Refusing to accept mail that is not encrypted with your personal public key is a very effective anti-spam mechanism. It works out much like the various 'micropayment' systems touted recently, where you cause the sender to do a non-trivial calculation before they can send you mail.
The drawback is that requiring encrypted email also blocks all mailing lists, and your clueless aunt in Nebraska who only uses AOL.
Value of 'Privacy' or value of 'Secrecy'? (on Carnivore Update)
There's a difference between 'privacy' and 'secrecy'. In a corporate environment, the corporate entity doesn't have much concern for privacy (beyond what the laws require), but often has a very strong need for 'secrecy'.
A corporate executive's credit card info: $50
Complete docs on the same C-level executive, including SSN and enough other data to commit identity theft: $500
Access to CEO's e-mail box, containing detailed information at the earliest stages of a planned merger between two Fortune 500 companies: Priceless.
I have very few Unix systems with an uptime approaching 650 days. Perhaps 5% of the total systems under my control routinely run for as long as two years. Usually an OpenBSD system, not having any critical kernel security patches required in that period:-)
Short uptimes in my environment are more related to the poor quality (unreliable, frequent brownouts) of the electric power supplied to some of the towns in which my systems are located than anything inherent in one OS or another.
I consider myself lucky when I can count the uptime of a MS-Windows machine in weeks, where uptime of Solaris (in the same power-and-environment controlled datacenter) is calculated in months, and usually only that short due to the occasional security patches that require a reboot to complete.
No, one-time pad is mathematically proven as unbreakable. It's the _ONLY_ proven unbreakable encryption method.
A one-time pad is only 'unbreakable' with the assumptions that your source of random data is truly random, and that the mechanism used to distribute the one-time pad to the parties is not compromised. The Prescient system may be flawed due to the latter: "This number is exchanged with the server through a secure process known only to Prescient...". Without a secure mechanism to distribute the pad, one-time pad crypto cannot be considered secure.
Things ARE random. The noise made by compressed gas escaping from its container is an example. So is stellar background radiation.
This is generally true. You can determine the 'random' output of any process by knowing the algorithm and all of the seed values. In the case of stellar background radiation, the initial values are assumed to be incalculable.
One must assume that 'God' (commonly defined as an all-knowing being) is capable of breaking one-time pad encryption systems.
I am not aware of any research into the creation of cryptosystems designed to resist compromise by supernatural forces, much less any system that can resist an attack by an omniscient, omnipresent, omnipowerful opponent.
"Mary, Alice and Bob wish to conceal their communications from Yahweh..."
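As an added illustration of the two caveats raised above (example code written for this page, not anything from the posts or from Prescient), the block below XORs a message with a pad drawn from the OS random source, shows that a ciphertext is consistent with every plaintext of the same length, and then shows what "knowing the algorithm and all of the seed values" means in practice: a pad produced by a seeded generator such as Python's `random.Random` is reproduced exactly by anyone who knows the seed, so it is not a one-time pad at all. The message text and the seed are constructed values.

```python
import os
import random


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("inputs must be the same length")
    return bytes(x ^ y for x, y in zip(a, b))


def otp_encrypt(plaintext: bytes, pad: bytes) -> bytes:
    """One-time pad: ciphertext = plaintext XOR pad. The pad must be at least as
    long as the message, truly random, secret, and never used twice."""
    if len(pad) < len(plaintext):
        raise ValueError("pad must be at least as long as the message")
    return xor_bytes(plaintext, pad[: len(plaintext)])


# XOR is its own inverse, so decryption is the same operation.
otp_decrypt = otp_encrypt


def true_random_pad(n: int) -> bytes:
    """Pad from the OS entropy source; stands in for a hardware noise source."""
    return os.urandom(n)


def seeded_pad(n: int, seed: int) -> bytes:
    """Pad from a deterministic PRNG (Mersenne Twister). The same algorithm with
    the same seed always yields the same bytes, so this is NOT a one-time pad."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(n))


def recover_with_known_seed(ciphertext: bytes, seed: int) -> bytes:
    """What an opponent who knows the algorithm and the seed can do: regenerate
    the 'pad' and strip it off. No key material is needed."""
    return xor_bytes(ciphertext, seeded_pad(len(ciphertext), seed))


def pad_consistent_with(ciphertext: bytes, candidate_plaintext: bytes) -> bytes:
    """Perfect secrecy in one line: for ANY candidate plaintext of the right
    length there is a pad that maps it to this ciphertext, so the ciphertext
    alone says nothing about which plaintext was actually sent."""
    return xor_bytes(ciphertext, candidate_plaintext)


if __name__ == "__main__":
    msg = b"merger terms in attached memo"      # constructed sample message
    pad = true_random_pad(len(msg))
    ct = otp_encrypt(msg, pad)
    assert otp_decrypt(ct, pad) == msg

    other = b"lunch order: two large pizzas"    # same length, equally plausible
    assert otp_encrypt(other, pad_consistent_with(ct, other)) == ct

    weak_ct = otp_encrypt(msg, seeded_pad(len(msg), seed=20020101))
    print(recover_with_known_seed(weak_ct, 20020101))  # the message, recovered from the seed alone
```

The `pad_consistent_with` function is the whole proof of unbreakability in miniature: the ciphertext constrains the plaintext only through the pad, and every pad is equally likely when the pad is truly random. The `seeded_pad` path is where real systems fail: once the pad comes from an algorithm, the "key" is really the seed plus the algorithm, and the scheme is only as strong as the secrecy of those, which is exactly the distribution problem the post raises.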
I am very tempted to configure my primary address to refuse any message that is not:
GPG/PGP signed.
Signer's public key is in a trusted keyserver (MIT, etc)
The key listed on the server has been signed.
The person who signed the key is somebody I know/trust.
This is a drastic solution, but is slightly more scalable than a 'white list'. The first two rules alone should eliminate spam, the 'trust relationship' eliminates the remaining 'noise'.
The big advantage is that it allows me to receive email not only from my friends, but also from friends-of-friends. If I expand the 'meta-trust' relationship further (friends of friends of friends, etc) then the pool eventually includes everybody, assuming you believe the 'six degrees of separation' theory:-)
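The four rules as a decision procedure, written as an added example for this page (not the poster's actual mail setup, and not a real GnuPG or keyserver interface): the keyserver is modelled as a dictionary from key id to the ids of the keys that have signed it, the key ids are made-up placeholders, and "friends of friends" is a breadth-first walk along those signature edges back to my own key, with the depth limit doing the 'meta-trust' expansion the post describes. Self-signatures are left out of the constructed data, since every key carries one and it says nothing about trust.

```python
from collections import deque

# Constructed keyserver snapshot: key id -> ids of the keys that have signed it.
# All ids are made-up placeholders, not real key ids or fingerprints.
MY_KEY = "ME000001"
KEYSERVER = {
    "A1B2C3D4": ["ME000001"],   # alice: I signed her key directly (1 hop)
    "B2C3D4E5": ["A1B2C3D4"],   # bob: signed by alice, a friend of a friend (2 hops)
    "C3D4E5F6": ["B2C3D4E5"],   # carol: signed by bob (3 hops)
    "D4E5F6A7": [],             # dave: on the server, but nobody has signed his key
    "E5F6A7B8": ["FFFFFFFF"],   # eve: signed only by a key that nobody I trust vouches for
}


def trust_distance(key_id, keyserver, my_key, max_depth):
    """Breadth-first walk from the signing key along 'was signed by' edges.
    Returns the number of hops to my_key, or None if no path exists within max_depth."""
    seen = {key_id}
    frontier = deque([(key_id, 0)])
    while frontier:
        current, hops = frontier.popleft()
        if hops >= max_depth:
            continue
        for signer in keyserver.get(current, []):
            if signer == my_key:
                return hops + 1
            if signer not in seen:
                seen.add(signer)
                frontier.append((signer, hops + 1))
    return None


def accept_message(message, keyserver=KEYSERVER, my_key=MY_KEY, max_depth=1):
    """Apply the four rules in order; returns (accepted, reason).
    message is a dict whose optional 'signed_by' entry is the signing key id
    (None or absent means the message carried no signature).
    max_depth=1 is 'signed by someone I know'; 2 adds friends of friends, and so on."""
    signer = message.get("signed_by")
    if signer is None:
        return False, "rule 1: not signed"
    if signer not in keyserver:
        return False, "rule 2: signing key not on the keyserver"
    if not keyserver[signer]:
        return False, "rule 3: key has no signatures"
    hops = trust_distance(signer, keyserver, my_key, max_depth)
    if hops is None:
        return False, f"rule 4: no trust path within {max_depth} hop(s)"
    return True, f"accepted: trusted at {hops} hop(s)"


if __name__ == "__main__":
    for who, key in [("alice", "A1B2C3D4"), ("bob", "B2C3D4E5"),
                     ("carol", "C3D4E5F6"), ("dave", "D4E5F6A7"), ("eve", "E5F6A7B8")]:
        for depth in (1, 2, 3):
            print(who, depth, accept_message({"signed_by": key}, max_depth=depth))
```

Raising `max_depth` is exactly the scalability trade the post describes: at 1 hop only people whose keys I have signed get through, at 2 hops their signers' friends do as well, and dave and eve still fail no matter how far it is widened, because an unsigned key or a key signed only by strangers never connects back to mine.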
Has anybody experience with any PCMCIA testing hardware, devices that provide a card extender with voltage test points, and perhaps a fuse or breaker to avoid damage to the card/laptop when testing a defective card?
The only thing I can think of was that there were railroad tracks running behind the place. It's possible that the railroad was sending radio communications and interfering that way.
A friend of mine has the same problem, and he also has 'light rail' (Metra tracks) about fifty feet away.
The 'screen shake' is a constant problem, there is also wide-spectrum 2.4 GHz interference at regular intervals, coincident with the passing of passenger trains.
sane person would point out that the bouncer "could" record the information by photocopying, yes, but he couldn't do so without being detected.
Some of the clubs I go to, the bouncer will put your ID on a shelf under a little halogen lamp so he can read the front... at least one place, I noticed that just to one side of the lamp was a little CCD camera focused on the shelf.
This only reads the front, but rigging a similar shelf arrangement to scan the backside would not be difficult.
By law, you have the right to not put your Social Security Number on your driver's license.
I wonder if the SSN gets encoded on the magnetic stripe if you request it not be on the face of the license?
I checked out the 2-D barcode on the back of the Illinois license, and on mine, which does not have the SSN on the front, there is no SSN in the barcode.
There does not appear to be any magstripe on the new Illinois licenses.
They can find your ISP if they discover the IP address and time that the offending information was sent from. If you're the only user of your ISP, then finding the ISP means finding you. You have to say that your ISP has a bunch of users and it deletes enough log information to make it impossible to figure out who did what after the fact.
We are BOFH. We have taken all of these issues into account. It also helps that two of the six original founding members were lawyers :-)
We do not quite have a /19 allocation yet, but we are getting there.
When I first got my new Illinois driver's license with the 2-D barcode, I scanned in the image and dug out some free software to extract the barcoded data.
I didn't see anything obvious in the barcode that did not already appear on the front. I asked that my SSN not appear on the front, and I also did not see it in the barcoded data.
There were around 20 bytes of extra binary data which I didn't put much effort into further decoding. I compared the data on my license with the data from the license of friends and family, some bytes matched, some did not.
No special equipment is needed, any good scanner will work, you do need to make sure that the ID card is aligned at right angles to the scanner, and turn off any anti-speckle features in your software.
Most of the barcode data extraction software for Windows will accept a TIFF file, I haven't found any good free software that directly supports a TWAIN or other scanner plug-in.
The free demo software I found will also generate 2-D barcodes as TIFF files...
It has been my experience that most companies steal; it is very difficult for a company to make money ethically, and very few even try. While they may talk a good ethical game you will discover that the employment contract puts lots of constraints on you, and almost none on them.
I agree to an extent...
The sole purpose of any corporation, unless explicitly stated otherwise in the charter, is to maximize shareholder value.
The corporate officers are to always use this to decide any act, ethical or otherwise (and in some cases, legal or otherwise), as their prime consideration.
For example, just about every big corporation I have dealt with has an unwritten policy to delay paying off on invoices until the last possible moment before interest charges accrue, to maximize the 'float'.
A 'good' (ethical) company will use this policy with care, and actually pay off invoices from small suppliers and individual contractors on a timely basis. Anywhere they can get away with 'slow pay' without actually having contractors stop work or suppliers hold shipments, a company will -- and under the tenet of 'maximize shareholder value', ethical or unethical, right or wrong, this 'slow pay' is the correct course of action.
OT: This is where the executives of Enron screwed up -- they put their own personal profits before the shareholder.
Umm they can subpoena the IP logs from Slashdot and your ISP and get you that way.
I own my ISP.
The real issue is, if your employer suspects that you are posting from home to Slashdot (say, you leaked business secrets) you are already screwed.
The point of using an alias for your Slashdot behavior is that when your company goes on a fishing expedition (google'ing your real name), they will not turn up your slashdot posts immediately.
If they already have some reason to target you by going after your ISP and slashdot for your connection records, the game is mostly over.
_I_ own my ISP.
I _own_ my ISP.
I own _my_ ISP. ...
There are 16 valid touch tones, not 12. You just never get to see the rest of the system.
Yes, there is one additional column of buttons on a military phone, commonly labeled A-D.
I am curious how they maintained this after the AT&T breakup, but I imagine that law that prevents majority foreign ownership of a US LEC has something to do with it.
The extra four buttons have no effect on PSTN, they are only effective on the DoD non-secure switched network.
This is not some ultra-secret network, it is a set of features that is only implemented on military phone switches. It's not widely known, but the frequencies are published, and you can buy surplus phones with the extra keys for cheap:
The 1963 Autovon system uses the four extra keys for priority, as follows (Autovon legends):
FO = Flash Override
F = Flash
I = Immediate
P = Priority
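For concreteness, an added example that is not from the post: the full 4x4 DTMF keypad, including the fourth high-group frequency at 1633 Hz that carries the A-D keys, synthesized and then decoded with a Goertzel filter. The row and column frequencies are the standard DTMF assignments; the sample rate and tone length are constructed choices. It shows that the sixteenth-key column is just one more high-group tone, so a receiver that does not decode the 1633 Hz column simply never registers those keys.

```python
import math

# Standard DTMF frequency grid. Rows are the low group, columns the high group;
# the 1633 Hz column is the one ordinary 12-key phones leave out.
ROW_FREQS = (697, 770, 852, 941)
COL_FREQS = (1209, 1336, 1477, 1633)
KEYS = ("123A", "456B", "789C", "*0#D")

SAMPLE_RATE = 8000      # constructed: telephone-grade sampling rate
TONE_SECONDS = 0.05     # constructed: 50 ms burst, 400 samples


def key_to_freqs(key: str):
    """Return the (low, high) frequency pair for one of the 16 keys."""
    for r, row in enumerate(KEYS):
        c = row.find(key)
        if c >= 0:
            return ROW_FREQS[r], COL_FREQS[c]
    raise ValueError(f"not a DTMF key: {key!r}")


def synthesize(key: str, seconds: float = TONE_SECONDS, rate: int = SAMPLE_RATE):
    """Sum of the two sinusoids for a key, as a list of float samples."""
    lo, hi = key_to_freqs(key)
    n = int(rate * seconds)
    return [0.5 * math.sin(2 * math.pi * lo * i / rate)
            + 0.5 * math.sin(2 * math.pi * hi * i / rate) for i in range(n)]


def goertzel_power(samples, freq: float, rate: int = SAMPLE_RATE) -> float:
    """Goertzel algorithm: energy of the signal at a single target frequency,
    computed with one second-order recurrence instead of a full FFT."""
    coeff = 2.0 * math.cos(2.0 * math.pi * freq / rate)
    s_prev = s_prev2 = 0.0
    for x in samples:
        s = x + coeff * s_prev - s_prev2
        s_prev2, s_prev = s_prev, s
    return s_prev ** 2 + s_prev2 ** 2 - coeff * s_prev * s_prev2


def detect(samples, rate: int = SAMPLE_RATE) -> str:
    """Pick the strongest low-group and high-group frequency and map to a key."""
    row = max(range(4), key=lambda i: goertzel_power(samples, ROW_FREQS[i], rate))
    col = max(range(4), key=lambda i: goertzel_power(samples, COL_FREQS[i], rate))
    return KEYS[row][col]


if __name__ == "__main__":
    for key in "123A456B789C*0#D":
        print(key, key_to_freqs(key), "->", detect(synthesize(key)))
```

A decoder built for 12 keys evaluates only the first three column frequencies, so the four extra keys produce a valid low-group tone with no recognized high-group partner and are dropped; adding 1633 Hz to the column list is the entire difference between the two keypads.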
Have a standard color for patch cables (I prefer blue) and make sure that your crossover cables are a different color (I prefer yellow).
It's a tough call whether to pick one standard color for patch cables, to try to color-code cables by some scheme (black for power, red for serial, etc), or just try to use lots of different colors so you can more easily decide which cable in the giant jumble is the one you need to replace!
I do agree that one hard-and-fast rule is that crossover cables should be a unique color, not used for any other cable -- I also prefer yellow, but at a previous job the color was pink (because that was one of the few colors the colorblind CIO could differentiate).
One advantage to the 'yellow is crossover' rule is that IT employees get a legal, free supply of brand new cables, as you have to dispose of all of the brand new non-crossover yellow-jacketed cables vendors tend to include with new hardware.
I'm working in a job I like (computer programmer), and it's something that I will even do at home after hours on a different level (I write commercial apps at work, and I fiddle with games/graphics programming at home).
You need to be careful when your 'work' and your 'hobby' and your 'recreation' all tend to have a lot of overlap. There are some nasty pitfalls ahead.
... and on the flipside, if I think of something outside of work - when I'm not *GASP* actually getting paid for it - that is useful or may relate to my work, I may still actually spend a bit or a lot of time (whatever may be required) working it over or writing it down or something.
Yes, everything might be rosy now, you are on good terms with your boss and upper management, but just wait until your hobby project shows some commercial promise, you upset somebody higher up the food chain, or any other event or change upsets the delicate balance...
A lot of very bright people have been caught in this trap, the most common outcome is that your 'personal, hobby project' becomes the intellectual property of your employer.
When I applied at Motorola, part of the application asked that you detail every potentially valuable idea you had ever had on your personal time, with the understanding that any other idea you came up with from that point on would be the property of Motorola.
(No, I didn't accept the job.)
People need to grow up. When you are at work, you should work. If your company is NICE enough to let you use resources for personal use then fine but you do NOT have a right to do anything with something that isn't yours.
I agree. My employer has the right to forbid me to web browse at the office, and I have the right to quit and find a job at a less draconian company.
As it happens, the company I work for takes a rather extreme stance in favor of the first amendment, such that an enterprise-wide web filter cannot happen. (Yes, we are hiring)
The other side of the coin is 'Quality of life' issues. As your employer expects you to spend more and more of your day in the office or carrying an electronic leash making you available to support work problems when you are at home, a reasonable company will realize that as 'work issues' bleed into your personal life, 'home issues' are going to bleed into work hours.
I am required to be at the office during the same hours that most other businesses, schools, etc are open. That makes it unavoidable that I will have to take care of some personal business during work hours. A good employer realizes this, and tolerates a certain level of non-business use of the Internet and telephone.
Yes, your employer has the right to forbid this, just as your employer has the right to require that you wear a suit and tie every day. And I consider both to be unreasonable limitations.
OTOH, my employer requires 'business casual' attire, and bars accessing porn from the office Internet connection. I have no problem with abiding by those policies, and have no sympathy for anybody who is fired for violation.
This article alone is a pretty good justification for blocking Yahoo! at work... if only to keep the executives from getting any funny ideas about new filtering policies!
Hypponen added some Fortune 100 companies are looking to step up security measures beyond firewalls, which bar access to sites with racy or inflammatory content. They are looking to ban Internet usage for all but select, authorized personnel.
Firewalls do not inherently bar access to objectionable sites. My firewalls permit access to 'racy or inflammatory content', they just log who did what, when. Only 'Filters' bar access -- some firewalls may include filters.
Most of the article deals with filtering attachments in email:
Among the nearly 100 email attachments outlawed by the company are: screen savers, digital greeting cards, and the ubiquitous ".exe," or executable file, a standard format needed to run most computer applications and a common target for virus authors.
I cannot think of any legitimate reason to email somebody a screen saver at work, but unfortunately there are a lot of legitimate exe files being sent as attachments, and a lot of viruses and worms that propagate via formats other than those listed above...
At every place I have worked, I have been one of the guys in charge of the technical implementation of what is blocked and how. I've always been able to successfully lobby for Slashdot and my other top sites to be included on the short list of 'good' sites, so I don't have to feel guilty about violating my own policies :-)
And every good BOFH knows how to whip up a quick SSL/proxy/tunnel hosted off some cheap broadband service, if only to have a way to check out those URLs in the bofh.l-w post that just can't wait until you get home...
We have heavy-duty antivirus checking on incoming email, but the extra latency involved is unacceptable for web access, so we have been unable to implement the same for web access.
Employee access to external POP3 services is prohibited, both by policy and firewall rules.
Where viruses and worms (Nimda, Code Red, etc) have made it into the company, we've almost universally tracked the vector down to a 'Free Email' service, primarily Hotmail and Yahoo! mail.
We are considering blocking all such services, or at least forcing all traffic to and from these services through the antivirus system, and suffer the latency and associated user complaints.
Again, we cannot force all web traffic through a scanner, as there is strong opposition from various divisions to any change that would slow down web access.
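As an added example for this page (not the poster's filter or any product's), the block below applies an extension blocklist of the kind the article describes to a constructed MIME message, and also checks the decoded bytes of each attachment for the "MZ" signature that every Windows executable starts with. The blocklist entries and the sample message are constructed. The point is the third attachment: an executable renamed to `.txt` passes the extension rule and is caught only by the content check, which is the gap the paragraph above is pointing at.

```python
import email
import os
from email.message import EmailMessage
from email.policy import default

# Constructed blocklist in the spirit of the article: executables and screen savers.
BLOCKED_EXTENSIONS = {".exe", ".scr", ".pif", ".com"}

# Every Windows PE executable starts with the DOS header magic "MZ".
PE_MAGIC = b"MZ"


def attachment_verdicts(raw_message: bytes):
    """Return [(filename, verdict, reasons)] for each attachment of a raw RFC 822 message.
    An attachment is blocked on its extension OR on executable content, so a renamed
    executable does not slip past the extension rule."""
    msg = email.message_from_bytes(raw_message, policy=default)
    verdicts = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        ext = os.path.splitext(name)[1].lower()
        payload = part.get_payload(decode=True) or b""
        reasons = []
        if ext in BLOCKED_EXTENSIONS:
            reasons.append(f"blocked extension {ext}")
        if payload.startswith(PE_MAGIC):
            reasons.append("content has PE executable header")
        verdicts.append((name, "block" if reasons else "allow", reasons))
    return verdicts


def build_sample_message() -> bytes:
    """Constructed test message with three attachments: a plain .exe, a real text
    file, and the same executable bytes renamed to .txt."""
    fake_pe = PE_MAGIC + b"\x90\x00\x03\x00" + b"\x00" * 28   # constructed stub, not a real binary
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "recipient@example.com"
    msg["Subject"] = "files for review"
    msg.set_content("see attached")
    msg.add_attachment(fake_pe, maintype="application", subtype="octet-stream",
                       filename="setup.exe")
    msg.add_attachment("quarterly notes, plain text", subtype="plain",
                       filename="notes.txt")
    msg.add_attachment(fake_pe, maintype="application", subtype="octet-stream",
                       filename="report.txt")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, verdict, reasons in attachment_verdicts(build_sample_message()):
        print(f"{name:12s} {verdict:6s} {'; '.join(reasons)}")
```

The content check is deliberately narrow (one magic number) to keep the example honest: it catches a renamed PE file, nothing more, and the post's remark that worms travel in formats outside the list still stands for archives, scripts and document macros, which this check does not look inside.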
Trust me, in the situation, the police did turn up quite a lot for reasons more friendly than confiscating your hardware (which is probably about the worst thing that can happen to a geek).
Same here. Sometimes they would show up to drop off a case of beer, or just to hang out, share some pizza, and watch COPS on cable.
The one time the Feds did show up to confiscate the hardware was long before I started hanging out there...
A former employer of mine (WRQ Seattle) used to have a semi-regular employee sale where you'd "buy" items for basically what it cost them to pay someone to write the receipts and make entries in the inventory system.
It sounds like a good idea, but only seems to work for items of a very small value (books, for example).
For larger items, somebody always takes advantage of the program, or something else happens to queer the deal or give some beancounter the impression that the program is not doing enough to "enhance shareholder value".
At many major corporations, the company routinely gives away old office furniture, but refuses to give away (or even sell) old computer equipment to employees. Most of it goes to the trash compactors.
With this program, it is easy to keep track of a separate password for each web site, and there is an (unlimited?) notes field for keeping track of extra account details or any extra challenge+response (You don't give every site your real mother's real maiden name, do you? Insanity!)
PSafe will generate random 'strong' passwords. For the really important systems, I use the 'strong' 8-character random password generated, but when I go to log in, paste the 8 characters from PSafe, and append a four-to-six letter string I keep in my head.
Voila --- Poor man's two-factor authentication!
I didn't wait to see what happens when you hit redline...
Does any such command exist for standard EIDE controllers/drives? Or even in any standard Unix (preferably FreeBSD) SCSI drivers for non-FCAL drives?
Without a spin-down and disconnect, hot-swap seems like it must pose some risk, however slight.
(BTW, nice troll there, PhysicsGenius.)