I work for Mozilla on Firefox and I just wanted to respond to some of the claims being made here. We've opened up the bug so that others can take a look (bug 570658), but there is not much to see, here. The bug says that:
1) if you visit a page that uses an iframe
2) and that iframe's src attribute uses a deceptive url (e.g. "http://safe.com@evil.com")
3) then we don't pop up a warning that the url is deceptive
What's odd about the bug is that there is very little value to step 2 - only someone examining the page's source would notice the iframe's src attribute, so it's not clear to me where the deception is supposed to come in. A genuinely malicious page would source their attack iframes directly, unless they thought that this deceptive url might fool our phishing/malware protection. It won't.
If someone thinks we're overlooking an attack vector here, we're really interested to hear it, but as described the attack feels pretty weak.
If you think we're missing something critical, please do comment in the bug or get in touch with our security group ( http://www.mozilla.org/security/ ).
Johnathan
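To make the point above concrete, here is an added example (not Mozilla's code and not anything from bug 570658) showing how the URL form in the report actually resolves, plus the kind of check a page-source reviewer would do by hand: pull every iframe src out of a page and flag the ones whose userinfo part reads like a host name. The sample page is constructed for this example.

```python
"""Added example (not Mozilla's code and not from bug 570658): how the
URL form in the report resolves, plus a checker that flags iframe src
attributes using it. The sample page below is constructed for this example.
"""
from __future__ import annotations

from html.parser import HTMLParser
from urllib.parse import urlsplit


def effective_host(url: str) -> str:
    """Host a browser actually connects to for this URL.

    In "http://safe.com@evil.com/" everything before the '@' is userinfo
    (RFC 3986 section 3.2.1); the request goes to evil.com.
    """
    return (urlsplit(url).hostname or "").lower()


def is_deceptive_userinfo(url: str) -> bool:
    """True if the URL carries a userinfo part that reads like a domain.

    Heuristic: a username containing a dot ("safe.com") looks like a host
    to a human, while the real authority is whatever follows the '@'.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or parts.username is None:
        return False
    return "." in parts.username


class _IframeSrcs(HTMLParser):
    """Collects the src attribute of every <iframe> in a page."""

    def __init__(self) -> None:
        super().__init__()
        self.srcs: list[str] = []

    def handle_starttag(self, tag: str, attrs: list[tuple[str, str | None]]) -> None:
        if tag.lower() == "iframe":
            for name, value in attrs:
                if name.lower() == "src" and value:
                    self.srcs.append(value)


def deceptive_iframes(html: str) -> list[tuple[str, str]]:
    """(src, real host) for each iframe whose src uses userinfo deception.

    The iframe's URL is never shown in the address bar, so reading the
    page source (or a checker like this) is the only place the trick is
    visible at all.
    """
    parser = _IframeSrcs()
    parser.feed(html)
    return [(s, effective_host(s)) for s in parser.srcs if is_deceptive_userinfo(s)]


# Constructed sample page: one ordinary frame, one using the userinfo trick.
SAMPLE_PAGE = """<html><body>
<iframe src="https://cdn.example.org/widget"></iframe>
<iframe src="http://safe.com@evil.com/frame"></iframe>
</body></html>"""


if __name__ == "__main__":
    print(effective_host("http://safe.com@evil.com/"))  # evil.com
    for src, host in deceptive_iframes(SAMPLE_PAGE):
        print(f"iframe src {src!r} really loads from {host}")
```

Note that `effective_host` is exactly what the browser's network layer computes: the userinfo is not consulted when deciding where to connect, which is why the frame loads from evil.com regardless of what precedes the `@`.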
Re:Patent protection? (on Cracking GSM, Score: 1)
I do hate to get bogged down in semantics, especially in such an off-topic thread, but I would argue that you are either being deliberately pedantic or missing the point. This is just the old denotation vs. connotation merry-go-round, but what the heck, eh? For old time's sake.
The argument states "if you make gun ownership a crime, then only criminals will have guns" and of course you are right that this is, prima facie, a logical tautology which is fine except that is not how anyone is intending the argument to be heard. Conversational implicature. The argument, if you prefer, can be stated as "if you make gun ownership illegal, then the only people who will have guns are unsavoury types who do not respect any laws, and who will now use their lack of guilt to advance their other criminal enterprises by way of their now-exclusive ability to possess firearms whereas in the past, though they might intend to use firearms in the commission of murder, robbery, or what-have-you, at least there was the notional deterrent that their (law-abiding) victims may also possess guns for purposes of defense." That is to say, people are expecting you, as a fellow human and English speaker, and as someone with a presumably compatible life experience and social context, to understand the word criminal as having significant, if not primary, meanings ASIDE from that of being someone who commits a crime.
I only mention all this because I have watched many interesting discussions become derailed by arguments like this which are not in any way relevant, but are nonetheless suggestive enough to be distracting. No personal attack is intended, of course.
Heh, I just can't get over the fact that the IDE we've been using internally for the last 6 months is getting so much play on slashdot and in the world-at-large.
One thing that's important to remember about eclipse is that it is a great deal more than your basic IDE. The pluggability really means that anything you can do in Java (or in principle, any language), you can make eclipse do. My department is focused entirely on using eclipse as an *application platform*. Think big. Yes, you can make it into a C/C++/Scheme/ML IDE, think bigger. Yes, you could definitely write a word processor plugin, and maybe plugin-ize an existing product. Think bigger. There's no reason in principle why you couldn't make a set of plugins that, for instance, made eclipse into something like zope or websphere -- your IDE could let you edit your php/jsp/perl, and then act as your development webserver too, for rapid prototyping. I dunno, I'm just pulling random things out of the air :) The point is, calling it modular might not be... emphatic enough. :)
As an IDE, it's pretty solid, I definitely encourage java developers to check it out, and as the C/C++ plugins solidify, I expect I'll move to it for my own C/C++ development too, if for no other reason than that I use it at work all the time. :) One thing that is both a blessing and a curse is that it does not (at least, our internal versions do not) come with a repository system a la Visual Age (IBM's older, less extensible Java IDE) -- instead that's up to you - we have teams using basic file system, cvs, cvs over ssh, and CMVC (a defect tracking and team file management tool that I imagine few outside IBM have ever seen. :) A curse in that out-of-the-box, you don't have team-managed repositories working like in VAJ, but a blessing in that you get to set up whatever fool system you like, maybe even keep whatever system you're already using. :)
Anyhow, just a few thoughts, the previous posts I've seen on eclipse seem to understate its extensibility. It's got the potential to be this decade's emacs - the application that is almost an operating system. :)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

You were, of course, correct 10 years ago when you guessed that PGP
would become a tool of the oppressed. But even huge, lumbering
totalitarian governments are not so slow as to miss the fact that
people are avoiding their censors. My guess is that in many of these
oppressive countries, the use of encryption products like PGP has
become, in itself, an offense.
Have you looked into developing steganographic or other concealment
tools so that such users can veil even the existence of a message?
Has NAI?
I understand that with an open, published steganographic method, any
government could still detect messages, but this would at least
massively increase their censorship workloads, forcing them to
process every image, or possibly every text message, looking for a
palimpsest. What's more, if such a method were designed to forego
the usual identification headers, so that only the enciphered message
itself was included, would you not end up with a hidden message
difficult to detect even when 'looking right at it', so to speak?
-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.8 for non-commercial use
iQA/AwUBO69zC5Tq1bXoStsJEQI6GgCgnKR4q9qo9gB8OhteLiNX+WKIYnsAn2Yw
/AlFZz2I0GqIhYkUpFk1XRx/
=fpit
-----END PGP SIGNATURE-----
First off, by way of disclaimer, I'm an IBM employee, but am posting this as an individual and am quite sure my manager neither knows nor cares about the contents of my question. :)
It's great to see that IBM is committing to an open approach, both in their specific funding of Linux development, but also in their more general push to use open, standard technologies like XML and Java, and to participate in the standards process. On the other hand, IBM holds more patents than any other business in the world, by a fair majority, and what's more, is quite proud of this standing. Now I am not at all knocking IBM's desire to produce patentable technology, and I do think it is indicative of their technological leadership that they have acquired them,
but...
I'm wondering how IBM's dedication to openness will interact with their commitment to producing patentable technology. Will IBM's contributions to open source projects include these patentable ideas, and will open source projects in which IBM participates be licensed to employ said ideas, even to freely distribute software based on them? If IBM is willing to do this, how will they ensure that their patented IP is not picked up and incorporated into competing products? If not, could you give us some insight into the decision making process as regards these patents, and why IBM's openness strategy does not extend to them?
Well, if you're at all like me, the phrase "Secure Audio Path" raised a lot more questions than it answered, so I've done a little digging around the msdn site and found some information. My apologies for the blockquote spam, but I think they explain it quite well:
In the current digital rights management model, when protected digital music is played, the encrypted content passes to the digital rights management client component. The DRM client verifies that the application and the DRM component incorporating the Windows Media(TM) Format SDK are valid. If they are valid, the DRM client decrypts the content and sends it to the application, which then sends it to the audio components. At this point, the decrypted music is available to applications and plug-ins that can intercept the music, leaving it susceptible to hacking.
...
In the Secure Audio Path model, the content is not decrypted by the application, but rather is passed in an encrypted state until it reaches system components in the computer kernel. Before decrypting and passing the content on to any other components, a DRM kernel component verifies that all remaining components in the path to the sound card are valid and authenticated.
The best information seems to be in their SDK documentation for windows media:
A quick glance at the latter's diagrams shows that, if nowhere else, they are clearly vulnerable to hardware based attack, but of course, the whole scheme, as has already been pointed out in this forum, is also vulnerable to a $15 tape recorder. :) At any rate, just some extra info for those similarly piqued.
... that securityfocus has just recently started up a new mailing list to handle the Secure Programming questions whose lack of answers leads to a lot of these problems. Of course, site admins should keep up on Bugtraq postings for whatever software they use, but it's the secprog list that is discussing the development of safe programming techniques and identification of dangerous constructs.
To get more information and potentially sign up, click here.
Re:Throw-away accounts won't save you (on Anonymity, Score: 2)
Not if one engages in the 'extra work' the poster alludes to. Consider creating a hushmail account (no IP information attached or logged) from an internet cafe, and using that to sign up for the hypothetical 'offshore account'.
Within a few months there will probably be a more direct way through HavenCo's sealand facility. You just know that within their first month of full-tilt business, someone is going to buy some rackspace and sell anonymous shell access by the barrelfull. You can bet that said privacy activist won't hand over the logs willfully, and it's hard to subpoena sealand - even if international law rejects their sovereign status, it would be a far uglier process than most anonymous flaming would justify, I'm sure.
And of course, while we're at it, the internet cafe is rather superfluous anyhow - anonymizing proxies, bless their souls, exist by the dozen now, and even more numerous are the misconfigured wingates and squid proxies of the world that leave no logs and ask no questions.
Perhaps not so much a fundraiser design - but wouldn't an instance of the Street Performer Protocol do well here? Rather than a book, or artistic fait accompli, someone like this guy can put a year of their time on the line and say "When I am paid $55k, I will deliver one year of dedicated services". Let people paypal that sum closer and closer. It's the fundraiser/telethon/charity paradigm of the 21st century!
I agree with the statement that a DNA database is a pretty spooky prospect. I think it is possible for it to be done properly, but the potential catastrophe if it is mishandled (and who here trusts government, even good, democratic, well-intentioned, non-corrupt government, to never make a mistake?) far outweighs the potential advantage of One More Way To Fingerprint.
However, I do think it's a bit optimistic to think that crypto alone holds the answer either. It's like Bruce Schneier has taken to saying more often in his new, more cynical writing: "Using crypto is like sticking a 1 foot stick into the ground and hoping the criminals trip over it" (or something along those lines). Even if we suppose that the crypto is unbreakable, and un-brute-forceable (which with Moore's law being what it is, and with advances in nanotech computing threatening to produce VERY fast stuff) - all that means is that crooks will take another route - alter the database that associates keys with identities, or keystroke log the government terminals where new key pairs and passphrases are created. I caught Schneier's fever for crypto after reading Applied Cryptography as did most people, but he's right when he says that it is no panacea.
It seems to me that Schneier's idea of semantic attacks as a new, third generation attack is a little overstated - what is a semantic attack but a natural progression out of social engineering?
I suppose the distinction, if one is to be made, is that in the past, social engineering was a means to an end - you would use your 'leet SE skillz to get a private dialup number, or access to a machine - whereas semantic attacks tend to be ends in themselves.
Nevertheless, the distinction feels somewhat contrived, and moreover, anyone who's read books like Sterling's The Hacker Crackdown (or anyone who knows their computer history, for that matter) knows that SE has been a big part of these attacks since the beginning: obtaining access to university systems, obtaining AT&T technical docs - SE is what armed people to commit the physical and syntactic attacks he mentions.
His pessimism about their severity is striking too - sure people online don't verify their sources as well as they should - but a) they've for the most part not known how, and moreover b) the media's been doing this for at least the last century without civilization grinding to a halt.
Semantic attacks against humans rely on gullibility or sometimes in the case of the internet, technical ignorance - but with digital signatures coming into fashion, it may not be long before grandma's email program tells her when a signature is invalid, and when grandma herself knows not to trust unsigned mail. And the idea of semantic attacks against computers, through feeding them bad data, is really about spamming search engines, and trying to overflow buffers, which are neither new nor noteworthy.
I know Schneier has gradually become more skeptical about the ability of people, especially online, to take care of themselves - and in many cases, he has good reason to. But having said that, I do feel that the picture he paints is a little too bleak.
This, and the related problem of hacked clients giving back hits for any search that just link back to banner sites, has been a real impediment for me in using gnutella over something more centralized like napster. The problem with anything de-centralized like this is that while you have all the benefits of abandoning centralized control, you have all the headaches of abandoning centralized control too.
The best solution I've come across (in the oh so many hours I've thought about it... :) is to implement, either at the protocol level or the client level, a moderation-style system, or actually, more appropriate still: a web-of-trust setup.
Unfortunately, the protocol as it currently stands, does not have much room for carrying this kind of information, and implementing it in any kind of non-trivial-to-circumvent way would require a fair bit of work. I mean, you can have clients digitally sign their hits, and the hits of people for whom they vouch, but ugh - think about the kind of traffic that goes across one of these clients, and the overhead that would come from signing or otherwise authenticating each one.
Maybe something more akin to the spam blacklists would be more appropriate: have a hook in the client that allows it to grab the current blacklist and filter those people out of the hits. Unfortunately, since a gnutella request doesn't pick and choose its recipients, you'd have all sorts of traffic moving around that was just being dropped by the recipient, but at least this contamination would be harder to pull off.
Any thoughts on these, or other ways to keep the S:N on something like this up? I think client-side implementation is important, since it allows the protocol to remain unscathed, and choice is of course, essential, just like browsing /. at -1. But if nothing gets implemented, we end up with a great distributed file sharing mechanism that is, much to the pleasure of Lars and his ilk, too contaminated to bother with.
Also, although I'm not aware of it happening currently, how do you think you might react to discovering that some of your various novels were being traded online?
I think the trade in novels online was just waiting for a vessel to carry it, and with palm pilots now shipping with up to 8M of ram, the opening has presented itself. Check out this site:
which for better or for worse, has all five books of the hitchhiker trilogy in iSilo (reader software for palmpilot) and ascii format. I think it would be really great if DA could stick to his "more lenient side" and not take a hard line on things like this, they really are great for reading on the subway - but at very least, the site seems topical.
J.
PS - Without meaning to flame, bitch, or otherwise irritate people, I had expected... I dunno... more, from DA. Am I the only one who felt that the only questions that got more than three words were the ones promoting the movie or his website(s)? No disrespect intended, the man has 7 times the genius in his pinky that I have along my entire left side, but...shrug... I was expecting more.
So let's say that someone intercepts a digital signature on a Non-Disclosure Agreement or somesuch and then types up an agreement saying that they've already given you $X in cash and in exchange you agree to give up your house and then tacks that intercepted sig onto the bottom.
Unless I'm reading you very wrong, it would seem that you are unclear as to how a digital signature system would work. It's not a matter of just attaching some generic signature to the bottom of a file. The signature that is attached is a result of using your private key, which is never transmitted (and hence not intercepted) to encrypt a hash of the document being signed. If you removed the signature and attached it to a different document, if you even correct a spelling error in the document, the hash of the message is thoroughly altered, and thus the signature is no longer valid, since decrypting it does not produce the correct hash. Such a signature can thus not be "cut & pasted" onto any document, each signature has to be produced by a person with the private key and the document being signed.
J.
PS - This is not to say that there aren't problems with such a proposal - the chief one, to my mind, being that everything rests in the security of the private key. But the argument you provide seems to, unless I am misreading you, be moot, since that is not how digital signatures operate.
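The hash-then-sign mechanism the reply above describes, as an added example that is not part of the original post: textbook RSA over a SHA-256 digest on a fixed toy key, run through the exact scenario in the question (a genuine NDA, the same signature pasted onto a house-transfer forgery, and the NDA with a single character changed). The key uses two Mersenne primes so the block is self-contained; that choice, the unpadded RSA, and the three documents are all assumptions of this example and not a production signature scheme.

```python
"""Added example, not from the post: hash-then-sign with textbook RSA on a
fixed toy key, showing why a signature cannot be cut from one document and
pasted onto another. Unpadded RSA on Mersenne primes is for illustration
only; real schemes use random primes and padding such as RSASSA-PSS.
"""
import hashlib

# Toy key (assumption for the example; real keys are random primes).
P = (1 << 127) - 1   # Mersenne prime M127
Q = (1 << 521) - 1   # Mersenne prime M521
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent, never transmitted


def document_hash(document: bytes) -> int:
    """SHA-256 of the document as an integer; this, not the document, is what gets signed."""
    return int.from_bytes(hashlib.sha256(document).digest(), "big")


def sign(document: bytes, d: int = D, n: int = N) -> int:
    """Signature = hash^d mod n, computable only by the holder of d."""
    return pow(document_hash(document), d, n)


def verify(document: bytes, signature: int, e: int = E, n: int = N) -> bool:
    """Recover the signed hash with the public key and compare to the document's own hash."""
    return pow(signature, e, n) == document_hash(document)


# Constructed documents for the scenario in the question.
NDA = b"Non-Disclosure Agreement: the signer will not disclose Project X."
NDA_TYPO = b"Non-Disclosure Agreement: the signer will not disclose Project Y."
FORGED = b"The signer acknowledges receipt of $X and transfers their house."


def scenario() -> dict:
    """Sign the NDA once, then test that one signature against all three documents."""
    sig = sign(NDA)
    return {
        "genuine": verify(NDA, sig),
        "pasted_onto_forgery": verify(FORGED, sig),
        "one_char_changed": verify(NDA_TYPO, sig),
    }


if __name__ == "__main__":
    for name, ok in scenario().items():
        print(f"{name}: {'valid' if ok else 'INVALID'}")
```

Only the first case verifies. The other two fail because the verifier recomputes the hash of whatever document it is handed, and the pasted signature decrypts to the hash of the NDA, not of the forgery or of the edited text. The PS's point stands in this code too: anyone holding `D` can sign anything, so key custody is the whole game.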
I've really got to say that I'm beginning to get a little bored of all the Napster press. Napster is just a silly lame-ass protocol and what it does is no different than a web hosting service. The people that should be sued are the people offering the files. Simple as that.
I totally and without reservation agree with this statement and someone with points left, please give his reply the boost it needs to be read by more people. Naming napster in these lawsuits is the worst case of shooting the messenger we've had lately. You don't charge car-makers for facilitating crime by providing get-away cars. You don't charge kitchenware manufacturers for empowering the Lorena Bobbits of the world. You don't, in general, attack someone for facilitating a crime, you attack the person who commits it.
Having said that though, I find the statement:
Well duh... the bots get around the policy the same way that the people offering copyrighted material get around it. The point is that Napster really just doesn't care.
a little incongruous. Napster doesn't care about the way its users may or may not violate copyright any more than it cares about whether they shoplifted as teenagers. Napster is a medium, and doesn't have any reason to care about the crimes that may have been committed by other people, users or not. On the other hand, Napster has every reason to get a little irked when a crime is committed against them, as does any other individual or corporation.
And on the slightly offtopic subject of perl modules, there is also, for everyone's info, a perl module to handle gnutella, which conveniently avoids all these snafus in the first place. :)
Usage policies about bots are bullshit. If a server can dictate how I retrieve and process information, then MPAA can dictate how I watch a DVD. Fuck that.
I don't think so. When Napster places limitations on their system they are saying "We pay for these servers, we pay for this bandwidth, it is our property which we allow you to use under the following conditions." By contrast, the MPAA wants to say "you paid for the dvd, it is your property, however we still wish to dictate the means by which you use it."
I agree that another organization dictating what I can do with my own property is bogus, but they are perfectly entitled to control their OWN property.
More to the point however, even if you do dislike Napster's use of it, even if you could convince me that it was a shitty thing for them to do, there it stands nonetheless, and I still don't understand how NetPD or this new software hope to dodge it.
Perhaps this was already answered in the original discussions about NetPD, but how do programs like this get around Napster's use policy which, iirc, explicitly bans bots like this, or really, bots of any kind?
Are they just counting on the term 'bot' being too vague to hold up in court? Is napster just not entitled to make this restriction on their service? I would think violating the usage policy amounts to unlawful use of computing resources. Can Napster file counter-suit? Or even just have the names thrown out in any court proceedings?
FYI, as a fellow canuck, I've done some digging and found out something crucial for would-be caffeine junkies: 7-11. Seriously, the 7-11's in this area carry more high caffeine beverages than any other store I've found. Among them:
Jolt, Jolt Cherry, Jolt Citrus XTC
Water Joe Caffeinated Bottled Water
Sobe (not so high-caffeine, but guarana goes down smooth)
and Generator (mmm...tastes like cough syrup)
Also, there's a canadian company called Northern Ice that makes caffeinated mints for canadian consumption, and 7-11's got them too. Same 15mg kick as penguins, though I prefer the penguins tin. (Northern Ice is a blue tin with a polar bear on it, fyi).
It strikes me that intel's in a dilly of a pickle if they plan to swap regular pc100 dimms for rdram. What's to stop a person from claiming (maybe even legitimately) that they needed 2G RAM on their new mobo? Go out and spend whatever it'll cost for 2G of pc100, and then let intel swap it up to rdram? You'd make a killing!
Another application would be to buy several of these, as needed. Buy a boatload of ram for one, and when they replace it with rdram, use that to feed the others.
They weren't kidding when they talked about damage into the hundreds of millions. That rambus investment is starting to look more and more painful for intel shareholders.
I imagine Unisys would justify this under something like due diligence. That, for all you can complain that they never should have received the patent in the first place, nevertheless it is their duty to enforce it, and if they didn't, they could be sued by their shareholders.
What I question is whether exercising this patent really does constitute due diligence. Especially exercising it the way they are now, asking $3,000,000 fees. Strikes me that there's more publicity advantage to being The Makers of the Graphic Format That The Whole Internet Uses, (akin to Cisco's "90% of the internet runs on the systems of one company, Cisco Systems" ads) than there is financial advantage gained by charging these fees.
Anyone else remember the rumour that when filming the original Star Wars trilogy, the producers were so scared about leaks that they changed one word in each person's script, to fingerprint it. That way if a copy leaked out, it would be easier to take the culprit out back and shoot him or her.
I always wonder if software companies try something like this, where of course, it would be much easier to accomplish. And if so, do they tell their employees, in order to dissuade them, or keep it secret, and then descend on them. Anyone got any stories of this kind of thing?
I know that MS's build distribution system must be high traffic, with thousands of developers checking out each new internal build, still they must have to log in somewhere, shouldn't be too hard to fingerprint this stuff on the fly.
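The one-word-per-copy fingerprinting described in the post above, as an added example that is not part of the original post: each recipient gets a copy where a few fixed slots carry one of two equivalent words, the choices encode the recipient's id, and a leaked copy is matched back to an id. The template, word pairs and recipient ids are constructed for this example; it is not how any studio or software company actually did it.

```python
"""Added example, not from the post: per-recipient text fingerprinting of
the kind the Star Wars story describes, plus the lookup that names the
recipient from a leaked copy. Template, word pairs and ids are constructed.
"""
from __future__ import annotations

import re

# Slots where either of two equivalent words may appear. Each slot carries
# one bit of the recipient id, so 4 slots distinguish 16 copies.
SLOTS = [("quickly", "rapidly"), ("large", "big"), ("begin", "start"), ("error", "fault")]
TEMPLATE = ("The crew will {0} deliver the {1} build, then {2} the final "
            "review so any {3} is caught before release.")


def fingerprint(recipient_id: int, template: str = TEMPLATE,
                slots: list[tuple[str, str]] = SLOTS) -> str:
    """Produce the copy for one recipient; bit i of the id picks slot i's word."""
    if not 0 <= recipient_id < (1 << len(slots)):
        raise ValueError("recipient id does not fit in the available slots")
    words = [slots[i][(recipient_id >> i) & 1] for i in range(len(slots))]
    return template.format(*words)


def identify(leaked: str, template: str = TEMPLATE,
             slots: list[tuple[str, str]] = SLOTS) -> int | None:
    """Recover the recipient id from a leaked copy, or None if it matches no issued copy.

    Builds a regex from the template with one named alternation group per
    slot, so slot order in the template does not matter (every slot must
    appear once).
    """
    pieces = re.split(r"\{(\d+)\}", template)   # literal text alternating with slot numbers
    pattern = ""
    for k, piece in enumerate(pieces):
        if k % 2 == 0:
            pattern += re.escape(piece)
        else:
            a, b = slots[int(piece)]
            pattern += "(?P<s%s>%s|%s)" % (piece, re.escape(a), re.escape(b))
    m = re.fullmatch(pattern, leaked.strip())
    if m is None:
        return None
    recipient_id = 0
    for i, pair in enumerate(slots):
        recipient_id |= pair.index(m.group("s%d" % i)) << i
    return recipient_id


if __name__ == "__main__":
    recipients = ["ann", "bob", "cy", "dee"]
    copies = {name: fingerprint(i) for i, name in enumerate(recipients)}
    leaked = copies["cy"]                      # pretend this one turned up on a newsgroup
    print("leaked copy belongs to", recipients[identify(leaked)])
```

Two limits worth knowing before leaning on this: any recipient who compares notes with another can diff the copies, find the slots and blank them (collusion-resistant fingerprinting codes address that, and are beyond this example), and a copy that is retyped or paraphrased rather than forwarded verbatim returns None here rather than a wrong name, which is the safer failure.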
:) Actually I agree wholeheartedly, in fact, I've noticed an even more irritating trend (and this is coming from someone who actually *does* moderate, and I'd like to think I do it conscientiously) which I've exploited here half-intentionally:
Any time someone bitches about how their post is going to be marked down as flamebait/troll, it (almost instantly) garners two or three additional +1's. I mean, I'm all for being counter culture, but moderators, c'mon. No we shouldn't kill stories that knock linux (for example) just on principle, but we should also not boost up crap for no reason other than to prove the poster wrong.
Moderators: My apologies, I'm not trying to start a flame war, but the fact that I get irate about this might influence my writing style. Try not to damage me too thoroughly. :)
It's charming, it really is, that whenever a story like this comes out, dozens of self-proclaimed realists will fire off these "It happens, grow up people" posts, as though they are the grizzled old men in Heinlein books and CIA Movies that have seen all the corruption of the world and absorbed it all into their overpowering intellect.
My take, and I openly acknowledge that it may be mine alone, is that looking for ethical behaviour in government is not utterly naive. Or moreover, that if it truly is, then our situation is a sad one, because I do not want to be represented by these people. Still, let's say for a moment that this corruption in government is inevitable, and that furthermore, the democratic process as it now stands has so much inertia that it will just plow on ahead, despite transgressions, I have another question:
Why do the companies accept this? Is that what American business is about? Are these companies so hopelessly unoriginal that they need to profit from the spoils of the intelligence war? A corporation is not a human being, I'm not trying to hold it to an ethical standard, I just have no respect for that kind of business. And it saddens me to see how pathetic american industry has become.
My apologies for the rant. It's cathartic for me, I guess. :)
"Just as solid state transistors transformed earlier computers from room-sized behemoths into hand-held marvels, nanotechnology could create a super-intelligent, yet microscopic, devices, according to Eric Drexler, author of "Engines of Creation," a seminal book on nanotechnology."
Is this claim valid? I'd be interested in hearing what people consider to be *the* book of nanotech. Is there an Applied Cryptography style tome, that presumes moderate intelligence, but not much actual background? Hemos, you have an opinion here? :)
And don't tell me "Diamond Age". :) I've read THAT one already. Why do you think I'm asking this question?
I work for Mozilla on Firefox and I just wanted to respond to some of the claims being made here. We've opened up the bug so that others can take a look (bug 570658), but there is not much to see, here. The bug says that:
1) if you visit a page that uses an iframe
2) and that iframe's src attribute uses a deceptive url (e.g. "http://safe.com@evil.com")
3) then we don't pop up a warning that the url is deceptive
What's odd about the bug is that there is very little value to step 2 - only someone examining the page's source would notice the iframe's src attribute, so it's not clear to me where the deception is supposed to come in. A genuinely malicious page would source their attack iframes directly, unless they thought that this deceptive url might fool our phishing/malware protection. It won't.
If someone thinks we're overlooking an attack vector here, we're really interested to hear it, but as described the attack feels pretty weak.
If you think we're missing something critical, please do comment in the bug or get in touch with our security group ( http://www.mozilla.org/security/ ).
Johnathan
I do hate to get bogged down in semantics, especially in such an off-topic thread, but I would argue that you are either being deliberately pedantic or missing the point. This is just the old denotation vs. connotation merry-go-round, but what the heck, eh? For old time's sake.
The argument states "if you make gun ownership a crime, then only criminals will have guns" and of course you are right that this is, prima facie, a logical tautology which is fine except that is not how anyone is intending the argument to be heard. Conversational implicature. The argument, if you prefer, can be stated as "if you make gun ownership illegal, then the only people who will have guns are unsavoury types who do not respect any laws, and who will now use their lack of guilt to advance their other criminal enterprises by way of their now-exclusive ability to possess firearms whereas in the past, though they might intend to use firearms in the commission of murder, robbery, or what-have-you, at least there was the notional deterrent that their (law-abiding) victims may also possess guns for purposes of defense." That is to say, people are expecting you, as a fellow human and english speaker, and as someone with a presumably compatible life experience and social context, to understand the word criminal as having significant, if not primary, meanings ASIDE from that of being someone who commits a crime.
I only mention all this because I have watched many interesting discussions become derailed by arguments like this which are not in any way relevant, but are nonetheless suggestive enough to be distracting. No personal attack is intended, of course.
Heh, I just can't get over the fact that the IDE we've been using internally for the last 6 months is getting so much play on slashdot and in the world-at-large.
One thing that's important to remember about eclipse is that it is a great deal more than your basic IDE. The pluggability really means that anything you can do in Java (or in principle, any language), you can make eclipse do. My department is focused entirely on using eclipse as an *application platform*. Think big. Yes, you can make it into a C/C++/Scheme/ML IDE, think bigger. Yes, you could definitely write a word processor plugin, and maybe plugin-ize an existing product. Think bigger. There's no reason in principle why you couldn't make a set of plugins that, for instance, made eclipse into something like zope or websphere -- your IDE could let you edit your php/jsp/perl, and then act as your development webserver too, for rapid prototyping. I dunno, I'm just pulling random things out of the air :) The point is, calling it modular might not be... emphatic enough. :)
As an IDE, it's pretty solid, I definitely encourage java developers to check it out, and as the C/C++ plugins solidify, I expect I'll move to it for my own C/C++ development too, if for no other reason than that I use it at work all the time. :) One thing that is both a blessing and a curse is that it does not (at least, our internal versions do not) come with a repository system a la Visual Age (IBM's older, less extensible Java IDE) -- instead that's up to you - we have teams using basic file system, cvs, cvs over ssh, and CMVC (a defect tracking and team file management tool that I imagine few outside IBM have ever seen. :) A curse in that out-of-the-box, you don't have team-managed repositories working like in VAJ, but a blessing in that you get to set up whatever fool system you like, maybe even keep whatever system you're already using. :)
Anyhow, just a few thoughts, the previous posts I've seen on eclipse seem to understate its extensibility. It's got the potential to be this decade's emacs - the application that is almost an operating system. :)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
You were, of course, correct 10 years ago when you guessed that PGP
would become a tool of the oppressed. But even huge, lumbering
totalitarian governments are not so slow as to miss the fact that
people are avoiding their censors. My guess is that in many of these
oppressive countries, the use of encryption products like PGP has
become, in itself, an offense.
Have you looked into developing steganographic or other concealment
tools so that such users can veil even the existence of a message?
Has NAI?
I understand that with an open, published steganographic method, any
government could still detect messages, but this would at least
massively increase their censorship workloads, forcing them to
process every image, or possibly every text message, looking for a
palimpsest. What's more, if such a method were designed to forego
the usual identification headers, so that only the enciphered message
itself was included, would you not end up with a hidden message
difficult to detect even when 'looking right at it', so to speak?
-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.8 for non-commercial use
iQA/AwUBO69zC5Tq1bXoStsJEQI6GgCgnKR4q9qo9gB8Oht
/AlFZz2I0GqIhYkUpFk1XRx/
=fpit
-----END PGP SIGNATURE-----
First off, by way of disclaimer, I'm an IBM employee, but am posting this as an individual and am quite sure my manager neither knows nor cares about the contents of my question. :)
It's great to see that IBM is committing to an open approach, both in their specific funding of Linux development, but also in their more general push to use open, standard technologies like XML and Java, and to participate in the standards process. On the other hand, IBM holds more patents than any other business in the world, by a fair majority, and what's more, are quite proud of this standing. Now I am not at all knocking IBM's desire to produce patentable technology, and I do think it is indicative of their technological leadership that they have acquired them,
but...
I'm wondering how IBM's dedication to openness will interact with their commitment to producing patentable technology. Will IBM's contributions to open source projects include these patentable ideas, and will open source projects in which IBM participates be licensed to employ said ideas, even to freely distribute software based on them? If IBM is willing to do this, how will they ensure that their patented IP is not picked up and incorporated into competing products? If not, could you give us some insight into the decision making process as regards these patents, and why IBM's openness strategy does not extend to them?
Johnath
Yeah, that site kinda blows, but you can get the information and screenshots of the company's site:
Go here.
Note, requires Shockwave. For the unshocked version,
Go here instead.
Well, if you're at all like me, the phrase "Secure Audio Path" raised a lot more questions than it answered, so I've done a little digging around the msdn site and found some information. My apologies for the blockquote spam, but I think they explain it quite well:
The best information seems to be in their SDK documentation for windows media:
A quick glance at the latter's diagrams shows that, if nowhere else, they are clearly vulnerable to hardware based attack, but of course, the whole scheme, as has already been pointed out in this forum, is also vulnerable to a $15 tape recorder. :) At any rate, just some extra info for those similarly piqued.
... that securityfocus has just recently started up a new mailing list to handle the Secure Programming questions whose lack of answers led to a lot of these problems. Of course, site admins should keep up on Bugtraq postings for whatever software they use, but it's the secprog list that is discussing the development of safe programming techniques and identification of dangerous constructs.
To get more information and potentially sign up, click here.
Not if one engages in the 'extra work' the poster alludes to. Consider creating a hushmail account (no IP information attached or logged) from an internet cafe, and using that to sign up for the hypothetical 'offshore account'.
Within a few months there will probably be a more direct way through HavenCo's sealand facility. You just know that within their first month of full-tilt business, someone is going to buy some rackspace and sell anonymous shell access by the barrelfull. You can bet that said privacy activist won't hand over the logs willfully, and it's hard to subpoena sealand - even if international law rejects their sovereign status, it would be a far uglier process than most anonymous flaming would justify, I'm sure.
And of course, while we're at it, the internet cafe is rather superfluous anyhow - anonymizing proxies, bless their souls, exist by the dozen now, and even more numerous are the misconfigured wingates and squid proxies of the world that leave no logs and ask no questions.
Regards,
Johnath
Perhaps not so much a fundraiser design - but wouldn't an instance of the Street Performer Protocol do well here? Rather than a book, or artistic fait accompli, someone like this guy can put a year of their time on the line and say "When I am paid $55k, I will deliver one year of dedicated services". Let people paypal that sum closer and closer. It's the fundraiser/telethon/charity paradigm of the 21st century!
Cheers,
Johnath
I agree with the statement that a DNA database is a pretty spooky prospect. I think it is possible for it to be done properly, but the potential catastrophe if it is mishandled (and who here trusts government, even good, democratic, well-intentioned, non-corrupt government, to never make a mistake?) far outweighs the potential advantage of One More Way To Fingerprint.
However, I do think it's a bit optimistic to think that crypto alone holds the answer either. It's like Bruce Schneier has taken to saying more often in his new, more cynical writing: "Using crypto is like sticking a 1 foot stick into the ground and hoping the criminals trip over it" (or something along those lines). Even if we suppose that the crypto is unbreakable, and un-brute-forceable (which with Moore's law being what it is, and with advances in nanotech computing threatening to produce VERY fast stuff) - all that means is that crooks will take another route - alter the database that associates keys with identities, or keystroke log the government terminals where new key pairs and passphrases are created. I caught Schneier's fever for crypto after reading Applied Cryptography as did most people, but he's right when he says that it is no panacea.
Cheers,
Johnath
It seems to me that Schneier's idea of semantic attacks as a new, third generation attack is a little overstated - what is a semantic attack but a natural progression out of social engineering?
I suppose the distinction, if one is to be made, is that in the past, social engineering was a means to an end - you would use your 'leet SE skillz to get a private dialup number, or access to a machine - whereas semantic attacks tend to be ends in themselves.
Nevertheless, the distinction feels somewhat contrived, and moreover, anyone who's read books like Sterling's The Hacker Crackdown (or anyone who knows their computer history, for that matter) knows that SE has been a big part of these attacks since the beginning: obtaining access to university systems, obtaining AT&T technical docs - SE is what armed people to commit the physical and syntactic attacks he mentions.
His pessimism about their severity is striking too - sure people online don't verify their sources as well as they should - but a) they've for the most part not known how, and moreover b) the media's been doing this for at least the last century without civilization grinding to a halt.
Semantic attacks against humans rely on gullibility or sometimes in the case of the internet, technical ignorance - but with digital signatures coming into fashion, it may not be long before grandma's email program tells her when a signature is invalid, and when grandma herself knows not to trust unsigned mail. And the idea of semantic attacks against computers, through feeding them bad data, is really about spamming search engines, and trying to overflow buffers, which are neither new nor noteworthy.
I know Schneier has gradually become more skeptical about the ability of people, especially online, to take care of themselves - and in many cases, he has good reason to. But having said that, I do feel that the picture he paints is a little too bleak.
This, and the related problem of hacked clients giving back hits for any search that just link back to banner sites, has been a real impediment for me in using gnutella over something more centralized like napster. The problem with anything de-centralized like this is that while you have all the benefits of abandoning centralized control, you have all the headaches of abandoning centralized control too.
The best solution I've come across (in the oh so many hours I've thought about it... :) is to implement, either at the protocol level or the client level, a moderation-style system, or actually, more appropriate still: a web-of-trust setup.
Unfortunately, the protocol as it currently stands, does not have much room for carrying this kind of information, and implementing it in any kind of non-trivial-to-circumvent way would require a fair bit of work. I mean, you can have clients digitally sign their hits, and the hits of people for whom they vouch, but ugh - think about the kind of traffic that goes across one of these clients, and the overhead that would come from signing or otherwise authenticating each one.
Maybe something more akin to the spam blacklists would be more appropriate: have a hook in the client that allows it to grab the current blacklist and filter those people out of the hits. Unfortunately, since a gnutella request doesn't pick and choose its recipients, you'd have all sorts of traffic moving around that was just being dropped by the recipient, but at least this contamination would be harder to pull off.
Any thoughts on these, or other ways to keep the S:N on something like this up? I think client-side implementation is important, since it allows the protocol to remain unscathed, and choice is of course, essential, just like browsing /. at -1. But if nothing gets implemented, we end up with a great distributed file sharing mechanism that is, much to the pleasure of Lars and his ilk, too contaminated to bother with.
Johnath.
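The client-side filtering the post sketches (a fetched blacklist, a web of trust, and some way of spotting clients that answer every query with the same banner link) can be combined in one hit filter. This is an added example, not code from the original comment or from any Gnutella client; the hosts, vouch lists, blacklist and search history are all constructed sample data, and the trust-decay and threshold values are assumptions chosen for illustration.

```python
"""Added example (not from the original post): a client-side filter for
Gnutella-style search hits that combines a shared blacklist, a small web of
trust, and a heuristic for hosts that answer every query with the same file.
All hosts, hits, vouch lists and the blacklist below are constructed data."""
from collections import defaultdict, deque

# Constructed blacklist, as if fetched from a shared list (assumption).
BLACKLIST = {"198.51.100.9"}

# Constructed web of trust: host -> hosts it vouches for. "me" is the local client.
VOUCHES = {
    "me": ["192.0.2.10", "192.0.2.11"],
    "192.0.2.10": ["192.0.2.20"],
    "192.0.2.11": ["203.0.113.5"],
    "192.0.2.20": ["192.0.2.30"],
}


def trust_scores(root="me", decay=0.5, max_depth=3):
    """Breadth-first walk of the vouch graph; trust halves with every hop
    away from the local client, and a host keeps its best score."""
    scores = {root: 1.0}
    queue = deque([(root, 0)])
    while queue:
        host, depth = queue.popleft()
        if depth >= max_depth:
            continue
        for nxt in VOUCHES.get(host, []):
            candidate = scores[host] * decay
            if candidate > scores.get(nxt, 0.0):
                scores[nxt] = candidate
                queue.append((nxt, depth + 1))
    return scores


def indiscriminate_hosts(history, min_queries=3):
    """Hosts that returned the same filename for >= min_queries distinct
    queries: the 'every search links back to a banner site' pattern.
    history is a list of (query, host, filename) tuples."""
    seen = defaultdict(set)
    for query, host, filename in history:
        seen[(host, filename)].add(query)
    return {host for (host, _), queries in seen.items() if len(queries) >= min_queries}


def filter_hits(hits, history, min_trust=0.25):
    """Drop blacklisted and indiscriminate hosts, then keep only hits whose
    host is close enough to us in the web of trust."""
    scores = trust_scores()
    spammers = indiscriminate_hosts(history)
    kept = []
    for hit in hits:
        host = hit["host"]
        if host in BLACKLIST or host in spammers:
            continue
        if scores.get(host, 0.0) < min_trust:
            continue
        kept.append(hit)
    return kept


def demo():
    # Constructed search history: one host answers unrelated queries
    # with the same file.
    history = [
        ("metallica", "203.0.113.5", "banner.html"),
        ("linux", "203.0.113.5", "banner.html"),
        ("beatles", "203.0.113.5", "banner.html"),
        ("linux", "192.0.2.10", "linux-iso.txt"),
    ]
    hits = [
        {"host": "192.0.2.10", "file": "linux-iso.txt"},   # directly trusted
        {"host": "192.0.2.20", "file": "linux-iso.txt"},   # vouched, 2 hops
        {"host": "192.0.2.30", "file": "linux-iso.txt"},   # 3 hops, too far
        {"host": "198.51.100.9", "file": "linux-iso.txt"}, # blacklisted
        {"host": "203.0.113.5", "file": "banner.html"},    # vouched but spammy
    ]
    return [h["host"] for h in filter_hits(hits, history)]


if __name__ == "__main__":
    print(demo())
```

Scores are computed once per search rather than per hit, and the spam heuristic is deliberately keyed on (host, filename) across distinct queries so that a host legitimately sharing one popular file under many searches is not penalised unless the queries are unrelated.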
Also, although I'm not aware of it happening currently, how do you think you might react to discovering that some of your various novels were being traded online?
I think the trade in novels online was just waiting for a vessel to carry it, and with palm pilots now shipping with up to 8M of ram, the opening has presented itself. Check out this site:
http://chroot.ath.cx/fade/projects/palm/palmtext.html
which for better or for worse, has all five books of the hitchhiker trilogy in iSilo (reader software for palmpilot) and ascii format. I think it would be really great if DA could stick to his "more lenient side" and not take a hard line on things like this, they really are great for reading on the subway - but at very least, the site seems topical.
J.
PS - Without meaning to flame, bitch, or otherwise irritate people, I had expected... I dunno... more, from DA. Am I the only one who felt that the only questions that got more than three words were the ones promoting the movie or his website(s)? No disrespect intended, the man has 7 times the genius in his pinky that I have along my entire left side, but...shrug... I was expecting more.
So let's say that someone intercepts a digital signature on a Non-Disclosure Agreement or somesuch and then types up an agreement saying that they've already given you $X in cash and in exchange you agree to give up your house and then tacks that intercepted sig onto the bottom.
Unless I'm reading you very wrong, it would seem that you are unclear as to how a digital signature system would work. It's not a matter of just attaching some generic signature to the bottom of a file. The signature that is attached is a result of using your private key, which is never transmitted (and hence not intercepted) to encrypt a hash of the document being signed. If you removed the signature and attached it to a different document, if you even correct a spelling error in the document, the hash of the message is thoroughly altered, and thus the signature is no longer valid, since decrypting it does not produce the correct hash. Such a signature can thus not be "cut & pasted" onto any document, each signature has to be produced by a person with the private key and the document being signed.
J.
PS - This is not to say that there aren't problems with such a proposal - the chief one, to my mind, being that everything rests in the security of the private key. But the argument you provide seems to, unless I am misreading you, be moot, since that is not how digital signatures operate.
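To make the reply's point concrete (the signature is the hash of the document transformed with the private key, so it cannot be moved to another document and even a one-character edit invalidates it), here is an added example that is not part of the original comment. It uses textbook RSA with a seeded, deterministic key generator and no padding; that is an assumption made purely so the example is short and reproducible, and it is not how a real signing tool should be built.

```python
"""Added example (not from the original post): a toy textbook-RSA signature
over a SHA-256 digest, showing why a signature cannot be cut and pasted onto
a different document. Key sizes are small and there is no padding; this is
for illustration only, not a production signature scheme."""
import hashlib
import random


def _is_probable_prime(n, rng, rounds=32):
    """Miller-Rabin primality test using the caller's RNG."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits, rng):
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand, rng):
            return cand


def generate_keypair(bits=512, seed=42):
    """Deterministic toy key generation (seeded RNG) so results reproduce.
    Returns (public_key, private_key) as (exponent, modulus) pairs."""
    rng = random.Random(seed)
    e = 65537
    while True:
        p = _random_prime(bits // 2, rng)
        q = _random_prime(bits // 2, rng)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:
            break
    d = pow(e, -1, phi)
    return (e, p * q), (d, p * q)


def _digest_int(document: bytes) -> int:
    # SHA-256 is 256 bits, so it always fits below the 512-bit modulus.
    return int.from_bytes(hashlib.sha256(document).digest(), "big")


def sign(private_key, document: bytes) -> int:
    """The signer transforms the hash of the document with the private key."""
    d, n = private_key
    return pow(_digest_int(document), d, n)


def verify(public_key, document: bytes, signature: int) -> bool:
    """The verifier recovers the hash with the public key and compares it
    against the hash of the document actually presented."""
    e, n = public_key
    return pow(signature, e, n) == _digest_int(document)


def demo():
    pub, priv = generate_keypair()
    nda = b"I agree to keep the contents of this NDA confidential."
    sig = sign(priv, nda)
    forged = b"In exchange for $X in cash I agree to give up my house."
    one_char_off = nda.replace(b"confidential", b"confidental")
    return {
        "original_valid": verify(pub, nda, sig),
        "pasted_onto_other_doc": verify(pub, forged, sig),
        "one_char_changed": verify(pub, one_char_off, sig),
    }


if __name__ == "__main__":
    print(demo())
```

The private exponent never leaves `sign`, and `verify` only ever sees the public pair, which is the property the reply relies on: intercepting a signature gives an attacker nothing they can reuse on a different document.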
First of all:
I've really got to say that I'm beginning to get a little bored of all the Napster press. Napster is just a silly lame-ass protocol and what it does is no different than a web hosting service. The people that should be sued are the people offering the files. Simple as that.
I totally and without reservation agree with this statement and someone with points left, please give his reply the boost it needs to be read by more people. Naming napster in these lawsuits is the worst case of shooting the messenger we've had lately. You don't charge car-makers for facilitating crime by providing get-away cars. You don't charge kitchenware manufacturers for empowering the Lorena Bobbits of the world. You don't, in general, attack someone for facilitating a crime, you attack the person who commits it.
Having said that though, I find the statement:
Well duh... the bots get around the policy the same way that the people offering copyrighted material get around it. The point is that Napster really just doesn't care.
a little incongruous. Napster doesn't care about the way its users may or may not violate copyright any more than it cares about whether they shoplifted as teenagers. Napster is a medium, and doesn't have any reason to care about the crimes that may have been committed by other people, users or not. On the other hand, Napster has every reason to get a little irked when a crime is committed against them, as does any other individual or corporation.
And on the slightly offtopic subject of perl modules, there is also, for everyone's info, a perl module to handle gnutella, which conveniently avoids all these snafus in the first place.
Johnath
Usage policies about bots are bullshit. If a server can dictate how I retrieve and process information, then MPAA can dictate how I watch a DVD. Fuck that.
I don't think so. When Napster places limitations on their system they are saying "We pay for these servers, we pay for this bandwidth, it is our property which we allow you to use under the following conditions." By contrast, the MPAA wants to say "you paid for the dvd, it is your property, however we still wish to dictate the means by which you use it."
I agree that another organization dictating what I can do with my own property is bogus, but they are perfectly entitled to control their OWN property.
More to the point however, even if you do dislike Napster's use of it, even if you could convince me that it was a shitty thing for them to do, there it stands nonetheless, and I still don't understand how NetPD or this new software hope to dodge it.
Johnath
Perhaps this was already answered in the original discussions about NetPD, but how do programs like this get around Napster's use policy which, iirc, explicitly bans bots like this, or really, bots of any kind?
Are they just counting on the term 'bot' being too vague to hold up in court? Is napster just not entitled to make this restriction on their service? I would think violating the usage policy amounts to unlawful use of computing resources. Can Napster file counter-suit? Or even just have the names thrown out in any court proceedings?
FYI, as a fellow canuck, I've done some digging and found out something crucial for would-be caffeine junkies: 7-11. Seriously, the 7-11's in this area carry more high caffeine beverages than any other store I've found. Among them:
Jolt, Jolt Cherry, Jolt Citrus
XTC
Water Joe Caffeinated Bottled Water
Sobe (not so high-caffeine, but guarana goes down smooth)
and Generator (mmm...tastes like cough syrup)
Also, there's a canadian company called Northern Ice that makes caffeinated mints for canadian consumption, and 7-11's got them too. Same 15mg kick as penguins, though I prefer the penguins tin. (Northern Ice is a blue tin with a polar bear on it, fyi).
Love 7-11, cherish 7-11.
Johnath
It strikes me that intel's in a dilly of a pickle if they plan to swap regular pc100 dimms for rdram. What's to stop a person from claiming (maybe even legitimately) that they needed 2G RAM on their new mobo? Go out and spend whatever it'll cost for 2G of pc100, and then let intel swap it up to rdram? You'd make a killing!
Another application would be to buy several of these, as needed. Buy a boatload of ram for one, and when they replace it with rdram, use that to feed the others.
They weren't kidding when they talked about damage into the hundreds of millions. That rambus investment is starting to look more and more painful for intel shareholders.
I imagine Unisys would justify this under something like due diligence. That, for all you can complain that they never should have received the patent in the first place, nevertheless it is their duty to enforce it, and if they didn't, they could be sued by their shareholders.
What I question is whether exercising this patent really does constitute due diligence. Especially exercising it the way they are now, asking $3,000,000 fees. Strikes me that there's more publicity advantage to being The Makers of the Graphic Format That The Whole Internet Uses, (akin to Cisco's "90% of the internet runs on the systems of one company, Cisco Systems" ads) than there is financial advantage gained by charging these fees.
Just my random $0.02CDN.
Johnath
Anyone else remember the rumour that when filming the original starwars trilogy, the producers were so scared about leaks that they changed one word in each person's script, to fingerprint it. That way if a copy leaked out, it would be easier to take the culprit out back and shoot him or her.
I always wonder if software companies try something like this, where of course, it would be much easier to accomplish. And if so, do they tell their employees, in order to dissuade them, or keep it secret, and then descend on them. Anyone got any stories of this kind of thing?
I know that MS's build distribution system must be high traffic, with thousands of developers checking out each new internal build, still they must have to log in somewhere, shouldn't be too hard to fingerprint this stuff on the fly.
Johnath
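The one-word-per-script trick the post describes is a fingerprinting (or canary) scheme: each recipient gets a copy that differs in a few innocuous word choices, and the pattern of choices in a leaked copy identifies the recipient. As an added example, not code from the original comment, here is the scheme carried out on a short constructed text with a codebook of synonym slots; the template, slots and recipient names are all assumptions, and the decoder tolerates a leaker who edited one of the marked words.

```python
"""Added example (not from the original post): per-recipient fingerprinting
of a text by choosing one of two synonyms at each marked slot, plus a decoder
that recovers the recipient from a leaked copy. The template, synonym slots
and recipient names are constructed sample data."""
import re

# Each slot is a (variant for bit 0, variant for bit 1) pair. The words must
# not appear elsewhere in the template or the decoder becomes ambiguous.
SLOTS = [("quickly", "rapidly"), ("large", "big"), ("error", "fault"), ("start", "begin")]
TEMPLATE = "The build will {0} land; a {1} change fixed the {2} at {3}-up."


def assign_codewords(recipients):
    """Give every recipient a unique bit pattern (one bit per slot)."""
    if len(recipients) > 2 ** len(SLOTS):
        raise ValueError("not enough slots to give every recipient a unique variant")
    return {r: [(i >> k) & 1 for k in range(len(SLOTS))] for i, r in enumerate(recipients)}


def render(bits):
    """Produce the recipient's copy from their codeword."""
    return TEMPLATE.format(*(pair[b] for pair, b in zip(SLOTS, bits)))


def decode(leaked):
    """Read the bit at each slot from a leaked copy. A slot whose words were
    edited away (or that shows both variants) decodes to None."""
    words = set(re.findall(r"[A-Za-z]+", leaked.lower()))
    bits = []
    for zero_word, one_word in SLOTS:
        if zero_word in words and one_word not in words:
            bits.append(0)
        elif one_word in words and zero_word not in words:
            bits.append(1)
        else:
            bits.append(None)
    return bits


def identify(leaked, codebook):
    """Return every recipient whose codeword is consistent with the leaked
    copy; unreadable slots widen the candidate set rather than hide it."""
    observed = decode(leaked)
    return [
        r for r, code in codebook.items()
        if all(o is None or o == c for o, c in zip(observed, code))
    ]


def demo():
    recipients = ["alice", "bob", "carol", "dave"]
    codebook = assign_codewords(recipients)
    intact_leak = render(codebook["carol"])
    # The leaker rewrote the first marked word, so that slot is unreadable.
    edited_leak = intact_leak.replace("quickly", "soon")
    return identify(intact_leak, codebook), identify(edited_leak, codebook)


if __name__ == "__main__":
    print(demo())
```

With four slots there are only sixteen distinct copies, so `assign_codewords` refuses larger recipient lists; in practice more slots (or error-correcting codewords) are needed so that a few edits still leave a single candidate.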
:) Actually I agree wholeheartedly, in fact, I've noticed an even more irritating trend (and this is coming from someone who actually *does* moderate, and I'd like to think I do it conscientiously) which I've exploited here half-intentionally:
Any time someone bitches about how their post is going to be marked down as flamebait/troll, it (almost instantly) garners two or three additional +1's. I mean, I'm all for being counter culture, but moderators, c'mon. No we shouldn't kill stories that knock linux (for example) just on principle, but we should also not boost up crap for no reason other than to prove the poster wrong.
Moderators: My apologies, I'm not trying to start a flame war, but the fact that I get irate about this might influence my writing style. Try not to damage me too thoroughly. :)
It's charming, it really is, that whenever a story like this comes out, dozens of self-proclaimed realists will fire off these "It happens, grow up people" posts, as though they are the grizzled old men in Heinlein books and CIA Movies that have seen all the corruption of the world and absorbed it all into their overpowering intellect.
My take, and I openly acknowledge that it may be mine alone, is that looking for ethical behaviour in government is not utterly naive. Or moreover, that if it truly is, then our situation is a sad one, because I do not want to be represented by these people. Still, let's say for a moment that this corruption in government is inevitable, and that furthermore, the democratic process as it now stands has so much inertia that it will just plow on ahead, despite transgressions, I have another question:
Why do the companies accept this? Is that what American business is about? Are these companies so hopelessly unoriginal that they need to profit from the spoils of the intelligence war? A corporation is not a human being, I'm not trying to hold it to an ethical standard, I just have no respect for that kind of business. And it saddens me to see how pathetic american industry has become.
My apologies for the rant. It's cathartic for me, I guess.
Johnath
From the article:
"Just as solid state transistors transformed earlier computers from room-sized behemoths into hand-held marvels, nanotechnology could create a super-intelligent, yet microscopic, devices, according to Eric Drexler, author of "Engines of Creation," a seminal book on nanotechnology."
Is this claim valid? I'd be interested in hearing what people consider to be *the* book of nanotech. Is there an Applied Cryptography style tome, that presumes moderate intelligence, but not much actual background? Hemos, you have an opinion here?
And don't tell me "Diamond Age".
:) I've read THAT one already. Why do you think I'm asking this question?
Johnathan