Are you seriously going to sit there and claim that your personal experience and intuition trumps basic arithmetic? Seriously, open up a calculator and do the multiplication like I did. Unless you're claiming that his PC is not consuming 400W or is not on all the time or he's not quoted the correct rate or there aren't about 30 days in a month, then there's nothing for you to dispute. The most plausable attack on his claim would be if the power supply did not consume enegy at a constant rate of 400W - I don't know enough about the matter to comment on that part.
Most of the devices you quoted, especially the washer, and dryer, are rarely on.
Because the entire point of digital signatures in encryption is making sure that a particular message is authentic.
Under DNS and plain old TCP traffic, anyone who has access to the network (and whatever other conditions are necessary for spoofing, I'm not sure what they are) can send you a message and pretend to be someone else. Or they can man-in-the-middle you and change the information as it passes through. The system simply doesn't prevent this in general. So in order to be sure the reply hasn't been tampered with, it is digitally signed by the sender using the sender's private key. The corresponding public key, which one would hope is well-known ahead of time and not replaced by the attacker, will decrypt and verify the signature if and only if the message was indeed signed using that private key.
So yes, anyone who could mess with your traffic before can still do that now, but the difference is that they cannot sign the messages without the private key. When you receive a forged DNSSec reply it will be immediately obvious that the signature is lacking or does not check out, and your machine will not trust it. The man in the middle can forward modified replies to you, yes, and perhaps instigate some sort of DoS to prevent you from receiving the proper responses, but at worst your machine will act as if it had not received any reply rather than trust a bad response. In TCP, SSL provides the equivalent protection (well, more, since it also actually encrypts the message rather than just sign it. I don't know enough about DNSSec to make an accurate comparison.)
Wikipedia has some good information about cryptography but it's all pretty dense on first read. You could try some of the links, I'm sure there are plenty of primers out there.
Agreed. I didn't realize how important this is until I had a discussion with some guys in my networking class, and the consensus was conduit carrying cat6 to a patch panel. This has quickly risen to the number one feature I will look at when I reach the point in my life when I'll be buying a house - probably above indoor plumbing and having a roof.
I recently installed Beryl and played around with it for an hour or two, but won't have time to really learn how to use it for a while. One thing I'm wondering: Is it realistic at this stage to expect to be able to configure a 3d desktop environment to be just as responsive as a 2d environment? Obviously you can go nuts with all the plugins, but as fun as that is, latency is a major issue for me, even if it's just a difference of a few tenths of a second.
So what hardware are you running Beryl on, and how is the performance compared to standard KDE or Gnome? I have a sempron and a geforce 6200.
So, you mean the US government might want to take down a terrorist domain, and wouldn't mind nailing all of *.org while they're at it? Something tells me they don't want that kind of attention.
Right, I was amazed they considered Quake to be a violent game compared to GTA. Quake is all flames and gibs; GTA's the one that you might argue has the capacity to desensitize.
Why does requiring open source kill market opportunities? You do realize that open source does not equal free software, so when it says the source code needs to be publically available, that doesn't mean competitors are free to steal code for their own devices.
I don't know if I would classify copyright infringement under contract violation. I think technically speaking, contract violation is less severe. I remember a story where someone violated the GPL and tried to get the charges knocked down because he tried to get it interpretted not as unauthorized redistribution, but authorized redistribution without living up to contractual obligations.
IANAL, but there are two of them in the house right now, and they say there is definitely a distinction. You may have been speaking figuratively.
The legality of the Mickey Mouse Protection Act was challenged in Eldred v. Ashcroft, in which the majority of the justices decided it's okay to allow copyright terms to grow indefinitely and at a faster pace than the passage of time.
If you already have the worm, as far as I'm concerned you've already lost the battle. Yes, I know there's a whole science of security devoted to recovering from breaches rather than just preventing them, but I don't find that part as fun.;)
But the other point you mentioned is exactly the fallacy I mentioned above: If you have the service there because you wanted it there, as opposed to it being there by default or because another user installed it or because your machine has already been compromised, then you do not want to use a firewall to restrict access. If you don't want the service accessible, then you can just disable it on the host and leave the network out of it. It seems that all the firewall does is help centralize administration - of course I'm not denying that that's a benefit, I just don't see it as the panacea people seem to claim it is.
> "Because you were the first incompetent boob to come along."
The "obvious reply" I was referring to was a loaded "M$ is shit, why would you even need to exert effort to own windoze boxes" or some variant thereof, and I was shocked because I'm normally several hours late in coming to these discussions so I figured someone would've made the obligatory two-liner rant by now.
> "There is a HUGE, obvious difference between a zero day exploit spreading from computer to computer and millions of PC's getting an exploit at the same time because they were set to automatically download updates from Windows Update."
Worhol worms anyone? I don't see why a good piece of malware exploiting a common but unknown vulnerability would be much different.
> "Or did you stop to consider the fact that basic security will keep you from being infected by a zero day exploit?"
Basic security? You mean unplugging the system? Yes, that has not escaped me. But when you choose to run a machine without isolating yourself from the rest of the world, there are compromises you must make. If you're going to run a web server, you are accepting the risk that there may be a zero day in that software. Basic security will not protect you, because basic security presumes or prays for the integrity of some necessary services.
> "A firewall will act as a barrier between your PC and a worm. A firewall will do jack to stop a PC from getting an exploit through Windows Update."
How will a firewall protect you from a buffer overrun?
On a sidenote: What good is a firewall when the network administrator and computer user are the same person? It has always been my understanding that a firewall is nothing more than a series of rules for denying connections; please correct me if I'm mistaken. In the case of incoming connections, I have never understood the purpose of the firewall in non-corporate situations. So you don't block port 1234 incoming - how does that suddenly make you vulnerable if you're not running any services on that port? Someone will try to connect and the OS will just refuse it, big whoop. And if you do have a service on 1234, you would presumably like to keep it accessible. Either you have something running that's accessible to the public or you don't, but in neither case does a firewall assist you.
Everytime I ask that question the reply I get is "well it can't hurt to be safe", which is akin to writing the same assignment operation in a programming language over and over again, in case the computer didn't deterministically execute the first one for some reason.
You say a firewall will protect you from worms. So will taking a sledgehammer to your router. In either case you're denying the outside world access to your machine. By the same logic, a firewall can protect your machine from exploits via windows update: simply block the outgoing connection to MS's servers. Why not? We seem to be in the practice of cutting off the nose to spite the face (you may replace this with a more appropriate analogy at will).
I'm sure it is, as well as plenty of other package systems. But you could make the same argument about all of open source. When's the last time you read a thousand-line make file line-by-line and verified that its author wasn't an Underhanded C Contest champion?
I guess the difference is that securing DNS is more fundemental problem than the integrity of individual applications or update systems.
Putting the content of your entire post on multiple short lines makes it kind of read like a poem. Not capitalizing the word "I" makes me think of e.e. cummings.
I am absolutely shocked that no one has given the obvious reply, seeing as how this is slashdot.
You can already take over every microsoft computer in the world. All it takes is a zero day exploit. How exactly is a spam botnet fundementally different from a botnet controlled by the US Government?
The security of encryption keys is only a concern when the security of the rest of the system is not in quesiton.
Under that system, if new ccTLDs are added, it will force an update to all DNSSec users. This may be acceptible though.
The master key is trusted by all and signs every TLD and ccTLD, right? Does this key expire after a set number of years? If so, how is replacement handled, especially for systems that may be offline for long periods of times? Just wondering.
> "you can MitM and actually send forged DNS entries back to the client"
Er, no, that's what DNSSec prevents. Just as SSL stops man in the middle attacks for normal TCP traffic, DNSSec makes sure the domain query responses are authentic. The man in the middle doesn't have the key and cannot sign his forged response; he can only forward legitimate responses.
I don't see how. If the major labels went DRM free, that would essentially blow the market towards unencumbered music. Apple would lose a lot of marketshare if it didn't jump on the bandwagon. So long as the labels keep DRM, iTunes will, and if the labels decided against it, iTunes will follow, regardless of Jobs' preferences.
Gentoo is all about choice. In this case, you choose to overwrite your partitions with/dev/urandom. While that may be fine for newcommers, power-users appreciate the satisfaction that comes from catting/dev/random and manually moving the mouse to generate entropy until every gigabyte is nuked. You already took the time to compile your system from scratch in step 1; when it's time to give up in step 2, you'll want to make sure you demonstrate that same dedication to slowly acheived perfection.
I am now officially disgusted at this thread because every single post in it except for this one and the first one are, at the time of my posting, related to grammar or spelling mistakes in the summary.
I like your analogy, but the problem with it (from my perspective) is that human psychology is incredibly complicated and any attempt to describe it is necessarily a vast simplification, whereas with software and networks it is possible to create models that are unambiguously superior.
But you are correct in that the ideal model isn't a requirement for a productive system. It's just that it seemed like the parent poster was caught in an infinitly incremental, good-enough mindset, which I object to.
> "The only benefit of a DNS trail is to allow rich corporations to audit the queries and optimize them in their favor."
So a secure DNS system does not help protect us from forged DNS responses? What exactly is your reasoning behind that? And what do you mean by optimizing queries in their favor? This is starting to sound like a Net Neutrality debate.
You're worried that if there's a DNS trail to follow, anonymity will vanish? Unless you regularly engage in DNS spoofing to trick people into confusing your identity with someone else's, I think you're already screwed by virtue of the fact that everyone you communicate with has your IP address.
So what in hell does DNS have to do with personal accountability?
Why push solutions no one wants? Because they're good solutions to worthy problems. Because they're better than what we have. Because to not push them would offend technological common sense. If no one wants them then that doesn't mean they are inferior solutions; it could just as easily mean that people do not understand the problem.
I believe there was a quote by a president who commented on the telephone, that went along the lines of, "It's a marvelous invention, but who would ever want one?"
Slashdot Mirror
> "That's what rocks about the cellular service industry. Everybody's mouth-breathing stupid so it's not a competitive disadvantage."
All to true. Although I take offense to the term mouth-breather. We can't all have perfectly uninflamed tonsils.
Are you seriously going to sit there and claim that your personal experience and intuition trumps basic arithmetic? Seriously, open up a calculator and do the multiplication like I did. Unless you're claiming that his PC is not consuming 400W or is not on all the time or he's not quoted the correct rate or there aren't about 30 days in a month, then there's nothing for you to dispute. The most plausable attack on his claim would be if the power supply did not consume enegy at a constant rate of 400W - I don't know enough about the matter to comment on that part.
Most of the devices you quoted, especially the washer, and dryer, are rarely on.
Because the entire point of digital signatures in encryption is making sure that a particular message is authentic.
Under DNS and plain old TCP traffic, anyone who has access to the network (and whatever other conditions are necessary for spoofing, I'm not sure what they are) can send you a message and pretend to be someone else. Or they can man-in-the-middle you and change the information as it passes through. The system simply doesn't prevent this in general. So in order to be sure the reply hasn't been tampered with, it is digitally signed by the sender using the sender's private key. The corresponding public key, which one would hope is well-known ahead of time and not replaced by the attacker, will decrypt and verify the signature if and only if the message was indeed signed using that private key.
So yes, anyone who could mess with your traffic before can still do that now, but the difference is that they cannot sign the messages without the private key. When you receive a forged DNSSec reply it will be immediately obvious that the signature is lacking or does not check out, and your machine will not trust it. The man in the middle can forward modified replies to you, yes, and perhaps instigate some sort of DoS to prevent you from receiving the proper responses, but at worst your machine will act as if it had not received any reply rather than trust a bad response. In TCP, SSL provides the equivalent protection (well, more, since it also actually encrypts the message rather than just sign it. I don't know enough about DNSSec to make an accurate comparison.)
Wikipedia has some good information about cryptography but it's all pretty dense on first read. You could try some of the links, I'm sure there are plenty of primers out there.
Agreed. I didn't realize how important this is until I had a discussion with some guys in my networking class, and the consensus was conduit carrying cat6 to a patch panel. This has quickly risen to the number one feature I will look at when I reach the point in my life when I'll be buying a house - probably above indoor plumbing and having a roof.
I recently installed Beryl and played around with it for an hour or two, but won't have time to really learn how to use it for a while. One thing I'm wondering: Is it realistic at this stage to expect to be able to configure a 3d desktop environment to be just as responsive as a 2d environment? Obviously you can go nuts with all the plugins, but as fun as that is, latency is a major issue for me, even if it's just a difference of a few tenths of a second.
So what hardware are you running Beryl on, and how is the performance compared to standard KDE or Gnome? I have a sempron and a geforce 6200.
So, you mean the US government might want to take down a terrorist domain, and wouldn't mind nailing all of *.org while they're at it? Something tells me they don't want that kind of attention.
Right, I was amazed they considered Quake to be a violent game compared to GTA. Quake is all flames and gibs; GTA's the one that you might argue has the capacity to desensitize.
Why does requiring open source kill market opportunities? You do realize that open source does not equal free software, so when it says the source code needs to be publically available, that doesn't mean competitors are free to steal code for their own devices.
I don't know if I would classify copyright infringement under contract violation. I think technically speaking, contract violation is less severe. I remember a story where someone violated the GPL and tried to get the charges knocked down because he tried to get it interpretted not as unauthorized redistribution, but authorized redistribution without living up to contractual obligations.
IANAL, but there are two of them in the house right now, and they say there is definitely a distinction. You may have been speaking figuratively.
The legality of the Mickey Mouse Protection Act was challenged in Eldred v. Ashcroft, in which the majority of the justices decided it's okay to allow copyright terms to grow indefinitely and at a faster pace than the passage of time.
If you already have the worm, as far as I'm concerned you've already lost the battle. Yes, I know there's a whole science of security devoted to recovering from breaches rather than just preventing them, but I don't find that part as fun. ;)
But the other point you mentioned is exactly the fallacy I mentioned above: If you have the service there because you wanted it there, as opposed to it being there by default or because another user installed it or because your machine has already been compromised, then you do not want to use a firewall to restrict access. If you don't want the service accessible, then you can just disable it on the host and leave the network out of it. It seems that all the firewall does is help centralize administration - of course I'm not denying that that's a benefit, I just don't see it as the panacea people seem to claim it is.
> "Because you were the first incompetent boob to come along."
The "obvious reply" I was referring to was a loaded "M$ is shit, why would you even need to exert effort to own windoze boxes" or some variant thereof, and I was shocked because I'm normally several hours late in coming to these discussions so I figured someone would've made the obligatory two-liner rant by now.
> "There is a HUGE, obvious difference between a zero day exploit spreading from computer to computer and millions of PC's getting an exploit at the same time because they were set to automatically download updates from Windows Update."
Worhol worms anyone? I don't see why a good piece of malware exploiting a common but unknown vulnerability would be much different.
> "Or did you stop to consider the fact that basic security will keep you from being infected by a zero day exploit?"
Basic security? You mean unplugging the system? Yes, that has not escaped me. But when you choose to run a machine without isolating yourself from the rest of the world, there are compromises you must make. If you're going to run a web server, you are accepting the risk that there may be a zero day in that software. Basic security will not protect you, because basic security presumes or prays for the integrity of some necessary services.
> "A firewall will act as a barrier between your PC and a worm. A firewall will do jack to stop a PC from getting an exploit through Windows Update."
How will a firewall protect you from a buffer overrun?
On a sidenote: What good is a firewall when the network administrator and computer user are the same person?
It has always been my understanding that a firewall is nothing more than a series of rules for denying connections; please correct me if I'm mistaken. In the case of incoming connections, I have never understood the purpose of the firewall in non-corporate situations. So you don't block port 1234 incoming - how does that suddenly make you vulnerable if you're not running any services on that port? Someone will try to connect and the OS will just refuse it, big whoop. And if you do have a service on 1234, you would presumably like to keep it accessible. Either you have something running that's accessible to the public or you don't, but in neither case does a firewall assist you.
Everytime I ask that question the reply I get is "well it can't hurt to be safe", which is akin to writing the same assignment operation in a programming language over and over again, in case the computer didn't deterministically execute the first one for some reason.
You say a firewall will protect you from worms. So will taking a sledgehammer to your router. In either case you're denying the outside world access to your machine. By the same logic, a firewall can protect your machine from exploits via windows update: simply block the outgoing connection to MS's servers. Why not? We seem to be in the practice of cutting off the nose to spite the face (you may replace this with a more appropriate analogy at will).
I'm sure it is, as well as plenty of other package systems. But you could make the same argument about all of open source. When's the last time you read a thousand-line make file line-by-line and verified that its author wasn't an Underhanded C Contest champion?
I guess the difference is that securing DNS is more fundemental problem than the integrity of individual applications or update systems.
I thought the root DNS servers only hold TLDs, and individual second-level domains were stored in Verisign and company's servers.
Is that much worse than NYCL describing his own cases in the third person?
;))
(No offense NYCL, if you're reading, although I doubt gaming's your thing
Putting the content of your
entire post on multiple short
lines makes it kind of read
like a poem. Not capitalizing
the word "I" makes me think
of e.e. cummings.
I am absolutely shocked that no one has given the obvious reply, seeing as how this is slashdot.
You can already take over every microsoft computer in the world. All it takes is a zero day exploit. How exactly is a spam botnet fundementally different from a botnet controlled by the US Government?
The security of encryption keys is only a concern when the security of the rest of the system is not in quesiton.
Under that system, if new ccTLDs are added, it will force an update to all DNSSec users. This may be acceptible though.
The master key is trusted by all and signs every TLD and ccTLD, right? Does this key expire after a set number of years? If so, how is replacement handled, especially for systems that may be offline for long periods of times? Just wondering.
> "you can MitM and actually send forged DNS entries back to the client"
Er, no, that's what DNSSec prevents. Just as SSL stops man in the middle attacks for normal TCP traffic, DNSSec makes sure the domain query responses are authentic. The man in the middle doesn't have the key and cannot sign his forged response; he can only forward legitimate responses.
I don't see how. If the major labels went DRM free, that would essentially blow the market towards unencumbered music. Apple would lose a lot of marketshare if it didn't jump on the bandwagon. So long as the labels keep DRM, iTunes will, and if the labels decided against it, iTunes will follow, regardless of Jobs' preferences.
Gentoo is all about choice. In this case, you choose to overwrite your partitions with /dev/urandom. While that may be fine for newcommers, power-users appreciate the satisfaction that comes from catting /dev/random and manually moving the mouse to generate entropy until every gigabyte is nuked. You already took the time to compile your system from scratch in step 1; when it's time to give up in step 2, you'll want to make sure you demonstrate that same dedication to slowly acheived perfection.
Er, guess I shouldn't be a hypocrite. That one and this one are both "related to grammar or spelling mistakes" as well.
I am now officially disgusted at this thread because every single post in it except for this one and the first one are, at the time of my posting, related to grammar or spelling mistakes in the summary.
I like your analogy, but the problem with it (from my perspective) is that human psychology is incredibly complicated and any attempt to describe it is necessarily a vast simplification, whereas with software and networks it is possible to create models that are unambiguously superior.
But you are correct in that the ideal model isn't a requirement for a productive system. It's just that it seemed like the parent poster was caught in an infinitly incremental, good-enough mindset, which I object to.
> "The only benefit of a DNS trail is to allow rich corporations to audit the queries and optimize them in their favor."
So a secure DNS system does not help protect us from forged DNS responses? What exactly is your reasoning behind that? And what do you mean by optimizing queries in their favor? This is starting to sound like a Net Neutrality debate.
You're worried that if there's a DNS trail to follow, anonymity will vanish? Unless you regularly engage in DNS spoofing to trick people into confusing your identity with someone else's, I think you're already screwed by virtue of the fact that everyone you communicate with has your IP address.
So what in hell does DNS have to do with personal accountability?
Why push solutions no one wants? Because they're good solutions to worthy problems. Because they're better than what we have. Because to not push them would offend technological common sense. If no one wants them then that doesn't mean they are inferior solutions; it could just as easily mean that people do not understand the problem.
I believe there was a quote by a president who commented on the telephone, that went along the lines of, "It's a marvelous invention, but who would ever want one?"