They deserve to be called astronauts, even if that dilutes the brand.
The definition of astronaut is anyone who travels into space. Space is defined as a certain altitude above the earth.
Ah. So you are one of those spacey-space-tourists who paid a couple of million USD to brag with "I'm an astronaut" to get laid and now you cry because you are being taken away your brag rights. My sympathies.
No. It's about fighting *Microsoft*, not *Micorsoft*. Your reasoning below started from an unmet precondition, and thus the argumentation is void. Better luck next time.
This is NOT "security through obscurity". It is a form of what's called "Better-Than-Nothing" security.
This topic is even worked on in the IETF for IPSec. (btns working group).
The idea is that, with a gnashing of teeth, you should admit that the deployment barrier for proper security, which solves all your problems, is too high for general adoption. Then, after having made up your mind in that respect, try to figure a method that only solves a subset of problems, but for a significantly lower price.
Obfuscated TCP seems to provide the property of confidentiality, but not endpoint authentication. You are right that you can still do MITM, but still it is better than nothing.
I proposed something similar for wireless LANs to some vendor some time ago, which I called WPA-NoAuth, where the traffic between STA and AP gets encrypted, but none of the two endpoints authenticates to each other. This would typically cater for "web-portal" authentication, where the authentication happens after associating with the AP, and no proper security schemes like IEEE 802.1X or WPA-sharedkey can be used.
Wasn't picked up with great enthusiasm though. Let's see if obfuscated TCP does.
(Disclaimer: I have nothing at all to do with the obfuscated TCP proposal, nor do I work for Google)
> imagine that there is some primitive tribe of humans with no knowledge of climatology, currently living in tropical or desert climes who, unbeknown to anyone, have a mutation which allows them to survive in hibernation in freezing cold temperatures, and then reawaken when it warms up again. [...] And then eventually the ice age ends and the world gets nice and warm, these people thaw out and start living their lives again.
Wow. I would never have imagined Jamaicans to be so... cool.
> Copyrights are forever, or as close to forever as can matter to anyone still breathing.
If I stop breathing, copyrights don't matter any more? *holds breath*
"WPA can be cracked if someone uses a simple passphrase, and even random passphrases can be cracked without a whole lot of effort simply by renting part of a botnet, or running your own."
You are assuming that WPA needs a human-configured passphrase here. Your calculations are all nice, but they refer to WPA-PSK (pre-shared key). If you use WPA with IEEE 802.1x (sometimes called WPA-"Enterprise"), a PMK (Pairwise Master Key) is generated by an AAA server *anew for every session*. I.e. as soon as someone logs off and on again, your calculations got to start from scratch. I'm assuming people don't stay connected 37 days continuously on a WiFi connection, so your botnet attack is rendered useless. To be on the safe side, you can set your APs to negotiate new keys at your personal paranoia level time interval even when connections persist.
Even with WPA-PSK, your reasoning is only correct if you really want the PMK of WPA-PSK. Your botnet could be faster if you just want the current session key: it is 128 Bits in length (both with TKIP encryption and AES), so you only need to try 2^128 numbers to get in. The amount of randomness for the PMK is irrelevant if you just want to get into a session quick-and-dirty. Another reason for WPA users to rekey every so often.
WPA-Enterprise is used worldwide in educational institutions in a free (as in spirit and in beer) manner right now, including worldwide roaming: check http://www.eduroam.org./. Even in Queensland numerous universities are participating and thus have something at their disposal that is way less susceptible than static session keys. http://www.aarnet.edu.au./Content.aspx?p=133/ suggests that University of Queensland is in, so I guess they are just doing the research to show people how unsecure WLAN networking is if you *don't* use IEEE 802.1x :-) Yes, that was a shameless sales pitch. This is slashdot, I'm *supposed* to promote my pet projects here, right?
Anything reasonably current doesn't route IPv6 in software. Yes, there's legacy stuff out there that will have to be dealt with, but there are solutions to those legacy hardware deployments that aren't terribly arduous. But it does mean people need to get started dealing with this *NOW* rather than later.
Cisco 4500 Series Multilayer switches. IPv4 in hardware, IPv6 in software. They certainly suck. Cisco is promising a new supervisor that can do IPv6 in hardware for ages, they just don't deliver. We have money. We need IPv6. Cisco currently ignores hardware IPv6 on anything less than a 6500, 7600 or CRS-1.
They pretty much said into our face: if you need IPv6, buy a 6500 - just that costs a tenfold of 4500 and except for IPv6, even the 4500 is oversized for us. Great deal. Even though we do have the money, we are not stupid enough to buy at _any_ price.
Cisco just wants to rip loads of money from the early adopters.
We are investigating switching to a new vendor. Its cases are blue.
> The government is just made up of, get this, people and they do fuck up from time to time, even on important shit. Well, for many of these conspiracies, you are talking about a whole shitload of people that would have to be involved. I mean think about the whole 9/11 thing. Think about the number of people it would take to quickly, covertly, plant explosives in the towers, direct a missile (no idea why they think it is a missile) at the Pentagon and then do all the subsequent coverup necessary is staggering. So you have all these people that need to be involved, and you have a very small pool that you can draw from. These people need to be ones that you can trust absolutely, and they also need to have essentially no morals at all. So it isn't like you get to be choosy and select only the very best in the world.
Well no, actually it takes just two men: Bush meeting his old friend Osama, saying "You know, I really wouldn't mind if, say, the WTC was blown up by an 'accident' of yours." Job done, and looks perfectly real - because it is. Not that I believe in any of this shit, but it's kinda nice to stir up new conspiracy theories :-)
That's really just not true. With IPv6, you can get a lot more anonymity than you have now with IPv4. v6 has all sorts of special provisions for randomly assigning addresses, letting you reset them when you want, so that you can appear to be a new user in the middle of a browsing session. That's tough to do with IPv4; even if you try a DHCP release-and-renew from your ISP, generally they won't issue you a new address until the other one has expired.
> IPv6 doesn't force you to give up any privacy, and there's no 'user serialization' unless you buy into it voluntarily.
Sorry, but that is just not true. There's some fuss in the air about IPv6 privacy extensions, which is basically bullshit. As an IPv6 customer, you'll typically get a /64 prefix of the address space for your broadband connection. The entire address length is 128 bits, so you might *think* that you can play a lot with different, random, "anonymous" addresses.
BUT: The whole /64 is assigned to YOU, the contractor of this specific broadband account. So however you variate behind your /64 prefix, it will always be accountable to the same block. If your ISP does its job right, your customer details will be delivered to RIPE, so that every content provider can conveniently look it up - no need to bug the ISP with such stuff, your cease-and-desist letter goes directly to your letterbox.
To illustrate my example, there's an IPv6 ISP in Germany that gives out even a /48 prefix - you could almost literally give an IP address to all the atoms in your house, and still have random space left for variations. Still, a RIPE query on the prefix 2001:4b88:107d:: shows that whatever happens with this /48 block gets this specific customer's credit.
If we're not counting accountability, but just usage tracking on websites etc, easy: just don't treat every IP address as unique (like in IPv4), but instead every /64. There you go, almost as accurate as before in IPv4.
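The per-/64 grouping described in the comment above, as it would look in server-side log accounting (for example per-client rate limiting or abuse reports). This is an added example, not part of the original post; the log entries are constructed, use documentation address ranges, and the names `client_key` and `group_by_client` are hypothetical.

```python
import ipaddress
from collections import defaultdict

# Constructed sample access-log entries: (client address, request path).
# Addresses come from documentation ranges (2001:db8::/32, 192.0.2.0/24).
SAMPLE_LOG = [
    ("2001:db8:aa:1:5c3f:91ff:fe02:11", "/"),
    ("2001:db8:aa:1:d4e1:7b02:99c3:4f10", "/login"),  # same /64, new temporary address
    ("2001:db8:aa:1:81a:22ff:3c9:beef", "/account"),  # same /64 again
    ("2001:db8:bb:7::25", "/"),                       # a different subscriber prefix
    ("::ffff:192.0.2.44", "/"),                       # IPv4-mapped IPv6 form
    ("192.0.2.44", "/login"),                         # same host as plain IPv4
]


def client_key(addr, v6_prefix=64):
    """Return the accounting key for one client address.

    IPv4 (including IPv4-mapped IPv6) is keyed on the full address.
    IPv6 is keyed on the covering prefix, /64 by default, so rotating
    the interface identifier does not create a "new" client.
    """
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    if ip.version == 4:
        return str(ip)
    # strict=False masks off the host bits instead of raising ValueError.
    return str(ipaddress.IPv6Network(f"{ip}/{v6_prefix}", strict=False))


def group_by_client(log, v6_prefix=64):
    """Aggregate log entries per client key; returns {key: {addresses, requests}}."""
    groups = defaultdict(lambda: {"addresses": set(), "requests": 0})
    for addr, _path in log:
        entry = groups[client_key(addr, v6_prefix)]
        entry["addresses"].add(addr)
        entry["requests"] += 1
    return dict(groups)


if __name__ == "__main__":
    for key, entry in sorted(group_by_client(SAMPLE_LOG).items()):
        print(f"{key:24} requests={entry['requests']} "
              f"distinct_addresses={len(entry['addresses'])}")
```

Passing `v6_prefix=48` covers the case of an ISP that delegates a /48 per customer, as in the German example mentioned in the comment.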
by Anonymous Coward Please insert real name to try again.
My post was referring to "prompt follows you when you click on a folder". THAT's what I never found on Windows. The method you reference opens a single-shot cmd prompt, which is afterwards independent from the instance of Explorer.
And, on a sidenote: pre-Vista you either needed a separate download (Power Toys) or some strange self-made scripting? How 90s.
How about you try to do the same thing in Konqueror and get back to me with your results?
Easy. Open Konqueror, click on "Window", "Terminal Emulator" and have your fun in the embedded command-line.
BTW, the command-line's current directory follows you when you click your way through folders in the GUI part. Now do *that* in IE :-)
> Login authentication does not prevent a man in the middle attack of the breakin sort.
It can, if you use a mutual authentication method, like EAP-TTLS, EAP-TLS or PEAP for your RADIUS login.
> You need end to end encryption, including encrypted login and certificate verification with secure exchange made pre-connection to provide security over a wireless link.
Correct, but all of this can be delivered with RADIUS and 802.1x authentication. MITM can be prevented. Just be sure to not use non-mutual authentication schemes like EAP-MD5. Those are susceptible to MITM attacks.
BTW, check www.eduroam.org for a secure WLAN auth system that scales to a world-wide scale.
The training for entire words could be quite effective if the subject you want to think/type about has a controlled, small vocabulary to keep the training base small. Obvious application: coding - the number of reserved words in programming languages is small enough. Plus, using a good IDE that proposes you words, a simple thinking of "3" to select the third choice in the combo seems quite an attractive coding model to me
> Personally, I'll happily pay to go to an official service, with high quality mp3 downloads, where I can quickly search by artist, song-title, album, etc. and find the exact track I'm looking for, know that what I'm getting is what is actually labeled, know what the quality of the file is, etc. As long as the files aren't DRM'd and the price is reasonable.
Like allofmp3.com? Luckily, it's perfectly legal in Russia and not all legislations in the world have been bribed to forbidding it. Living in Luxembourg, anyone? ;-)
to include them in a new anti-search engine that just zaps you through the internet, untargeted: http://www.webjumping.com/. Right now, it's based on a crawler that so far has only seen a tiny fraction. I'd love to have the complete, real thing in my database!
approach to fighting Micorsoft.
> True, but most people will use an alphanum pass with 10 characters or less.
Most halfway sane enterprise deployments will not use passwords at all, but WPA2-*Enterprise* with 128-Bit random seeds per user session.
there is a lot of solitaire and web surfing going on in many offices.
Or even slashdot reading and posting! Oh, wait...
> and raped my mother!
;-)
So that is how you came to be?
> Mathematics is my light and salvation: whom shall I fear?
Zero. And infinity. Especially on the denominator side of equations.
We just need TWO of those Ion Engines.
"WPA can be cracked if someone uses a simple passphrase, and even random passphrases can be cracked without a whole lot of effort simply by renting part of a botnet, or running your own."
:-) Yes, that was a shameless sales pitch. This is slashdot, I'm *supposed* to promote my pet projects here, right?
You are assuming that WPA needs a human-configured passphrase here. Your calculations are all nice, but they refer to WPA-PSK (pre-shared key). If you use WPA with IEEE 802.1x (sometimes called WPA-"Enterprise"), a PMK (Pairwise Master Key) is generated by a AAA server *anew for every session*. I.e. as soon as someone logs off and on again, your calculations got to start from scratch. I'm assuming people don't stay connected 37 days continuously on a WiFi connection, so your botnet attack is rendered useless. To be on the safe side, you can set your APs to negotiate new keys at your personal paranoia level time interval even when connections persist.
Even with WPA-PSK, your reasoning is only correct if you really want the PMK of WPA-PSK. Your botnet could be faster if you just want the current session key: it is 128 Bits in length (both with TKIP encryption and AES), so you only need to try 2^128 numbers to get in. The amount of randomness for the PMK is irrelevant if you just want to get into a session quick-and-dirty. Another reason for WPA users to rekey every so often.
WPA-Enterprise is used worldwide in educational institutions in a free (as in spirit and in beer) manner right now, including worldwide roaming: check http://www.eduroam.org./. Even in Queensland numerous universities are participating and thus have something at their disposal that is way less suscepible than static session keys. http://www.aarnet.edu.au./Content.aspx?p=133/ suggests that University of Queensland is in, so I guess they are just doing the research to show people how unsecure WLAN networking is if you *don't* use IEEE 802.1x
Wow! That's approx. 17 jumps through the space-time continuum, when each takes 1.21 Gigawatts. Which is the case, as we all know.
Mod parent down! He blinded me!
1. Cisco routers suck at IPv6.
Cya.
two words: RW media.