Yep, Privoxy is great. For most users, the fact that it supports HTTP/1.1 is enough. What's a real killer, is the ability to to modify the block/rewrite rules via the built-in web interface.
The new configuration file formats are not altogether clear, nor are they concise. For lazy users, getting their blockfiles updated without the need to edit those files by hand is a blessing. Especially getting the blockfile rulesets right takes a good amount of time, because there are so many options to choose from. Not to mention that the default behaviour (so far) has been to accept all cookies by default.
I have also encountered two websites that show an empty page through Privoxy, although the action log doesn't state that anything was blocked. Once I find a third one, I'm going to report that behaviour to the development team so they have a good set to work with. But other than these few glitches, it works absolutely great.
Yes, I do miss the simple "prefix address with tilde to let it through" blockfile format. I also understand that the new features allow for much more and hence require a bit more sophisticated configuration format.
Aside from possible uses for industrial espionage, which somebody else already pointed out... evidence integrity.
When law enforcement records the phonecalls or your activity, they use a media that can be examined for integrity. Audio and video tapes can be examined for signs of manipulation. Digital, text-form messages have no such property. After all, it is not unheard of police tampering with the evidence or even implanting some.
And for what? When they seriously need a scapegoat for a major and much publicized incident, or when they are certain in their collective mind that a certain person has committed the crime but not enough evidence exists. Now, fast forward to a situation, where these same law enforcement officials are in charge of the storage of digital evidence.
In such a situation, forging email content and removing other parts is both easy and plausible. Add that to the fact that you will have hard time to prove that you didn't send such emails. You and the counterparts would all naturally destroy any and all such messages immediately afterwards. Even having something in store that resembles the alleged evidence is not enough. You would have stored that as an alibi and destroyed the others.
So, in the end it's not about intercepting my digital correspondence. It's the possibility of easily tampering with that data, without leaving any evidence that such activity has ever taken place.
[...] we will NEVER be able to send people back in time, for the simple reason that we'd have met them already.
It is fascinating how big some people have managed to grow their egos.
Not taking into account the already mentioned piece of information that you can't travel back to time where the time machine did not already exist, why do we even consider that future time travelers (if there will be such) would actually bother to travel to our time? Hasn't it occurred to you that our time could be considered not only dangerous but also very uninteresting and hence not worth the effort?
I sincerely propose you read Arthur C. Clarke's Childhood's End. It paints a nice view of things that could happen and especially how people react. For some very weird reason, we tend to think ourselves as the centres of the entire Universe. Now it seems we also think ourselves as the centres of the entire space-time continuum.
some would say this tactic is 'cheap' - i think cheap is getting missles and jumping onto the highest building and firing constantly.
Yes, that is definetely cheap. Which is the reason that when I ran a bzflag server, jumping wasn't allowed, unless you got the Jump flag. We wanted to keep the guided missiles in the game, but without the munchkin factor that they, combined with free jumping, give.
Yep, basically just getting the missiles and hopping on top of the highest building allowed you to snipe every single player that came in your field of vision. I tried it once and it's dead boring.
Now I'm feeling the urge to reinstall a bzflag server and get in touch with the game again. As if it wasn't difficult enought to let go the last time:)
At least animation studios are using linux for render farms. And why wouldn't they? Free of charge OS that is used for boxes crunching numbers days in and out. I don't know about Shrek and whether or not it was modelled under Linux. Quick Google didn't help me either, so some willing karma-hungry person can fill in the blank space.
But, that's not the point. This actually brings linux to the world of professional video editing. This is a big step, and definetely one I welcome with joy. Now, if we only had truly good sound studio software to beat the living crap out of SoundForge... I know people who would change this instant to non-windows applications if they offered the same or better functionality and range of capabilities.
In fact, I managed to find the paper in question. See here for yourself. The relevant page is sums and reading from the top, I get the following:
The DES cracker is searching a 2^56 key space (72,058,000,000,000,000 keys) at a speed of 33.333 MHz (ie 33.333 million keys/second). To search the entire key space would therefore take 68.50 years.
The DES cracker is actually searching for up to 16384 keys in parallel. If the whole key space was searched it would find keys at an average rate of one per 68.50/16384 years, which is one every 36.65 hours.
So please, point me where I went wrong. Especially, have I understood the phrase if the whole key space was searched... wrong? And if, how?
We know that the running time of DES is pretty much a constant. The same time is required per block, regardless of whether we are encrypting or decrypting. The function is the same, the subkeyset is just reversed. So if DES cracker manages to find a single key on average of 36.65 hours, it means it MUST have gone through 50% of the key space in that time.
And if I didn't misread the front page, it really says that anyone with access to 1000 $US FPGA and some programming books can do this.
[...] this pretty much settles the question for me that 40-bit, even 64-bit just isn't enough.
Correct. 40-bit keys have no protective value. Remember the article about IBM's crypto chip being broken? (Somebody please provide the link to/. article, I can't at the moment.) In practice, they broke single DES, 56 bits worth of security in a good block cipher. In brute force.
It took at most 2 days with ~1000 $US worth of gear to find the key. Let's assume that they needed the full 48 hours to get that key broken. Simple math follows:
48 hours is 48*3600 seconds. It takes this much time to brute-force a 56-bit key. 40 bits is 1/(2^16) times the size of that, hence the time to break a 40-bit key with similar equipment is 48*3600/(2^16) seconds. This is no more than about 2.6 seconds.
To underline this as clearly as I can: 40-bit keys provide NO security. They may have provided some, at a time - but definetely not for some time now.
The site was down, owing thanks to/. effect. I could only read the leading page so bare with me.
I had my focus on building a silent computer when I did my hardware upgrade plans. It still amazes me, that some people don't bother to check the noise levels of their gear prior to purchase. I spent some two to three weeks browsing through stuff, reviews and user reports.
In the end, I got myself a Q-Technology (sold to new owner now, unfortunately) silent power, NoiseControl processor cooler, and a tube of Arctic Silver thermal compound. The cpu cooler did not have the best of contact surfaces, so additional help was required there.
My case didn't have enough space to fit a Silverado MkII, so I settled for even quieter model. After putting the components together, I was happy to find out that the absolutely noisiest part of all this was the fan on the motherboard chipset. Which I promptly unplugged. Now the loudest sound I get from my computer is the sound of the hard drive spinning.
All this required only some thought and a little effort to try to find out things in advance. Why more users never bother to do this, I can't even imagine. So much post-purchase whining could be averted, if they only did at least some research... Yes, this was far from the cheapest of solutions, but I was prepared to pay some extra for silent quality parts.
As my mom used to say, 'poor people can't afford to buy products that are cheap and lousy in quality.'
Yes, there are people who are clueless or ignorant enough NOT to have up-to-date virus shields. A virus that survives major system upgrades and disk sweeps would not be an impossibility. I shiver at the thought.
At the time that I wrote it, it was science fiction. It now looks like I was way too conservative, and events are already on the way towards overtaking my predictions. Hey ho.
One of my personal mottos has been for quite a while this:
"Humans are by nature optimists. Try to think the absolute worst thing that other human beings could come up with. Wait a few years. Note how optimistic you really are."
Yes, and then you'd need to securely transmit that one-time pad to the person receiving your message. You still haven't solved the Catch 22 here.
Albeit, quantum crypto can solve this. Despite the fancy name, it's nothing more than a secure way to transmit regular encryption keys. It's just not practical at the moment. And large messages with one-time pads? The key would be as big as the original message. Thank you, but for regular use I'd choose good block ciphers any day.
What is everyone's great desire to rip off Apple's look anyway? Make something better if you're the expert.
I chose that quote for the subject, and for a reason. Did you consider the fact that people have looked at Aqua and liked it very much? Apple has a history of making usable UIs, so Aqua may not be an exception.
Yet, quite a few of us are not willing to switch the platform we're currently on. Not to mention buying a completely new set of hardware, should we want to have an Aquaish UI. I think you could call it the freedom of choice. Personally, I think Aqua is a bit too bleak for my taste but I do understand why some folks would want to use it.
As to why ripping off a good design? You pointed out why professional UI design can manage such wonderful results: there are several professionals who get paid to shred the unfinished work to pieces. If they have high enough standards, they won't allow their work to be left unfinished and a half-baked UI to leave the door. Add a good number of designers, working in unison to get results that will withstand such brutal approach and in time, something worthwhile WILL come of all of it.
Such resources are just not available to OS folks. At least, not a good majority. These folks have to rely on user feedback and bug reports. And who do you think writes them? Geek users, not professional usability experts.
So please forgive us for wanting to use our platform of choice, probably with a very attracting UI. Apple has managed to create a UI that draws mimics like a pot of honey would flies. They should be very, very flattered. For all I know, they very well may be - they just have chosen to limit Aqua's availability to only those running their operating system.
You make your own decision whether this is a good or bad choice. I am not competent enough to decide it for someone else.
Smart Tags add additional (and unwanted) information. In effect, they change the content from the original and do this in a way that the user has little or no way of finding out. Adbusters have to be configured to remove information we wish not to see. They change the content in a predefined and user-configurable way.
Would you like to see your web pages mutilated with links that weren't there when you made them?
The fact that Smart Tags are made as opt-out, is close to immoral. Anyone who builds webpages has to specifically disable them on each page. Just how do you think casual users are going to know about this? Not everyone with web pages is a professional.
Re:I'm sticking with IRC thankyouverymuch
on
Secure IRC?
·
· Score: 2, Insightful
Q: How secure SILC really is? A: A good question which I don't have an answer for.
I'm answering this one first. Or more than that - can YOU tell me exactly how secure RSA as an algorithm is? Or AES (Rijndael)? SSL as a protocol? The PGP specification?
None of these have absolute and accurately measurable "amount" of security. The algorithms are open, as are the protocol specifications. We only know that they haven't yet been publicly broken. We use them, and we trust them.
SILC is by no means a silver bullet and it's not meant as such. Personally I think it's one huge step into the right direction. One, it adds to the generally small amount of encrypted traffic which is always good. Two, nobody owns a nick in SILC network so the ever increasing nick wars as seen in IRC are not going to be a problem. Three, people are touting about not using telnet when we have SSH. It didn't happen overnight.
No, I don't think SILC is ever going to replace IRC, in the same way that SSH has not replaced telnet. What we need is more clients, more users and a lot more testing and good ideas as to how SILC should be developed. It's not a ready product but it's definetely quite stable - and because the UI is almost exactly like IRC, those that wish to give it a try should feel quite at home.
The SILC protocol appears quite solid and the person who designed it, has had it brewing for ages. No, he's not an established crypto authority like Zimmerman or Biham. But he works in this field and as such, has a pretty good insight. The protocol is still under developement, as you have noticed. The chat part is quite finished but file transfer is not yet there. What we need is a set of really good ideas and a streamlined protocol for file transfer. You have a very good point about that - but how long did it take for IRC to have DCC capability? I'm pretty confident it didn't have it at the very beginning. Don't bash SILC just because it's still an infant and trying to grow.
You have absolute rights to your opinion, and I respect that. I just used mine.
As has been noted, the effective substance in Red Bull can cause death, if someone was fool enough to consume insane amounts of it. Somehow, I have the hunch that not everything has been told in this case. I wouldn't be that surprised if ecstacy was involved.
But this piece of news did remind me of a science-fiction story I read. The power of statistics should never be underestimated when doing research on reason -> result field:) This is a story any statistician should read:)
My girlfriend and I had to do extensive searches for seminars on chemical engineering devices. This seems to be a subject that really is NOT covered on the Internet. Only some vague ads and promotion websites, but no techical details or such.
On the other hand, what we did find, was a huge collection of all kinds of sex toys and devices to 'aid' sexual functions. You wouldn't believe the kinds of pages altavista (no google back then) brought up with "+gear +pump"... Nowadays, the results are better.
probably infeasible as well. First of all, to make this proposal work, it would require that
Each user was assigned an asymmetric key.
The files would have to be INDIVIDUALLY "watermarked" as a file once decrypted is just plain data, with nothing to identify from whom it has originated.
There would have to be practically unlimited resource of CPU time. The computation required for doing DH/RSA/ECC on a large file is both really slow and very, very heavy.
Especially because of the second point, I don't believe it would work. Please, find some references on asymmetric/symmetric hybrid encryption and you understand why third point is unmeaningful.
As this "challenge" proved, watermarking can be removed. Tagging mp3 frame headers with pseudorandom data would be trivial to circumvent. You just can't earmark music that way.
Slashdot Mirror
Yep, Privoxy is great. For most users, the fact that it supports HTTP/1.1 is enough. What's a real killer, is the ability to to modify the block/rewrite rules via the built-in web interface.
The new configuration file formats are not altogether clear, nor are they concise. For lazy users, getting their blockfiles updated without the need to edit those files by hand is a blessing. Especially getting the blockfile rulesets right takes a good amount of time, because there are so many options to choose from. Not to mention that the default behaviour (so far) has been to accept all cookies by default.
I have also encountered two websites that show an empty page through Privoxy, although the action log doesn't state that anything was blocked. Once I find a third one, I'm going to report that behaviour to the development team so they have a good set to work with. But other than these few glitches, it works absolutely great.
Yes, I do miss the simple "prefix address with tilde to let it through" blockfile format. I also understand that the new features allow for much more and hence require a bit more sophisticated configuration format.
Aside from possible uses for industrial espionage, which somebody else already pointed out... evidence integrity.
When law enforcement records the phonecalls or your activity, they use a media that can be examined for integrity. Audio and video tapes can be examined for signs of manipulation. Digital, text-form messages have no such property. After all, it is not unheard of police tampering with the evidence or even implanting some.
And for what? When they seriously need a scapegoat for a major and much publicized incident, or when they are certain in their collective mind that a certain person has committed the crime but not enough evidence exists. Now, fast forward to a situation, where these same law enforcement officials are in charge of the storage of digital evidence.
In such a situation, forging email content and removing other parts is both easy and plausible. Add that to the fact that you will have hard time to prove that you didn't send such emails. You and the counterparts would all naturally destroy any and all such messages immediately afterwards. Even having something in store that resembles the alleged evidence is not enough. You would have stored that as an alibi and destroyed the others.
So, in the end it's not about intercepting my digital correspondence. It's the possibility of easily tampering with that data, without leaving any evidence that such activity has ever taken place.
[...] we will NEVER be able to send people back in time, for the simple reason that we'd have met them already.
It is fascinating how big some people have managed to grow their egos.
Not taking into account the already mentioned piece of information that you can't travel back to time where the time machine did not already exist, why do we even consider that future time travelers (if there will be such) would actually bother to travel to our time? Hasn't it occurred to you that our time could be considered not only dangerous but also very uninteresting and hence not worth the effort?
I sincerely propose you read Arthur C. Clarke's Childhood's End. It paints a nice view of things that could happen and especially how people react. For some very weird reason, we tend to think ourselves as the centres of the entire Universe. Now it seems we also think ourselves as the centres of the entire space-time continuum.
some would say this tactic is 'cheap' - i think cheap is getting missles and jumping onto the highest building and firing constantly.
Yes, that is definetely cheap. Which is the reason that when I ran a bzflag server, jumping wasn't allowed, unless you got the Jump flag. We wanted to keep the guided missiles in the game, but without the munchkin factor that they, combined with free jumping, give.
Yep, basically just getting the missiles and hopping on top of the highest building allowed you to snipe every single player that came in your field of vision. I tried it once and it's dead boring.
Now I'm feeling the urge to reinstall a bzflag server and get in touch with the game again. As if it wasn't difficult enought to let go the last time :)
At least animation studios are using linux for render farms. And why wouldn't they? Free of charge OS that is used for boxes crunching numbers days in and out. I don't know about Shrek and whether or not it was modelled under Linux. Quick Google didn't help me either, so some willing karma-hungry person can fill in the blank space.
But, that's not the point. This actually brings linux to the world of professional video editing. This is a big step, and definetely one I welcome with joy. Now, if we only had truly good sound studio software to beat the living crap out of SoundForge... I know people who would change this instant to non-windows applications if they offered the same or better functionality and range of capabilities.
In fact, I managed to find the paper in question. See here for yourself. The relevant page is sums and reading from the top, I get the following:
The DES cracker is searching a 2^56 key space (72,058,000,000,000,000 keys) at a speed of 33.333 MHz (ie 33.333 million keys/second). To search the entire key space would therefore take 68.50 years. The DES cracker is actually searching for up to 16384 keys in parallel. If the whole key space was searched it would find keys at an average rate of one per 68.50/16384 years, which is one every 36.65 hours.
So please, point me where I went wrong. Especially, have I understood the phrase if the whole key space was searched... wrong? And if, how?
We know that the running time of DES is pretty much a constant. The same time is required per block, regardless of whether we are encrypting or decrypting. The function is the same, the subkeyset is just reversed. So if DES cracker manages to find a single key on average of 36.65 hours, it means it MUST have gone through 50% of the key space in that time.
And if I didn't misread the front page, it really says that anyone with access to 1000 $US FPGA and some programming books can do this.
Correct. 40-bit keys have no protective value. Remember the article about IBM's crypto chip being broken? (Somebody please provide the link to /. article, I can't at the moment.) In practice, they broke single DES, 56 bits worth of security in a good block cipher. In brute force.
It took at most 2 days with ~1000 $US worth of gear to find the key. Let's assume that they needed the full 48 hours to get that key broken. Simple math follows:
48 hours is 48*3600 seconds. It takes this much time to brute-force a 56-bit key. 40 bits is 1/(2^16) times the size of that, hence the time to break a 40-bit key with similar equipment is 48*3600/(2^16) seconds. This is no more than about 2.6 seconds.
To underline this as clearly as I can: 40-bit keys provide NO security. They may have provided some, at a time - but definetely not for some time now.
Possibly to show that things evolve.
You know, that biology stuff? According to what, the best and most adaptive practices are found to be dominant over time.
The site was down, owing thanks to /. effect. I could only read the leading page so bare with me.
I had my focus on building a silent computer when I did my hardware upgrade plans. It still amazes me, that some people don't bother to check the noise levels of their gear prior to purchase. I spent some two to three weeks browsing through stuff, reviews and user reports.
In the end, I got myself a Q-Technology (sold to new owner now, unfortunately) silent power, NoiseControl processor cooler, and a tube of Arctic Silver thermal compound. The cpu cooler did not have the best of contact surfaces, so additional help was required there.
My case didn't have enough space to fit a Silverado MkII, so I settled for even quieter model. After putting the components together, I was happy to find out that the absolutely noisiest part of all this was the fan on the motherboard chipset. Which I promptly unplugged. Now the loudest sound I get from my computer is the sound of the hard drive spinning.
All this required only some thought and a little effort to try to find out things in advance. Why more users never bother to do this, I can't even imagine. So much post-purchase whining could be averted, if they only did at least some research... Yes, this was far from the cheapest of solutions, but I was prepared to pay some extra for silent quality parts.
As my mom used to say, 'poor people can't afford to buy products that are cheap and lousy in quality.'
It would be useful if they went into more details, eg what a turning machine is.
I believe they call that "a wheel"...
Nice typo :)
Can you say "memory-resident virus"? Thought so.
Yes, there are people who are clueless or ignorant enough NOT to have up-to-date virus shields. A virus that survives major system upgrades and disk sweeps would not be an impossibility. I shiver at the thought.
One of my personal mottos has been for quite a while this:
"Humans are by nature optimists. Try to think the absolute worst thing that other human beings could come up with. Wait a few years. Note how optimistic you really are."
Yes, and then you'd need to securely transmit that one-time pad to the person receiving your message. You still haven't solved the Catch 22 here.
Albeit, quantum crypto can solve this. Despite the fancy name, it's nothing more than a secure way to transmit regular encryption keys. It's just not practical at the moment. And large messages with one-time pads? The key would be as big as the original message. Thank you, but for regular use I'd choose good block ciphers any day.
What is everyone's great desire to rip off Apple's look anyway? Make something better if you're the expert.
I chose that quote for the subject, and for a reason. Did you consider the fact that people have looked at Aqua and liked it very much? Apple has a history of making usable UIs, so Aqua may not be an exception.
Yet, quite a few of us are not willing to switch the platform we're currently on. Not to mention buying a completely new set of hardware, should we want to have an Aquaish UI. I think you could call it the freedom of choice. Personally, I think Aqua is a bit too bleak for my taste but I do understand why some folks would want to use it.
As to why ripping off a good design? You pointed out why professional UI design can manage such wonderful results: there are several professionals who get paid to shred the unfinished work to pieces. If they have high enough standards, they won't allow their work to be left unfinished and a half-baked UI to leave the door. Add a good number of designers, working in unison to get results that will withstand such brutal approach and in time, something worthwhile WILL come of all of it.
Such resources are just not available to OS folks. At least, not a good majority. These folks have to rely on user feedback and bug reports. And who do you think writes them? Geek users, not professional usability experts.
So please forgive us for wanting to use our platform of choice, probably with a very attracting UI. Apple has managed to create a UI that draws mimics like a pot of honey would flies. They should be very, very flattered. For all I know, they very well may be - they just have chosen to limit Aqua's availability to only those running their operating system.
You make your own decision whether this is a good or bad choice. I am not competent enough to decide it for someone else.
Yep, U.S. has the best government money can buy.
Why am I not even surprised?
Smart Tags add additional (and unwanted) information. In effect, they change the content from the original and do this in a way that the user has little or no way of finding out. Adbusters have to be configured to remove information we wish not to see. They change the content in a predefined and user-configurable way.
Would you like to see your web pages mutilated with links that weren't there when you made them?
The fact that Smart Tags are made as opt-out, is close to immoral. Anyone who builds webpages has to specifically disable them on each page. Just how do you think casual users are going to know about this? Not everyone with web pages is a professional.
I know of at least two older eggdrop bots that went broke. There was a nasty bug in older eggdrops that just assumed a 9-character uptime calculator.
This page shows what versions were affected. Yes, there were quite a lot of 1.4.x 'drops still around...
And that reminds me of a quote I heard some months back.
"God created the world in 6 days. Perl gods are not impressed."
The fact that someone comes up with the idea of using religion against DMCA...
Or that it actually makes sense.
Would that stand for Dead On Arrival, 3rd time? - Now, why does this suddenly ring a bell...
And you just had to remedy that?
Q: How secure SILC really is? A: A good question which I don't have an answer for.
I'm answering this one first. Or more than that - can YOU tell me exactly how secure RSA as an algorithm is? Or AES (Rijndael)? SSL as a protocol? The PGP specification?
None of these have absolute and accurately measurable "amount" of security. The algorithms are open, as are the protocol specifications. We only know that they haven't yet been publicly broken. We use them, and we trust them.
SILC is by no means a silver bullet and it's not meant as such. Personally I think it's one huge step into the right direction. One, it adds to the generally small amount of encrypted traffic which is always good. Two, nobody owns a nick in SILC network so the ever increasing nick wars as seen in IRC are not going to be a problem. Three, people are touting about not using telnet when we have SSH. It didn't happen overnight.
No, I don't think SILC is ever going to replace IRC, in the same way that SSH has not replaced telnet. What we need is more clients, more users and a lot more testing and good ideas as to how SILC should be developed. It's not a ready product but it's definetely quite stable - and because the UI is almost exactly like IRC, those that wish to give it a try should feel quite at home.
The SILC protocol appears quite solid and the person who designed it, has had it brewing for ages. No, he's not an established crypto authority like Zimmerman or Biham. But he works in this field and as such, has a pretty good insight. The protocol is still under developement, as you have noticed. The chat part is quite finished but file transfer is not yet there. What we need is a set of really good ideas and a streamlined protocol for file transfer. You have a very good point about that - but how long did it take for IRC to have DCC capability? I'm pretty confident it didn't have it at the very beginning. Don't bash SILC just because it's still an infant and trying to grow.
You have absolute rights to your opinion, and I respect that. I just used mine.
As has been noted, the effective substance in Red Bull can cause death, if someone was fool enough to consume insane amounts of it. Somehow, I have the hunch that not everything has been told in this case. I wouldn't be that surprised if ecstacy was involved.
But this piece of news did remind me of a science-fiction story I read. The power of statistics should never be underestimated when doing research on reason -> result field :) This is a story any statistician should read :)
My girlfriend and I had to do extensive searches for seminars on chemical engineering devices. This seems to be a subject that really is NOT covered on the Internet. Only some vague ads and promotion websites, but no techical details or such.
On the other hand, what we did find, was a huge collection of all kinds of sex toys and devices to 'aid' sexual functions. You wouldn't believe the kinds of pages altavista (no google back then) brought up with "+gear +pump"... Nowadays, the results are better.
probably infeasible as well. First of all, to make this proposal work, it would require that
Especially because of the second point, I don't believe it would work. Please, find some references on asymmetric/symmetric hybrid encryption and you understand why third point is unmeaningful.
As this "challenge" proved, watermarking can be removed. Tagging mp3 frame headers with pseudorandom data would be trivial to circumvent. You just can't earmark music that way.