>>>I should be justified to spew vitriol at the coders, artists and others working in the industry.
Why "coders, artists and others" are representing your company? Almost-always deserved abuse is targeted at the specific company (e.g. EA Sports). Vitriol falling on regular folks is direct result of these regular folks attention-seeking diva behavior that is so prevalent in the gaming industry.
For example, you don't see "regular folk" speaking for Microsoft, and no-surprise they don't get abused for Microsoft's transgressions. Now, Ballmer, on other hand is known to throw chairs around...
>>> blatant abuse from immature children masquerading as adults who have no mental capacity for filtering their insane behavior.
When you frame criticism and your customers in this light, it is clear that your industry has a huge problem. Imagine, for example, Microsoft or Apple, referring to their customer base as "immature children who have no mental capacity for filtering". Do you think they get any less or more polite criticism (esp. Microsoft) ?
Gaming Industry doesn't get that they are part of the service industry. Customer is always right, and all that. Instead they act like divas and treat customers as nuisance.
What other IT industry behaves as badly and treats their customers with such contempt?
Yes, because Blizzard is such a shiny beacon of understanding and communicating player base needs, right? Well, you do not need to look hard to see this is clearly not the case. RealID fiasco anyone?
Fear = our secrets going to get hacked
Uncertainty = we just don't know how to quantify risks, because Step 3: Entropy!
Doubt = everything we know about cryptography is wrong, because Flawed Example!
I stand on my point that this paper, as far as practical cryptography goes, is FUD. I am willing to consider that it might be viewed differently through the lens of theoretical science.
Couldn't have happened to nicer set of people... right? Wrong! Gaming industry is rotten inside-out, infamous for sweatshop-like working conditions (look up "EA widow"), end-of-project layoffs, and large studios buying and gutting creative studios on one side and 'designers' squeezing all kinds of shady profits (zero-day DLC, "free"-to-play micro-transaction games targeted at minors) while constantly failing to innovate (e.g. any sports game franchise).
Gaming industry deserves all the abuse it gets. Extreme cases of abuse aside, all criticism is they get is deserved.
So you think describing in incomprehensible math what boils down to a type of vocabulary attack, and then somehow concluding that our RNG isn't good enough (never mind the elephant in the room that your implementation+policy is vulnerable to such attack) is not FUD?
I am not. This is being made a huge deal out of right now by people who matter (but shouldn't) since about three years ago. This paper isn't even the first time academics parade this flavor of red herring, this why I find this specific instance so annoying. Insufficient entropy for random seeding my foot. We know how to seed, have done it for decades without any issues. Now they want to see formal analysis of this (and nothing else). How is that going to result in better cryptography?
This isn't dismissive hand wave. What they discovered is a marginal concern, especially when dealing with on-the-way-out algorithms (e.g. 3DES). Authors are FUDsters not because what they discovered is false, but because they are making huge deal out of it, and some illiterate CIOs within government circles listened and redirected resources to mitigate this non-issue.
>>>This also confirms that full-drive encryption of an OS drive is barely better than an empty admin password when it comes to security.
This is an absurd claim.
There is no such thing as "plaintext matching", you probably thinking about CPA (chosen plain text attack). Things like nonce, CBC and random IV make sure that such matching impossible.
Without getting into boring details, as poster above mentioned, it is ensuring correct implementation of known secure algorithms that is important. Not entropy or some other pseudo-scientific attempt to get a shortcut to tenure.
Short of breakthrough in quantum computing modern crypto is secure. If you are using AES-256 or anything else FIPS certified - you are still going to be OK.
This has to do with theoretical vs. practical attacks against algorithms. Crypto algorithms evaluated based on concept of existential forgery, meaning that adversary can establish some correlation between encrypted message and truly random message. We are talking q2^128 for most cases. This does not mean that practical attack is available, or that it can be effectively computed.
This is well-known FUD that is making life difficult in government-facing Information Assurance circles. We are still talking ^n where to bruteforce N >>> heat death of universe. This is such unlikely cause of concern that effort currently spent on mitigating and testing is much better spent on ensuring proper implementation and validation of modern cryptographic algorithms. Instead all they care about is entropy assessment and don't care that it is for the implementation of ROT13.
I disagree. How would we otherwise establish a protocol for fully automated cars to flip each other for cutting off? There is no way around Turing Test for Strong AI, and this is key aspect of human behavior.
Standardized toll pass would allow cash-strapped counties to collect tolls from out of county residents. Just like "speeding" tickets, only there is no such thing as driving slowly to get around it.
I am curious if you are aware that others can and will try to connect to your elevator diagnostics or HVAC system? You are compromising your security by opening your infrastructure tot he Internet.
If not, then you shouldn't care about MACs, as long as they are static. Your isolated infrastructure network won't ever collide with Joe Shmoe smartphone, because there won't be any way to come into contact.
This is problematic on many levels. Just like with "desktop Linux", expecting technical competency for average user is unrealistic assumption. Masses will not spoof MACs, because they don't even know what it is or care to find out.
MAC is not used for security, but rather identification. It is your device's static identity where it can be easily mapped to owner's identity. The underlying issue isn't that some marketing scumbags collecting MACs, it is that once these MACs collected it is trivial to aggregate this information.
a. MAC addresses being broadcast without any regard to who is listening. Even when not negotiating/partaking in a connection.
b. MAC address is static.
Compare above situation to banking. You have a bank account number, it uniquely identifies you but it is not transmitted unless you initiate transaction (and even then only on need-to-know basis) plus it can be changed at any time. Now imagine that instead of MAC these bins were skimming banking information (without intend to defraud), would you still be as relaxed about this?
>>>Why no criminal investigation, or at least massive fine?
Likely because phone is actively broadcasting information in the public space. If I go out shouting my Social Security number, others are not liable for overhearing it or even writing it down.
Removing bins will not fix underlying protocol implementation problem. This has to be treated as any other vulnerability and patched, so it is not possible.
Yes, I love PGP and frequently use it, but Entrust has much better system simply because they solved "send me your public key" problem. Unfortunately they solved it by assuming that you belong to a trusted organization, so individual senders are largely out of luck.
1. Reasonable, you are on/. instead of working and you know they are logging it (unless you are sysadmin with direct access to logs)
2. It will inevitably go up as you age.
3. Very likely, but if this affects you so much you are ether driving decades-old car (and realize savings from not buying a newcar) or you over-spent on something and now living paycheck-to-paycheck with no margin or savings for raising costs
4. There is very little reason to suspect that on-going decline of Detroit will reverse. Things will keep getting worse (and your taxes will keep going up).
This thread burned down my house, killed all my family, and kicked my dog. This is the worst thread ever, please don't read it or you can end up like me!
Alternatively, they can chain remaining admins to the server racks and periodically whip them when productivity goes down. This might be slightly illegal, but it isn't like breaking the law stopped them before.
Great, now NSA will have mismanaged IT systems prone to failures and easier to compromise. As a result thier snooping will be available not only to US government, but to any other entity that would bother to hack their way into under-managed IT system run by remaining 10% of overworked sysadmins.
Slashdot Mirror
>>>I should be justified to spew vitriol at the coders, artists and others working in the industry.
Why "coders, artists and others" are representing your company? Almost-always deserved abuse is targeted at the specific company (e.g. EA Sports). Vitriol falling on regular folks is direct result of these regular folks attention-seeking diva behavior that is so prevalent in the gaming industry.
For example, you don't see "regular folk" speaking for Microsoft, and no-surprise they don't get abused for Microsoft's transgressions. Now, Ballmer, on other hand is known to throw chairs around...
>>> blatant abuse from immature children masquerading as adults who have no mental capacity for filtering their insane behavior.
When you frame criticism and your customers in this light, it is clear that your industry has a huge problem. Imagine, for example, Microsoft or Apple, referring to their customer base as "immature children who have no mental capacity for filtering". Do you think they get any less or more polite criticism (esp. Microsoft) ?
Gaming Industry doesn't get that they are part of the service industry. Customer is always right, and all that. Instead they act like divas and treat customers as nuisance.
What other IT industry behaves as badly and treats their customers with such contempt?
Yes, because Blizzard is such a shiny beacon of understanding and communicating player base needs, right? Well, you do not need to look hard to see this is clearly not the case. RealID fiasco anyone?
Fear = our secrets going to get hacked
Uncertainty = we just don't know how to quantify risks, because Step 3: Entropy!
Doubt = everything we know about cryptography is wrong, because Flawed Example!
I stand on my point that this paper, as far as practical cryptography goes, is FUD. I am willing to consider that it might be viewed differently through the lens of theoretical science.
Couldn't have happened to nicer set of people... right? Wrong! Gaming industry is rotten inside-out, infamous for sweatshop-like working conditions (look up "EA widow"), end-of-project layoffs, and large studios buying and gutting creative studios on one side and 'designers' squeezing all kinds of shady profits (zero-day DLC, "free"-to-play micro-transaction games targeted at minors) while constantly failing to innovate (e.g. any sports game franchise).
Gaming industry deserves all the abuse it gets. Extreme cases of abuse aside, all criticism is they get is deserved.
So you think describing in incomprehensible math what boils down to a type of vocabulary attack, and then somehow concluding that our RNG isn't good enough (never mind the elephant in the room that your implementation+policy is vulnerable to such attack) is not FUD?
I am not. This is being made a huge deal out of right now by people who matter (but shouldn't) since about three years ago. This paper isn't even the first time academics parade this flavor of red herring, this why I find this specific instance so annoying. Insufficient entropy for random seeding my foot. We know how to seed, have done it for decades without any issues. Now they want to see formal analysis of this (and nothing else). How is that going to result in better cryptography?
This isn't dismissive hand wave. What they discovered is a marginal concern, especially when dealing with on-the-way-out algorithms (e.g. 3DES). Authors are FUDsters not because what they discovered is false, but because they are making huge deal out of it, and some illiterate CIOs within government circles listened and redirected resources to mitigate this non-issue.
>>>This also confirms that full-drive encryption of an OS drive is barely better than an empty admin password when it comes to security.
This is an absurd claim.
There is no such thing as "plaintext matching", you probably thinking about CPA (chosen plain text attack). Things like nonce, CBC and random IV make sure that such matching impossible.
It must be your birthday!
Without getting into boring details, as poster above mentioned, it is ensuring correct implementation of known secure algorithms that is important. Not entropy or some other pseudo-scientific attempt to get a shortcut to tenure.
Short of breakthrough in quantum computing modern crypto is secure. If you are using AES-256 or anything else FIPS certified - you are still going to be OK.
This has to do with theoretical vs. practical attacks against algorithms. Crypto algorithms evaluated based on concept of existential forgery, meaning that adversary can establish some correlation between encrypted message and truly random message. We are talking q2^128 for most cases. This does not mean that practical attack is available, or that it can be effectively computed.
This is well-known FUD that is making life difficult in government-facing Information Assurance circles. We are still talking ^n where to bruteforce N >>> heat death of universe. This is such unlikely cause of concern that effort currently spent on mitigating and testing is much better spent on ensuring proper implementation and validation of modern cryptographic algorithms. Instead all they care about is entropy assessment and don't care that it is for the implementation of ROT13.
>>> This is probably not needed
I disagree. How would we otherwise establish a protocol for fully automated cars to flip each other for cutting off? There is no way around Turing Test for Strong AI, and this is key aspect of human behavior.
Standardized toll pass would allow cash-strapped counties to collect tolls from out of county residents. Just like "speeding" tickets, only there is no such thing as driving slowly to get around it.
I am curious if you are aware that others can and will try to connect to your elevator diagnostics or HVAC system? You are compromising your security by opening your infrastructure tot he Internet.
If not, then you shouldn't care about MACs, as long as they are static. Your isolated infrastructure network won't ever collide with Joe Shmoe smartphone, because there won't be any way to come into contact.
This is problematic on many levels. Just like with "desktop Linux", expecting technical competency for average user is unrealistic assumption. Masses will not spoof MACs, because they don't even know what it is or care to find out.
MAC is not used for security, but rather identification. It is your device's static identity where it can be easily mapped to owner's identity. The underlying issue isn't that some marketing scumbags collecting MACs, it is that once these MACs collected it is trivial to aggregate this information.
There are multiple issues here:
a. MAC addresses being broadcast without any regard to who is listening. Even when not negotiating/partaking in a connection.
b. MAC address is static.
Compare above situation to banking. You have a bank account number, it uniquely identifies you but it is not transmitted unless you initiate transaction (and even then only on need-to-know basis) plus it can be changed at any time. Now imagine that instead of MAC these bins were skimming banking information (without intend to defraud), would you still be as relaxed about this?
>>>Why no criminal investigation, or at least massive fine?
Likely because phone is actively broadcasting information in the public space. If I go out shouting my Social Security number, others are not liable for overhearing it or even writing it down.
Removing bins will not fix underlying protocol implementation problem. This has to be treated as any other vulnerability and patched, so it is not possible.
Yes, I love PGP and frequently use it, but Entrust has much better system simply because they solved "send me your public key" problem. Unfortunately they solved it by assuming that you belong to a trusted organization, so individual senders are largely out of luck.
1. Reasonable, you are on /. instead of working and you know they are logging it (unless you are sysadmin with direct access to logs)
2. It will inevitably go up as you age.
3. Very likely, but if this affects you so much you are ether driving decades-old car (and realize savings from not buying a newcar) or you over-spent on something and now living paycheck-to-paycheck with no margin or savings for raising costs
4. There is very little reason to suspect that on-going decline of Detroit will reverse. Things will keep getting worse (and your taxes will keep going up).
Now get back to worrying about methane bombs!
This thread burned down my house, killed all my family, and kicked my dog. This is the worst thread ever, please don't read it or you can end up like me!
Alternatively, they can chain remaining admins to the server racks and periodically whip them when productivity goes down. This might be slightly illegal, but it isn't like breaking the law stopped them before.
Great, now NSA will have mismanaged IT systems prone to failures and easier to compromise. As a result thier snooping will be available not only to US government, but to any other entity that would bother to hack their way into under-managed IT system run by remaining 10% of overworked sysadmins.