Yeah, I thought it was talking about a dongle when I read the title. Luckily my /. bias reflex took control as adrenaline surged through my body, and I summoned the required sentiment of nausea mixed with loathing. I've been trained well.
Yep, Tremulous is pretty good once you get used to it.
Actually, the balance is god awful. The game feels like it's slanted against you regardless of the team you choose; matches regularly go to sudden death before they can even begin to be decided, making the first half hour of the game moot; and development is virtually invisible to most of the community and may have stagnated for all I know. So it's more like once you go through this initiation and begin to accept these facts, you may want to leave and save your soul, but you just can't abandon all the time you spent learning how to play.
It's not too late for you to save yourselves, Slashdotters. The world is burning. Run.
Ah, but you're forgetting that fragmenting into different formats reduces competition between manufacturers for each format individually. If half the companies choose HDDVD and half choose Blu-ray, that's less competition and less choice over what device you can play your movie on, if your movie is only offered in one format or the other.
I don't understand why the player would have to take any active action on its part to revoke a key. My understanding is that once a disc like Serenity is cracked, there is no reason to recall existing copies, as the digital data is already out there on the P2P nets. If you're trying to prevent the same discs from being ripped again by the same player, that's futile because the player is presumably not connected to the Internet (what kind of hacker would allow his success to be overwritten by firmware updates?) and it's not like you can plant homing devices on commercial media and arrest people who refuse to comply with a mandatory recall. All you can do is not allow that player key to decrypt all future title keys on all future discs, and thanks to the broadcast encryption system that AACS uses, they shouldn't even have to update anyone else's player key to allow them continued legitimate access.
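The revocation mechanism described in the comment above, as an added illustration that is not part of the original post: a toy complete-subtree broadcast encryption scheme, the family of technique that AACS's media key block draws on. The tree depth, the HMAC-based node-key derivation, the master secret and the 16-byte title key are all constructed for the demo and are not AACS's real parameters or format.

```python
# Added illustration of complete-subtree broadcast encryption: revoking one
# player's keys without re-keying any other player. Toy parameters only;
# not AACS's real MKB format, key sizes or tree depth.
import hashlib
import hmac

DEPTH = 3                                        # 2**DEPTH = 8 devices in the toy tree
MASTER = b"constructed-licensor-master-secret"   # known only to the licensor

def node_key(node: int) -> bytes:
    # The licensor derives every tree node's key from its master secret.
    return hmac.new(MASTER, node.to_bytes(4, "big"), hashlib.sha256).digest()

def leaf_id(device: int) -> int:
    # Heap numbering: root is 1, children of n are 2n and 2n+1,
    # so device d sits at leaf 2**DEPTH + d.
    return (1 << DEPTH) + device

def device_keys(device: int) -> dict:
    # At manufacture a player receives the keys of every node on its
    # root-to-leaf path (DEPTH + 1 keys). It never learns MASTER.
    keys, n = {}, leaf_id(device)
    while n >= 1:
        keys[n] = node_key(n)
        n //= 2
    return keys

def cover(revoked: set) -> list:
    # Maximal subtrees containing no revoked device. Every non-revoked
    # player lies under exactly one of them; a revoked player under none.
    found = []

    def walk(n: int, depth: int) -> None:
        lo = n << (DEPTH - depth)             # first leaf below n
        hi = lo + (1 << (DEPTH - depth))      # one past the last leaf below n
        if not any(lo <= leaf_id(r) < hi for r in revoked):
            found.append(n)
            return
        if depth < DEPTH:                     # a revoked leaf is inside: split
            walk(2 * n, depth + 1)
            walk(2 * n + 1, depth + 1)

    walk(1, 0)
    return found

def wrap(key: bytes, secret: bytes) -> bytes:
    # Toy key wrap: XOR with a hash-derived pad (secret must be <= 32 bytes).
    pad = hashlib.sha256(key).digest()
    return bytes(a ^ b for a, b in zip(secret, pad))

def make_mkb(title_key: bytes, revoked: set) -> list:
    # The disc carries the title key wrapped under each cover node's key.
    # A new revocation only changes this block on future discs.
    return [(n, wrap(node_key(n), title_key)) for n in cover(revoked)]

def player_decrypt(mkb: list, keys: dict):
    # A player unwraps with whichever cover node lies on its own path.
    for n, blob in mkb:
        if n in keys:
            return wrap(keys[n], blob)
    return None                               # revoked: no usable entry

if __name__ == "__main__":
    tk = bytes(range(16))                     # constructed title key
    mkb = make_mkb(tk, revoked={3})           # player 3 was compromised
    for d in range(1 << DEPTH):
        print(d, player_decrypt(mkb, device_keys(d)) == tk)
```

Revoking player 3 turns the single root entry into three entries (nodes 4, 10 and 3); players 0 to 2 and 4 to 7 still decrypt with keys they already held, and player 3 finds no entry on its path.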
Question: Assuming that certs and domain registration were tied together, what damage could DNS spoofing do to the integrity of this system? It would seem to be immune to that problem, but I don't know enough about this to be sure.
Good point. I was assuming that it would be a reasonable expense, but if banks don't lose too much from fraud then it may not be. I suppose one could start to imagine various centralized systems for distributing multi-purpose crypto tokens - for example, turning your driver's license into a smartcard. That way, the cost is one-time and it can be useful in many different private systems.
(US citizen here.) I was going to make a sarcastic response in your favor, but you used my closer - the fact that Americans like to forget the origins of the Statue of Liberty, and that we would not have won the Revolutionary War without French aid.
So instead I'll poorly imitate your accent and mock you for not having a word in your language for "Renaissance".
Seriously, I get pissed off when I read French bashing, or other egotistic crap from within the US. I also don't like the fact that I as a citizen am implicitly included in retorts directed at this country as a whole, but there's not much I can do about that unless I want to buy Sealand.
I've gathered bits and pieces about this kind of thing from various sources over a long period of time, but is there anyone who can just lay it all out at once for me?
The Internet, unless it is a series of tubes (I got that joke out of the way, so you can just save it for another thread), is a network of fiber optic cable and a few other physical and link layer mediums, that are all accessible via IP. But the backbones, and the networks they provide service to, are all privatized, aren't they? So who mandates that a particular network obeys the rules of the internet? That is, how do you stop some ISP from usurping globally addressable IPs that are designated as belonging to someone else? And add any other protocol requirements you can think of to the problem - In a global network, how do you stop one rogue from damaging the integrity of the system? Is it enforced via the contract each ISP has with its ISP, all the way up to the backbone? How do different backbones cooperate?
I guess the IP interoperability part is the difficult part. DNS isn't anywhere near as important by comparison, but I assume that a similar set of rules govern that system as well?
Essentially, it's the details of how this unregulated network survives that confuses me.
> "But if the client's only point of interaction with the bank is through a single computer, that computer must be trusted. I don't see how you could have a secure system if that only point of interaction is compromised."
Simple: don't trust that computer. Home computers are general-purpose machines and very few of them are highly secured. A specialized, embedded device with a private key sounds much more trustworthy, and you could still use the untrusted home computer to transmit the resulting encrypted+signed message over the Internet.
> "I watch the video and it sounds like a lot of PR talk and buzzwords to me."
I couldn't watch the video because I'm on a crappy hotel connection. (Although I will say that this chain (Courtyard Marriott) is the only one I know of that doesn't charge you for said crappy connection. Being billed several dollars a day for crappy DSL speeds ranks high on my Grand List of Suck, since it undermines the idea of Internet as a ubiquitous utility.)
> "At the end of the day, assuming the computers and networks between you and the credit union are secure (they're not, but let's forget that), the only problem they have is to make sure you're Mr. John Doe, legitimate holder of the account you're trying to access ("who you are"). Period. All that matrix and multi-identification stuff is just a variation on the same theme."
First of all, you never need to assume that the connection between you and the credit union is secure - that's what SSL is for, correct? The much bigger problem is that the host machine itself is often insecure, and if that's the case then protecting the connection doesn't help you. Second, it's not enough to make sure that you're John Doe; they should make sure that the transaction they're processing is the one that you requested. There are probably other concerns as well that I can't think of. You are right in that the multi-identification they use is all essentially the same thing.
I am glad that they described this system in one of TFAs as merely adding an additional layer of security, rather than as a panacea. But they still seemed a bit too proud of themselves for such a simple "solution". And they are downright incorrect to call the matrix system "Something you have" instead of "Something you know". If it were the case that the matrix could not be reproduced by someone else, then they could argue that they've added a significant additional layer. But as it is, they just added another hoop for the malware writers to jump through.
> "Up to now, "what you know" (a password) was assumed to be representative of "who you are", with the single point of failure that someone else might be able to know what you know as well (being your password that's too simple, or someone looking over your shoulder while you type in the password). This was a reasonable assumption because you can't separate someone with this someone's knowledge."
I feel obligated to say it and pretend that I'm clever, so I will. "A fool, and his password are soon parted..."
> "If they want to do better than that, they'll have to use biometrics (DNA analysis, fingerprinting, iris scanning, etc...) or some sort of permanent electronic tagging (RFID implant). That's plain as day. So if your credit union isn't providing you a fingerprint scanner or telling you to go to your local vet to get a RFID implanted, you can safely assume that their new ultra-super-duper solutions are a variation of what's already been implemented before, perhaps a little better, perhaps not, but definitely a lot of PR fluff."
Woah, hold on there. Adding "Something you are" to the system, via biometrics, RFID, or whatever, won't address the issue. First of all, it might be forgeable all the same - the attacker would just have to physically meet the person at some point. Second, these systems would require physical presence to verify (how else would you be able to check someone's DNA?), so if you want to bring people the convenience of home-banking, then the bank is necessarily trusting whatever the (to them remote) verifier device is. Third, that would only address authentication, not authenticity. That is, even if we assume that we have some method of securely sending my fingerprint image to the server without it being copied, that doesn't stop malware from changing the transaction, or my password, once the session has been authenticated.
For proving the customer's identity, instead of embedding RFID chips under the skin, you could just give them a tamper-resistant secure token that held a private key, o
Yes, but that's easily circumvented by taking a screenshot when the mouse is clicked. The bottom line is that if you're using a compromised machine to do your banking, security is a depressing exercise in futility, where you can only stall by finding more and more complicated and obscure solutions.
A sequence of security codes would help a bit if they were not all stored on the compromised host, i.e. your paper statement suggestion. But the malware could also modify your session after you authenticate, so you could log in to transfer $50 and end up closing all your accounts without realizing it. The same problem is true of hardware tokens unless there's a display device on there and the commands are signed - that is, the token can't just be for authentication.
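The distinction drawn in the comment above (a token that only authenticates versus one with its own display that signs the command), as an added illustration that is not part of the original post. A shared HMAC key stands in for the token's private key here; that is a simplification, since a real token would hold an asymmetric key so the bank never stores the secret. The account numbers, amounts and challenge are constructed.

```python
# Added illustration: a token that signs the transaction it displays defeats
# session tampering that a login-only token cannot. Toy model: a shared HMAC
# key stands in for the token's private key (assumption; a real token would
# hold an asymmetric key so the bank never stores the secret).
import hashlib
import hmac
import json

TOKEN_KEY = b"constructed-per-customer-token-secret"

def canonical(tx: dict) -> bytes:
    # Deterministic encoding so token and bank sign exactly the same bytes.
    return json.dumps(tx, sort_keys=True, separators=(",", ":")).encode()

def token_sign(tx: dict, customer_checks_display) -> bytes:
    # The token shows the transaction on ITS OWN screen; the customer approves
    # what the token shows, not what the (possibly infected) PC shows.
    if not customer_checks_display(tx):
        raise ValueError("customer rejected what the token displayed")
    return hmac.new(TOKEN_KEY, canonical(tx), hashlib.sha256).digest()

def bank_accepts_signed(tx: dict, sig: bytes) -> bool:
    # The bank recomputes the signature over the transaction it actually received.
    expected = hmac.new(TOKEN_KEY, canonical(tx), hashlib.sha256).digest()
    return hmac.compare_digest(expected, sig)

def login_otp(challenge: bytes) -> str:
    # Contrast: an authentication-only code proves "who you are" and nothing else.
    return hmac.new(TOKEN_KEY, challenge, hashlib.sha256).hexdigest()[:6]

INTENDED = {"from": "ACCT-0001", "to": "ACCT-0002", "amount": "50.00", "seq": 17}

def approves(tx: dict) -> bool:
    # What the customer verifies on the token's display.
    return tx["to"] == INTENDED["to"] and tx["amount"] == INTENDED["amount"]

def signed_flow(malware_edits: dict) -> bool:
    # PC builds the transaction, token displays and signs it, malware then
    # edits the copy sent to the bank. Returns whether the bank accepts it.
    sig = token_sign(INTENDED, approves)
    submitted = {**INTENDED, **malware_edits}
    return bank_accepts_signed(submitted, sig)

def login_only_flow(malware_edits: dict) -> dict:
    # PC logs in with a valid OTP; afterwards the bank trusts whatever the
    # session sends, so the edited transaction is what gets processed.
    challenge = b"constructed-login-challenge"
    sent = login_otp(challenge)        # PC relays the code the token displayed
    expected = login_otp(challenge)    # bank side
    if not hmac.compare_digest(sent, expected):
        raise PermissionError("login failed")
    submitted = {**INTENDED, **malware_edits}
    return submitted                   # accepted as-is: nothing binds OTP to it

if __name__ == "__main__":
    print("signed, untouched :", signed_flow({}))
    print("signed, redirected:", signed_flow({"to": "ACCT-9999"}))
    print("login-only, redirected ->", login_only_flow({"to": "ACCT-9999"})["to"])
```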
I would deeply like to read the testimony of the so-called expert, Mark Lounsbury, so I could see his exact wording, because that does indeed sound like an extraordinarily dumb thing for an expert to say. But then I have to keep in mind that, to most people, an expert is any man who can tell them that they should use one or more security features on their wireless router.
I tried googling Lounsbury for anything interesting, hoping to find other instances of dumb technical advice, but all I got was him drinking and driving while undercover, while his coworker photographed nude drunk women. (http://www.wtnh.com/Global/story.asp?S=594152) Of course, neither of these is as damaging to the public interest as allowing minors and nipples in the same room.
True. Now it might be interesting if we see a case where someone tried to argue "I thought it was legal because the RIAA encourages it," or alternatively, "The RIAA is sending mixed messages as to whether they consider file sharing to be a violation of their IP." Obligatory IANAL.
Does this mean we'll have a choice of boxes with better UIs? I hate having to go through several button presses in the menu to access the one and only feature I ever use (listings, sometimes filtering movies only). Worse, the remote has a rather slow repeat rate and a very cheap feel to the button presses. That alone makes me feel like I have to fight the box to watch TV.
Those commercials are indeed disgusting, as they represent the very worst in advertising (or at least, television advertising). Most advertisers seem to be willing to play by the rules of the game, taking care to not actively piss off the viewer while communicating the message, image, or implication that they are being paid to. But these sleazy bastards decided to take the low road and squeeze as much name recognition as possible for the lowest buck, viewer sanity be damned.
Now it is possible that the Fuck Off commercials (I prefer to not contribute virally to their brand recognition) are highly effective on the typical potential customer. I would not know, as I am not a typical viewer. Low-budget commercials rank high on my list of pet peeves, but commercials that go out of their way to insult my intelligence or grate on my nerves are in a category of their own.
I tend to take this kind of abuse very seriously. Those cell-phone SMS service ads ("Want the hottest shit on your cell phone? Text 'shit' to 66666 for the crappiest, most-overstated and worthless content you've ever paid for!") were so bad that I used to race for the remote and change the channel as fast as humanly possible. The same applied to one particularly bad night when all of the trade school ads repeated within the same commercial break, every commercial break. And this is no different.
Well actually, since the Fuck Off ad is so short, I don't have time to flip to another station, but that's not the point. I am specifically repelled from their product by their advertising campaign, and as a result I use sheer conscious willpower to prevent myself from ever even considering buying it - not that I can imagine having a need for it anyway. I only wish the rest of their customer base was that principled.
Also, am I the only one who thinks that the best smartass retort is, in a good Kurtwood Smith voice, "In a minute, my Foot will be applied directly up your ass!"?
Well, if the system can pass a rigorous Turing Test and functionally replace you in all your roles, that may mean that you never even died. Either that or your life was so predictable and monotonous that a machine could live it for you.
You know what's really, really sad. I took you seriously and was in the middle of posting a response before I saw that you were modded Funny and smacked myself.
I don't agree about the centralization part, but I certainly think DNS could be vastly improved in other important ways. If we could redesign DNS from the start, I would like to add more hierarchical levels, along with support for choosing/merging different namespaces. Since I'm not an expert at this, I'm probably being a bit imprecise in my terminology, but I'll try to clarify.
A while ago, I got curious as to how DNS worked, and was mildly interested in adding a .local TLD specific to my LAN. I could have just added all my host names on my network to each machine's /etc/hosts file, but that's an inelegant solution and the point of this was to be moderately elegant. I could have just turned one machine on the network into a nameserver, have it handle .local requests, and forward all others up the chain to a real DNS server, but that carried with it the problem that it was a single point of failure (where failure is "Oops, I forgot to turn the server on") for normal, real DNS requests, and that was unacceptable.
Ideally, I wanted the resolver on the clients to work by trying the first nameserver in its list and seeing if that one supported .local. If not, it would go on to the next, and so on. In that way, I could make the first nameserver in the list my own and modify the listings on that one server to control DNS over my whole LAN, while defaulting to the real nameservers for everything else. But the resolver doesn't work that way. It only goes on to the next nameserver in the list if the one it tries is actually not responding.
It's really the same problem as trying to use one of those alternative root nameservers (which I briefly investigated, until I realized they were all crappy networks that were abandoned years ago). DNS does not lend itself to merging namespaces, or giving control to the end systems over that kind of thing. (Hmm, I guess that really is a matter of "centralization" then. I take back what I said at the beginning.)
Anyway, more relevant to this conversation: I would like to see a much more structured namespace than the crap that is today's TLDs. The problem is that things like .com, .net, and .xxx are global entities when they really shouldn't be, since it fails to categorize them according to jurisdiction and can cause them to conflict with totally unrelated and geographically displaced entities. I think it would be preferable to eliminate all TLDs and use nothing but country codes (Of course I realize this is unrealistic, I'm not an idiot.). Then you could make the first subdomain of the country code indicate its purpose, subject to the jurisdiction and interpretation of the people of that country. Suddenly, what qualifies as obscene, or non-commercial, or personal, is no longer an international political crisis.
The price would be slightly longer domain names, but I think some sort of aliasing system that could be set to one country code by default might help. I dunno, I think that should be an after-thought.
I apologize if my thoughts are a bit jumbled, I'm rushing to get to bed at a reasonable hour tonight.
> Why should I need to have random packets going out and back when I'm not doing anything on the net? > See, the problem is that for our "convenience" the internet world has become infinitely obfuscated [...]
The internet is no longer a tool for limited, discrete, and specialized purposes. It is an integral part of the computing experience, and will continue to grow more so for quite some time. The problem is that you are assuming that all connections on the lowest levels that are not a direct result of an action on your part are malicious or dubious at best. But however much you want to make that assumption, however much you would like to be able to group all the bad traffic under the category of Things I Don't Remember Authorizing, it just cannot work that way. Advertising, spyware, and other corporate interests do add bloat to your system and your network usage, but do not make the mistake of blaming them for the pervasiveness of the Internet. Honestly, I don't even understand why you consider a pervasive Internet to be a bad thing, so long as the intent of the traffic is in your interests.
Absolutely. Conceptually speaking, it's laughable how easy it would be to compromise a Nix system. When's the last time you read through a thousand line makefile that was shipped with an app you've never heard of before? Just a couple lines in there can compromise your user account. On a desktop machine, it's pretty unlikely that you're paranoid enough with your root password to never elevate your privileges with su or the window manager even once.
Open source can be pretty dangerous, as far as package management and mirrors go.
> #1. Worms - if you don't have any open ports, then you're pretty much immune to worms (unless they can crack basic TCP/IP operations). Ubuntu ships BY DEFAULT with no open ports. Windows ships with lots of open ports. Change that behaviour and you've solved an entire CLASS of attacks.
Can you elaborate on this? I ask because I've always been confused by the nature of firewalls and open ports. I never understood why there is ever a need to "block" a port, if nothing on the host is ever listening in the first place. I can understand why you might want to block ports on a network firewall to stop people from using certain applications within your network. But assuming that your machine is trusted and there are no insecure services on it, what is the harm of leaving those ports that are not in use alone?
If a random cracked machine tries to infect me by connecting to port 12345, but I have no software listening on it, the connection is dropped, correct? Just like it would be if a firewall rule prevented it. So when you say Windows ships with open ports, do you really mean that it ships with services/daemons that are listening on those ports? Otherwise what does having an open port even mean?
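The question in the comment above (what an "open port" actually means when nothing is listening), as an added illustration that is not part of the original post. It probes only the loopback interface of the machine it runs on, and the throwaway listener and the port numbers it picks are constructed for the demo; the three outcomes it distinguishes are the client-side view of a listener, of no listener, and of a firewall that drops the SYN.

```python
# Added illustration of what "open port" means on the wire: a listener
# completes the handshake, no listener gets an RST (connection refused), and
# only a firewall that silently drops the SYN produces a timeout. Loopback only.
import socket

def probe(host: str, port: int, timeout: float = 1.0) -> str:
    # Client-side classification of one TCP port.
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"                 # something is listening
    except ConnectionRefusedError:
        return "closed"               # host answered RST: no listener, no firewall
    except socket.timeout:
        return "filtered"             # nothing came back: the SYN was dropped
    except OSError as e:
        return "error:%s" % e.errno
    finally:
        s.close()

def listening_port() -> socket.socket:
    # Throwaway listener on an ephemeral loopback port (the "service/daemon").
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv

def unused_port() -> int:
    # Reserve and release an ephemeral port so that nothing listens on it.
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port

def demo() -> dict:
    # Same host, same stack, no firewall rule: only the presence of a
    # listener decides whether the port reads as open or closed.
    srv = listening_port()
    try:
        with_listener = probe("127.0.0.1", srv.getsockname()[1])
    finally:
        srv.close()
    without_listener = probe("127.0.0.1", unused_port())
    return {"listener": with_listener, "no_listener": without_listener}

if __name__ == "__main__":
    print(demo())
```

Without a listener the kernel answers with RST rather than silently dropping the packet, which is why the result reads "closed" and not "filtered"; a host-based firewall is what turns the latter case into a timeout.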
> If you cannot do it securely, then you should not do it.
Damnit, now I have to stop driving, talking, eating, and breathing. I wish I hadn't been told that.
On second thought, it's GPL'd. WAN party tonight!
> Do it now, before your politicians trade your dental plan for a keg of beer for their meetings.
"Canadians need rights."
"Dental plan!"
"Canadians need rights."
"Dental plan!"
Yes, but I believe blu-ray has additional measures besides AACS.
Correlation is not causation. Feel free to mod me down for pointing that out.
Oh, way to get my hopes up. I thought somebody was actually paying attention to me.
God, I'm so lonely.
I apologize, it is late at night.
I don't agree about the centralization part, but I certainly think DNS could be vastly improved in other important ways. If we could redesign DNS from the start, I would like to add more hierarchical levels, along with support for choosing/merging different namespaces. Since I'm not an expert at this, I'm probably being a bit imprecise in my terminology, but I'll try to clarify.
A while ago, I got curious as to how DNS worked, and was mildly interested in adding a .local TLD specific to my LAN. I could have just added all my host names on my network to each machine's /etc/hosts file, but that's an inelegant solution and the point of this was to be moderately elegant. I could have just turned one machine on the network into a nameserver, have it handle .local requests, and forward all others up the chain to a real DNS server, but that carried with it the problem that it was a single point of failure (where failure is "Oops, I forgot to turn the server on") for normal, real DNS requests, and that was unacceptable.
Ideally, I wanted the resolver on the clients to work by trying the first nameserver in its list and seeing if that one supported .local. If not, it would go on to the next, and so on. In that way, I could make the first nameserver in the list my own and modify the listings on that one server to control DNS over my whole LAN, while defaulting to the real nameservers for everything else. But the resolver doesn't work that way. It only goes on to the next nameserver in the list if the one it tries is actually not responding.
It's really the same problem as trying to use one of those alternative root nameservers (which I briefly investigated, until I realized they were all crappy networks that were abandoned years ago). DNS does not lend itself to merging namespaces, or giving control to the end systems over that kind of thing. (Hmm, I guess that really is a matter of "centralization" then. I take back what I said at the beginning.)
Anyway, more relevant to this conversation: I would like to see a much more structured namespace than the crap that is today's TLDs. The problem is that things like .com, .net, and .xxx are global entities when they really shouldn't be, since it fails to categorize them according to jurisdiction and can cause them to conflict with totally unrelated and geographically displaced entities. I think it would be preferable to eliminate all TLDs and use nothing but country codes (Of course I realize this is unrealistic, I'm not an idiot.). Then you could make the first subdomain of the country code indicate its purpose, subject to the jurisdiction and interpretation of the people of that country. Suddenly, what qualifies as obscene, or non-commercial, or personal, is no longer an international political crisis.
The price would be slightly longer domain names, but I think some sort of aliasing system that could be set to one country code by default might help. I dunno, I think that should be an after-thought.
I apologize if my thoughts are a bit jumbled, I'm rushing to get to bed at a reasonable hour tonight.
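The failover rule the poster ran into, as an added toy model (not the poster's setup and not any real resolver's code): each nameserver is a constructed function, and the host names and addresses are invented.

```python
# Added example: a toy model of stub-resolver failover. Each "nameserver" is a
# function that takes a name and returns ("NOERROR", ip), ("NXDOMAIN", None),
# or None to mean "no reply" (timeout). All names and addresses are constructed.

def lan_nameserver(name):
    """Constructed LAN server that only knows hosts under .local."""
    hosts = {"fileserver.local": "192.0.2.10", "desktop.local": "192.0.2.11"}
    if name in hosts:
        return ("NOERROR", hosts[name])
    return ("NXDOMAIN", None)        # a negative answer, but still an answer

def isp_nameserver(name):
    """Constructed upstream server that knows public names only."""
    public = {"example.com": "198.51.100.5"}
    if name in public:
        return ("NOERROR", public[name])
    return ("NXDOMAIN", None)

def dead_nameserver(name):
    """A server that is switched off: it never replies."""
    return None

def stub_resolve(name, nameservers):
    """Try servers in resolv.conf order. Any reply, including NXDOMAIN, ends
    the search; only a missing reply (timeout) moves on to the next server."""
    for server in nameservers:
        reply = server(name)
        if reply is None:
            continue                 # timeout: fall through to the next one
        return reply                 # positive or negative, this is final
    return ("TIMEOUT", None)         # nobody in the list answered

if __name__ == "__main__":
    order = [lan_nameserver, isp_nameserver]
    print(stub_resolve("fileserver.local", order))   # LAN server answers
    print(stub_resolve("example.com", order))        # LAN says NXDOMAIN; ISP never asked
    print(stub_resolve("example.com", [dead_nameserver, isp_nameserver]))  # falls through
```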
> Why should I need to have random packets going out and back when I'm not doing anything on the net?
> See, the problem is that for our "convenience" the internet world has become infinitely obfuscated [...]
The internet is no longer a tool for limited, discrete, and specialized purposes. It is an integral part of the computing experience, and will continue to grow more so for quite some time. The problem is that you are assuming that all connections on the lowest levels that are not a direct result of an action on your part are malicious or dubious at best. But however much you want to make that assumption, however much you would like to be able to group all the bad traffic under the category of Things I Don't Remember Authorizing, it just cannot work that way. Advertising, spyware, and other corporate interests do add bloat to your system and your network usage, but do not make the mistake of blaming them for the pervasiveness of the Internet. Honestly, I don't even understand why you consider a pervasive Internet to be a bad thing, so long as the intent of the traffic is in your interests.
Absolutely. Conceptually speaking, it's laughable how easy it would be to compromise a *nix system. When's the last time you read through a thousand-line makefile that was shipped with an app you've never heard of before? Just a couple lines in there can compromise your user account. On a desktop machine, it's pretty unlikely that you're paranoid enough with your root password to never elevate your privileges with su or the window manager even once.
Open source can be pretty dangerous, as far as package management and mirrors go.
> #1. Worms - if you don't have any open ports, then you're pretty much immune to worms (unless they can crack basic TCP/IP operations). Ubuntu ships BY DEFAULT with no open ports. Windows ships with lots of open ports. Change that behaviour and you've solved an entire CLASS of attacks.
Can you elaborate on this? I ask because I've always been confused by the nature of firewalls and open ports. I never understood why there is ever a need to "block" a port, if nothing on the host is ever listening in the first place. I can understand why you might want to block ports on a network firewall to stop people from using certain applications within your network. But assuming that your machine is trusted and there are no insecure services on it, what is the harm of leaving those ports that are not in use alone?
If a random cracked machine tries to infect me by connecting to port 12345, but I have no software listening on it, the connection is dropped, correct? Just like it would be if a firewall rule prevented it. So when you say Windows ships with open ports, do you really mean that it ships with services/daemons that are listening on those ports? Otherwise what does having an open port even mean?
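The three outcomes behind the question above, as an added example that is not the poster's code: a TCP connect to a port with no listener is refused outright by the kernel, a listening daemon accepts it, and only a firewall that silently drops packets produces a timeout. Everything runs on loopback with a port chosen at run time.

```python
# Added example: classify a port from the result of a plain connect().
# 'closed' means nothing is bound there (kernel answers with RST), 'open'
# means a listener completed the handshake, 'filtered' means no reply at
# all, which is what a dropping firewall rule looks like from outside.
import socket

def probe(host, port, timeout=1.0):
    """Return 'open', 'closed' or 'filtered' for host:port."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"              # a listener accepted the handshake
    except ConnectionRefusedError:
        return "closed"            # nothing listening: kernel sent RST
    except socket.timeout:
        return "filtered"          # silently dropped somewhere en route
    finally:
        s.close()

def free_loopback_port():
    """Ask the kernel for an unused loopback port, then release it."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port

def listener_demo():
    """Probe one port with nothing bound, then again with a listener on it."""
    port = free_loopback_port()
    without_service = probe("127.0.0.1", port)
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", port))
    srv.listen(1)                  # now a daemon-style listener exists
    with_service = probe("127.0.0.1", port)
    srv.close()
    return without_service, with_service

if __name__ == "__main__":
    print(listener_demo())  # ('closed', 'open')
```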
> If you cannot do it securely, then you should not do it.
Damnit, now I have to stop driving, talking, eating, and breathing. I wish I hadn't been told that.