Snyder mentioned a concept called "open-source economic development." He said the state is going to look at every region and see which area is the best at a certain practice and ask if the community is willing to share it with the rest of the state.
Applying best practices around the state is not about getting credit but rather uplifting the state for all, Snyder said.
I like what's already posted. But here's another one:
I want to pick the lock on your car. It's one of those fancy code entry locks and I only have to press 3 buttons, but that's not really important.
Everyone has been saying that it's very, very hard (NP) to crack the code by trying combinations. Now there's a guy saying it's not quite as hard (P) and he wants everyone on the internet to check his work.
Yes, everyone knows the military use encrypted GPS. The techniques they use will not be helpful in this situation for proximity detection of a key to a car.
You need to back that up with either sources or something equivalent, since it is the central thesis of my statement and the core of a secure triangulation system.
I've said it multiple times: GPS techniques, especially triangulation, and encrypted phase modulation, are what I'm proposing. If you have a better proposal, by all means, state it. You obviously don't understand GPS.
The original blog has details on the mitigations in such an attack. They don't discuss the military applications of GPS. When the DoD deployed GPS, they designed it to be secure enough that the military receivers are not susceptible to either (1) relay attacks or (2) spoofing attacks.
It is those military techniques that you must use to correctly implement what I'm suggesting in the first place.
Most makes are designed to gradually upsell you. So they degrade their lowest-end cars, which makes them more "affordable" but eats the quality out of them, over a period of about 10 years. They trade customer loyalty & brand recognition for margin:
Toyota -> Lexus
Ford upsells you to their larger vehicles
VW -> any of the German makes (Audi if they can hook you)
But Honda? I really don't know what they're trying to do. Their Acura line seems to be all of its luxury as they refocus downward. What that means for their Accord / Civic / Odyssey / CR-V, can't be good. Maybe they're gradually becoming the new Toyota? (Now that Toyota is becoming so focused on Electrics.) I feel like they lost their way when they let VW take a big chunk out of their marketshare.
Your argument is invalid. All you will be doing by relaying is throwing the phase off. The speed of light dictates that the triangulation will be accurate; further, if your relay doesn't impedance-match air, the encoding of the phase using the private key will be changed and the car will detect the attack.
Timing under 50 ns is easy using this approach; GPS receivers do it this way.
Sorry, increment1, in your rush to hit submit you've completely missed the boat. Here, I'll for you what I already said: But I don't think that's the best idea for this use case.
OK? PKI = bad when the attacker is performing MITM to relay the signal.
If you really wanted a system for auto-unlock & auto-start using the fact that the user is holding the key (a.k.a. proximity), do it this way:
Signal triangulation with encrypted modulation: the signal is triangulated by measuring phase differences modulated by the private key of the key fob. See GPS for an example of phase modulation. Basically the car is a GPS receiver for the key's broadcast and can pinpoint the key's location.
If you have the wrong type of keyless entry, you can't disable it.
Example: several brands of cars made in Germany. It's a good design. The dash wirelessly authenticates the key, in addition to the physical ignition lock.
You can't disable it (very easily). It's designed to be tamper-resistant, from the factory.
Kind of like the "security bypass" - it talks about a completely unrelated hack on the TPMS... unless it disappeared before I read it. (I'm talking about the "companion article").
Why didn't they just use a standard passive RFID setup? They're not making money selling batteries to customers... I'm confused.
If on the other hand the key has enough power to transmit its signal 100 meters (passive RFID can't do that) then it has enough power to have a real PKI. But I don't think that's the best idea for this use case.
I'm a little uncertain what you're asking at the end of your comment, but the key they obtained was the Isolation-mode SPU AES key.
They say at the end of their talk they do not have the LV1 OS keys, and they aren't going to work on them -- those are used to sign & verify games.
The Isolation-mode SPU AES key is used to verify loaders, and it was broken because the encrypted block is stored at a lower address than the decryption code -- and the size parameter is not verified. So the encrypted block can be overflowed to overwrite the current instruction and then the isolated SPU is under user control.
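An added example (not from the original comment and not PS3 code) of the bug class described above: a block stored at a lower address than the code that handles it, copied with an unverified size. The memory layout, sizes and function names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical layout, not the real SPU local store map: the incoming
   block sits below the code that processes it, in one flat memory. */
#define LS_SIZE   128u
#define BLOCK_OFF 0u
#define BLOCK_MAX 64u
#define CODE_OFF  (BLOCK_OFF + BLOCK_MAX)
#define CODE_BYTE 0xC0u  /* marker standing in for loader code */

static uint8_t local_store[LS_SIZE];

void ls_reset(void) {
    memset(local_store, 0, LS_SIZE);
    memset(local_store + CODE_OFF, CODE_BYTE, LS_SIZE - CODE_OFF);
}

/* Returns 1 if every byte of the code region still holds the marker. */
int code_intact(void) {
    for (uint32_t i = CODE_OFF; i < LS_SIZE; i++)
        if (local_store[i] != CODE_BYTE) return 0;
    return 1;
}

/* As in the comment: the size field supplied with the block is trusted. */
int load_block_unchecked(const uint8_t *src, uint32_t size) {
    if (size > LS_SIZE - BLOCK_OFF) return -1;  /* keeps the demo inside the array */
    memcpy(local_store + BLOCK_OFF, src, size);
    return 0;
}

/* Hardened: reject any size that would reach past the block region. */
int load_block_checked(const uint8_t *src, uint32_t size) {
    if (src == NULL || size == 0 || size > BLOCK_MAX) return -1;
    memcpy(local_store + BLOCK_OFF, src, size);
    return 0;
}

int main(void) {
    uint8_t input[96];  /* constructed input, 32 bytes over BLOCK_MAX */
    memset(input, 0x41, sizeof input);
    ls_reset();
    load_block_unchecked(input, sizeof input);
    printf("unchecked: code intact = %d\n", code_intact());
    ls_reset();
    printf("checked: rc = %d\n", load_block_checked(input, sizeof input));
    printf("checked: code intact = %d\n", code_intact());
    return 0;
}
```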
Good highways were recognized as a good idea long, long before the internal combustion engine changed things.
Personally I think the US highway system (state highways and interstates) is a clear example of a natural monopoly, which implies some sort of government involvement. I like it that most highways are managed by each state.
Two other posts above asked the same question. I'm typing the answer from memory so you should find the one above and double-check me:
http://slashdot.org/index2.pl?startdate=YYYYMMDD
I've posted below - there are several greasemonkey scripts there. Can you post yours?
Ok, I've been hacking on it for a while now. This is much, much better: http://pastie.org/1500543
Let me know if you try it. I think I'll have more cleanups to add once I've had a few days to "feel" around the new design.
That's a great start. This is what I came up with: http://pastie.org/1500543.
Much larger, but does a little more.
Maybe that works for you, but for the rest of us it doesn't do anything.
I just installed Stylish.
I know editors don't actually Read the Fine Article, but this one is about Kalamazoo. Only later does he mention "Open Source".
I should add: mathematicians have been saying that NP is much, much harder than P, and it has always seemed logical to say that.
But if this guy can "crack the code" (that is, solve the 3-SAT problem), he has proven that NP is not harder than P.
The debate about whether NP is harder than P has been going for a long time.
You can report it too, the location is the same as for his other albums.
Car analogy:
Mr. Hotz manages to open his welded-shut hood using the secret knock he heard about from fail0verflow.
Inside he finds detailed instructions for starting the car printed on an instruction sheet. Like all good instruction sheets, it has an ISBN.
Mr. Hotz writes the ISBN on a poster and puts it up in his yard. Other people start ordering copies using the ISBN.
Sony drives by, screeches to a halt, and fires a cruise missile from their car (full of lawyers) at Mr. Hotz's front door.
The judge in a far-away place called "Northern District" asks them if they were authorized to fire cruise missiles in the name of the Northern District.
Sony hems and haws.
Ok you make some good points.
I still think a software solution is possible, but it would have to be done in the browser.
If a DNS server is so broken that the presence of an IPv6 in the cache prevents it from looking up an IPv4 address, then the web site will be inaccessible -- if they don't care to fix it, they'll simply lose viewers.
How about a software solution instead of a hardware solution?
Why doesn't glibc patch their DNS resolver to cache the "working/not working" state of IPv6? Or even better, run the IPv6 and IPv4 DNS queries in parallel and use whichever answer is returned first -- not to discard the slower of the two but to wait for it to succeed and cache the state ("working/not working").
If you would disprove what I am saying, you'll need to cite sources.
Since I am only referring to an example, you'll need to either disprove the example or engage in a technical discussion of what I am proposing. Otherwise, your ignorance of the principles of RF design is boring me.
Show me how you plan on spoofing (not jamming) GPS.
GPS relies on precise timing, around 1-2 ns accuracy for a good fix. GPS has everything to do with triangulation.
What plurgid said.
And maybe, just maybe, Clinton was a good statesman, so his international relations went well?
Clinton had good economic times? He served from 1993-2001. Yeah, that 2001. He did pretty well, even in the hard times.
This.