares? on Google Gets Away With What Microsoft Couldn't · Score: 4, Funny

    I am not hypothetical!

    Oh, wait, I'm female, and I'm on slashdot. I take that back. I am hypothetical.

  19. "Days of Risk" vs. Full Disclosure on Study Finds Windows More Secure Than Linux · Score: 5, Insightful

    Neither article defined "days of risk" to my satisfaction. Is it "days since the vulnerability was published" or "days since the vendor was informed of the vulnerability"? I suspect that Microsoft is more likely to hear things privately early. ASN.1 library anyone? It was discovered in July 2003, and announced and patched in February 2004. Was that six months of risk or one day?

    Secondly, there's no discussion of how the criticality of a vulnerability was weighed. If every "day of risk" for Windows was "critical," and every "day of risk" for RedHat was "moderate," then I'd differ with their conclusions. Further, there was no mention of whether they considered actual exploits in the wild.

  20. Re:WiMax is here already.... on WiMax Technology Could Blanket the US? · Score: 1

    There are, in fact, deployments of WiMax (or at least pre-WiMax) according to the IEEE. Sites include Owensboro, KY and Seattle, WA.

  21. Re:30 mile range! on WiMax Technology Could Blanket the US? · Score: 1

    What you need is an antenna.

  22. Re:Make it public! on WiMax Technology Could Blanket the US? · Score: 1

    The EU standard is HIPERMAN. The WiMax Forum FAQ says

    The IEEE 802.16-2004 (256 OFDM PHY) and ETSI HiperMAN standards share the same PHY and MAC specifications. The WiMAX Forum is active in both standards organizations to ensure that a single global standard for Wireless MAN is adopted.

    What this actually means is that the WiMax Forum is working to make sure that WiMax and HIPERMAN products interoperate (not that WiMax eats HIPERMAN or vice versa). US and EU must always make their own standards. It's more fun that way.

  23. Re:And when the house burns down??? on Turnkey Linux RAID Solutions? · Score: 2, Insightful

    Perhaps the cheaper RAID would enable him to afford a good tape backup system and offsite storage.

  24. Re:Just Three? on Kerberos: The Definitive Guide · Score: 0, Troll

    Yeah, but that's Hesiod. Who believes Hesiod over Virgil?

  25. Re:Kerberos? on Kerberos: The Definitive Guide · Score: 4, Informative

    Actual answer:

    Kerberos is an authentication protocol. You have a client, a server, and a kerberos server. The kerberos server itself has three parts, the key distribution center, the authentication server and the ticket granting server. This is a symmetric encryption system: no public or private keys, just private keys.

    Before anything happens, both Client and Server share their cryptographic keys with the Key Distribution Center. This setup is required for kerberos to work. Kerberos doesn't work if you can't set things up beforehand.

    When it's authentication time, Client goes to Ticket Grantor and says, "I want to talk to Server, and here's my key." Ticket Grantor asks Server, "Client wants to talk to you. Is that okay?" Server says it's okay, so the Ticket Grantor sends a ticket-granting ticket (encrypted with Ticket Grantor's key, so only TG can read it) and a session key (encrypted with the Client's key, so only Client can read it) to Client. Note that at this point we haven't authenticated Client -- we've just checked that Client is authorized to talk to Server.

    Client unencrypts the session key using its own key. If Client really is who it says it is, the unencrypted key will be correct. Client goes to Ticket Grantor with the ticket-granting ticket and the session key and says, "Look, I can do it! It's me! Gimme a real ticket already so I can talk to the server." Ticket Grantor says "Ok" and gives the Client a ticket encrypted with the Server's key and a new session key encrypted with the Client's key.

    The Client decrypts the session key: now it knows how to handle talking to the Server. Then it sends the Server the ticket. If the Server is who the kerberos server thinks it is, it will be able to decrypt the ticket and establish a session with the client.

    It's more complicated than that, but I think this covers it. Does that help? I expect if I have erred I will be corrected forthwith, as nothing gets the right answer faster than posting the wrong one.
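The ticket-and-session-key exchange sketched in the comment above, as an added, runnable model that is not the commenter's code nor any real Kerberos implementation. It follows the standard three-exchange shape (AS, TGS and AP exchanges, with a `krbtgt` key for the ticket-granting service, as in RFC 4120), so the second session key is sealed under the first session key rather than the client's long-term key as the comment states. All keys, principal names and the `seal`/`open_` cipher are constructed for the demo: the cipher is a toy SHA-256 keystream plus HMAC tag standing in for a real enctype, and must not be reused elsewhere.

```python
import hashlib
import hmac
import json
import os
import time

TAG_LEN, NONCE_LEN = 32, 16


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # Toy keystream (constructed for this demo): SHA-256 over key || nonce || counter.
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]


def seal(key: bytes, obj: dict) -> bytes:
    """Encrypt-then-MAC a JSON object under a symmetric key: nonce || ct || tag."""
    pt = json.dumps(obj, sort_keys=True).encode()
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_(key: bytes, blob: bytes) -> dict:
    """Verify the tag first; a wrong key or a tampered ticket fails here, before decryption."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("bad key or tampered message")
    pt = bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))
    return json.loads(pt)


class KDC:
    """Key distribution centre holding every principal's long-term key (shared beforehand)."""

    def __init__(self):
        self.keys = {"krbtgt": os.urandom(32)}  # key of the ticket-granting service itself

    def register(self, principal: str, key: bytes):
        self.keys[principal] = key

    def as_exchange(self, client: str, now: int):
        # AS-REP: TGT sealed under the krbtgt key, session key sealed under the client's key.
        sk = os.urandom(32)
        tgt = seal(self.keys["krbtgt"], {"client": client, "key": sk.hex(), "expires": now + 600})
        return tgt, seal(self.keys[client], {"key": sk.hex()})

    def tgs_exchange(self, tgt_blob: bytes, authenticator: bytes, service: str, now: int):
        # TGS-REP: the authenticator proves the requester holds the TGT session key.
        tgt = open_(self.keys["krbtgt"], tgt_blob)
        if tgt["expires"] < now:
            raise ValueError("TGT expired")
        sk = bytes.fromhex(tgt["key"])
        auth = open_(sk, authenticator)
        if auth["client"] != tgt["client"] or abs(auth["time"] - now) > 300:
            raise ValueError("bad authenticator")
        svc_key = os.urandom(32)
        ticket = seal(self.keys[service], {"client": tgt["client"], "key": svc_key.hex(), "expires": now + 600})
        return ticket, seal(sk, {"key": svc_key.hex(), "service": service})


def client_login(kdc: KDC, name: str, client_key: bytes, service: str, now: int):
    """Client side of AS and TGS exchanges; returns the service ticket and its session key."""
    tgt, enc = kdc.as_exchange(name, now)
    sk = bytes.fromhex(open_(client_key, enc)["key"])  # wrong long-term key -> ValueError
    ticket, enc2 = kdc.tgs_exchange(tgt, seal(sk, {"client": name, "time": now}), service, now)
    return ticket, bytes.fromhex(open_(sk, enc2)["key"])


def service_accept(service_key: bytes, ticket: bytes, authenticator: bytes, now: int) -> str:
    """AP exchange: only the real service can open the ticket; returns the authenticated principal."""
    t = open_(service_key, ticket)
    if t["expires"] < now:
        raise ValueError("ticket expired")
    a = open_(bytes.fromhex(t["key"]), authenticator)
    if a["client"] != t["client"]:
        raise ValueError("authenticator does not match ticket")
    return t["client"]


def run_demo():
    """Honest client is accepted; a client holding the wrong key never gets past the AS-REP."""
    kdc, now = KDC(), int(time.time())
    alice_key, fileserver_key = os.urandom(32), os.urandom(32)
    kdc.register("alice", alice_key)
    kdc.register("fileserver", fileserver_key)
    ticket, svc_key = client_login(kdc, "alice", alice_key, "fileserver", now)
    accepted = service_accept(fileserver_key, ticket, seal(svc_key, {"client": "alice", "time": now}), now)
    try:
        client_login(kdc, "alice", os.urandom(32), "fileserver", now)  # impostor without alice's key
        wrong_key_rejected = False
    except ValueError:
        wrong_key_rejected = True
    return accepted, wrong_key_rejected


if __name__ == "__main__":
    print(run_demo())
```

The point worth noticing is where each check fails: the impostor's request is rejected when it cannot open the sealed session key, so it never obtains a usable authenticator, and the service never needs to contact the KDC, because possession of the service key is what lets it open the ticket.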