Slashdot Mirror


User: ka9cql

ka9cql's activity in the archive.

Stories: 0
Comments: 8

Comments · 8

  1. Hold their pr0n hostage! on Islamic Hacker Group Resumes Attacks On Banks · · Score: 1

    I know how to get the so-called "cyber jihadists" to halt their DoS attacks on U.S. banks - hold all their Internet pr0n hostage! Block all Muslim countries' access to Internet smut and pornography until those behind the DoS campaign cease their script kiddie attacks. I bet the outcry from followers of al Qaida would be so ferocious that the attacks would halt almost immediately!

  2. Re:Underhanded Way to Increase Comments in Code on Dumbing Down Programming? · · Score: 1

    A programming language that uses mostly English words and syntax is essentially an environment for self-documenting code: the holy grail of brutal managers everywhere.

    How come COBOL hasn't "saved the slaves", if an almost-English programming language/syntax is so great?

  3. Re:Alright this Internet is ruined on CCC Create a Rogue CA Certificate · · Score: 1
    Another point of this research was that no human being, just by looking at a digital certificate itself, can know whether it is a real certificate or a fake one.

    In fact, the researchers did not provide a revocation-checking URL in their original certificate-signing request. This means that most tools (including your web browser) would not have a way of checking whether their bogus certificate had been revoked by the original certificate's CA, even if they ever found out that their legit certificate had been used for other purposes (based solely upon the cert's serial number).

  4. Re:Alright this Internet is ruined on CCC Create a Rogue CA Certificate · · Score: 1

    It doesn't matter whether MD5 was used by the root certificates, or not. The issue is that the attackers injected themselves within your web browser's chain-of-trust, not that they utilized MD5 (or any other algorithm) to achieve this position. This group was able to anticipate and thereby "control" various CA-generated aspects of a digital certificate that they were eventually able to purchase. By carefully crafting a particular certificate - presumably for a domain which they have some reasonable responsibility or control - they could cause the CA to sign a new certificate with an MD5 hash that has an advantageous value. They then copied this hash value (and various other pieces of their new certificate) into a second certificate, forged to look like it's for a website that they presumably DO NOT have any responsibility or control. Because of their careful pre-planning, they were assured that the copied-over certificate's hash value would exactly match that of the certificate that they were (more or less) legitimately issued by the CA. This has the effect of fooling your browser into believing that their "bogus" certificate was, in fact, legit. The really nice twist to all this, IMHO, is that they thought to make the new certificate ANOTHER, TRUSTED, CERTIFICATE AUTHORITY!! That was pure genius! Once they did that, they could then turn right around and sign as many certificates as their hearts desired, all of which would be blindly trusted by your web browser. Nice piece of work!

  5. Re:This American Life on The Rise of the (Financial) Machines · · Score: 1

    I worked for one of the big data-analysis/data-provider companies to many of these now-going-bankrupt subprime loan providers. We were specifically tasked with writing software to "match up" automatic housing-price valuations (AVM's) with a specific "target" price that had been previously set by the loan provider. This AVM would not return a value unless it agreed with whatever input the loan company put into it initially, and would keep churning through its algorithm until "the right value" had come out of it. This so-called "shopping for an AVM" process is illegal (at least in the United States), was programmed into the firm's software, and was made available to the loan providers so that they could (essentially) write a loan for a house at whatever value they decided that it should be -- all under the guise of "that's what the AVM *said* it was worth...". When I complained to our company's internal ethics committee about the practice, I was told that "our lawyers are looking into it". I guess they liked what they saw, because nothing changed, no Official Company Policies were declared broken, and the company's legal department now was absolutely and totally aware that the practice was embedded into its products, and being provided to its user base. And, to think - many of those very same loan companies that were using the products are now going bankrupt... GEE! I wonder why???? I guess payback is a b**ch! (Except it's the American Taxpayer who's paying for it, not the scumbags who foisted this mess onto us!)

  6. Re:No! Technology has saved lives.... on Communications Infrastructure No Match for Katrina · · Score: 1
    It is true that the cell phones stop working when the power is cut to the tower, but the same is true for regular phones.

    Regular phones do not stop working when the power is cut. The telephone network has been running on 48 volts of power forever, because that is the voltage produced by 4 12-volt batteries wired in series.

    All telephone central offices (CO's) are backed up by a huge rack of 12-volt batteries, wired up in groups of four, to provide the DC voltages necessary for the telephone system to survive the loss of commercial power. Many CO's even have an 18-wheeler trailer parked on their grounds that contains one (if not two) diesel electric generators for longer term backup power. Many of these trailers are swapped out every 6 or 12 months with a newly-refurbished unit while the existing one goes off for routine maintenance.

    Those of us in the telecommunications industry (pre-deregulation) took our jobs seriously, had established disaster plans, recovery procedures, and loss-of-life prevention measures in place 24x7x365. You could count on the phone company's equipment to withstand the worst that mother nature could throw at it, (including being fully submerged in water!). Our equipment could survive almost everything short of a direct nuclear blast. Post-deregulation, it's becoming less common, but it's still the rule rather than the exception.

    Cell phones are not meant to be a prime-time communications device. They were intended to be nothing more than a convenience and a luxury. Unfortunately, risking your life on the ability of such a "convenience" to get your 911 call through is playing Russian roulette with your life.

  7. Re:Just more proof... on Opera Embedding BitTorrent Client · · Score: 1

    BT can not replace HTTP/FTP because of people's selfish nature (read: high leechers -to- servers ratio).

    I know that I will not pay 30 bucks a month (or more) to give OTHER people access to files that I don't care about, so why should I expect you to do that for me?

    People are selfish. You're not going to change them. Selfishness will rule, so browsers WITHOUT BT will rule the day. Yes, techno-geeks will appreciate the advantages, and will likely "circle the wagons" to benefit each other, but there's no way we'll BT-serve up Anna Kournikova's skimpy bikini shots for the whole world to.... (Oh, wait, yes we will!) Sorry.... never mind!

  8. Quick Way to Avoid Ads on DoubleClick Warns Against Ad-Blocking Browsers · · Score: 1

    If you don't want to buy and install software, just add the ad-producing servers to your "/etc/hosts" file with an IP address of 127.0.0.1. (On Windows this file is somewhere like c:/windows/system32/drivers/etc/hosts).

    There's nothing that the advertisers can do about your local machine resolving their ad-servers to "localhost". This works on Linux, works on Unix, and most definitely works on Windows.

    On some *nix systems you might have to change the resolve.conf setting to prefer files to DNS (and/or NIS/NIS+) but it still works great!

    I have a big list of the most offensive advertisers in my hosts file, and even wrote a small Java application to serve up "Ad Removed" messages from my local port 80. What a dream it is to surf the web again without these ads!

    Another note - turn Flash off! It's almost exclusively used for advertising, now. If there's any reason to use it (can't think of any...), you can always reenable it later!