Slashdot Mirror


User: AJH16

AJH16's activity in the archive.

Stories
0
Comments
971

Comments · 971

  1. You are mistaken. Security is not something you know, have or are. That's authentication. An HSM has nothing to do with authentication. It is key management and secure storage. Your understanding of how an HSM is used is also mistaken. The idea with an HSM is that it does all encryption and decryption operations without ever releasing the key and takes care of requiring proper authorization before performing decryption operations.

    When initially configuring an HSM, a key should be created and backed up in a secure manner. The key should be encrypted by one or more additional keys, and these keys and the final version of the encrypted key should be sent to multiple different secure sites (one key per site). Some redundancy should also be done in case one of the sites is destroyed, and each site should only have one key so that all the pieces must be compromised for the key to be compromised.

    The final, unencrypted key is loaded into the HSM. While the server is running, the HSM is authorized from the boot to perform decryption operations. This can be done via a network boot or by direct action when the server boots (the latter is more secure but more of a pain). Thus, a running server has access to the HSM and can operate on the data. However, if the server is stolen, the credentials must be entered to unlock the HSM and access the data (credentials which are unavailable), thus the only option is to try and break into the HSM. Since the hardware is tamper resistant, any mistake will result in the keys being cleared, and the encrypted data is protected unless it can be brute forced (effectively impossible as far as we know). If the server is recovered, the backup keys are accessed, the original key is decrypted and reloaded on the HSM, and all is back to normal.
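The backup scheme described in comment 1 (a master key wrapped under several independent keys, each piece held at a different site, so that every site must be breached to recover it), worked through as an added example. This is not the commenter's code and not any HSM vendor's API: the `wrap`/`unwrap` cipher is an HMAC-SHA256 encrypt-then-MAC stand-in used so the script runs on the Python standard library alone (a real deployment would use the HSM's own key-wrap, e.g. AES key wrap), and the number of sites is an assumed parameter. The last two functions go beyond the comment's literal scheme: an all-or-nothing onion loses the backup if any one site is destroyed, and Shamir k-of-n threshold sharing is the usual way to get both "one piece per site" and survival of a lost site.

```python
import hashlib
import hmac
import secrets

KEY_LEN = 32    # 256-bit master key (assumed)
NONCE_LEN = 16
TAG_LEN = 32    # HMAC-SHA256 tag
P = 2**521 - 1  # Mersenne prime; a 32-byte key is a single field element


def _keystream(wrap_key: bytes, nonce: bytes, length: int) -> bytes:
    """CTR-style keystream: HMAC-SHA256(wrap_key, nonce || counter)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(wrap_key, nonce + counter.to_bytes(4, "big"),
                        hashlib.sha256).digest()
        counter += 1
    return out[:length]


def wrap(plain: bytes, wrap_key: bytes) -> bytes:
    """Encrypt-then-MAC stand-in for a real key-wrap: nonce || ct || tag."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(a ^ b for a, b in zip(plain, _keystream(wrap_key, nonce, len(plain))))
    tag = hmac.new(wrap_key, b"wrap" + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unwrap(blob: bytes, wrap_key: bytes) -> bytes:
    """Check the tag before touching the ciphertext; a wrong key fails closed."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expect = hmac.new(wrap_key, b"wrap" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expect):
        raise ValueError("wrapping key does not match this blob")
    return bytes(a ^ b for a, b in zip(ct, _keystream(wrap_key, nonce, len(ct))))


def escrow(master_key: bytes, n_keys: int):
    """Wrap master_key under n_keys fresh, independent wrapping keys (an onion).
    Ship the blob to one site and each wrapping key to a different site: all
    n_keys + 1 sites must be breached to recover the master key."""
    wrapping_keys = [secrets.token_bytes(KEY_LEN) for _ in range(n_keys)]
    blob = master_key
    for wk in wrapping_keys:
        blob = wrap(blob, wk)
    return blob, wrapping_keys


def recover(blob: bytes, wrapping_keys) -> bytes:
    """Peel the layers in reverse order to reload the key into a replacement HSM."""
    for wk in reversed(wrapping_keys):
        blob = unwrap(blob, wk)
    return blob


def escrow_requires_every_share(master_key: bytes, n_keys: int = 3) -> bool:
    """True when full recovery works and any single wrong share fails closed."""
    blob, wks = escrow(master_key, n_keys)
    if recover(blob, wks) != master_key:
        return False
    for i in range(n_keys):
        guessed = wks[:i] + [secrets.token_bytes(KEY_LEN)] + wks[i + 1:]
        try:
            recover(blob, guessed)
            return False          # a wrong key must never yield a key
        except ValueError:
            pass
    return True


# The onion above is all-or-nothing: losing any one site loses the backup.
# Shamir k-of-n sharing over GF(P) tolerates destroyed sites while still
# keeping any k-1 sites from learning anything about the key.
def split_threshold(secret: bytes, k: int, n: int):
    """Return n shares (x, f(x)) of a random degree-(k-1) polynomial, f(0) = secret."""
    coeffs = [int.from_bytes(secret, "big")] + [secrets.randbelow(P) for _ in range(k - 1)]
    return [(x, sum(c * pow(x, i, P) for i, c in enumerate(coeffs)) % P)
            for x in range(1, n + 1)]


def combine_threshold(shares, length: int = KEY_LEN) -> bytes:
    """Lagrange-interpolate f(0) from at least k shares (fewer yields garbage)."""
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, -1, P)) % P
    return total.to_bytes(max(length, (total.bit_length() + 7) // 8), "big")


if __name__ == "__main__":
    key = secrets.token_bytes(KEY_LEN)
    print("onion escrow fails closed on any wrong share:", escrow_requires_every_share(key))
    shares = split_threshold(key, 3, 5)
    print("3-of-5 recovery:", combine_threshold(shares[1:4]) == key)
```

With the onion, the attacker who steals the server and one escrow site holds nothing usable; with 3-of-5 sharing, two sites can burn down and the key is still recoverable, while any two sites together still learn nothing.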

  2. While you are correct about the impact of anything currently running on the server, you are dead wrong about physical theft. An HSM should be hardened against picking the key out of it and should actually destroy the key if tampering is detected. Encryption on the server is still of limited benefit since the data key could probably be abused in most remote exploits on a running system, but for powered down security, such as physical breach, it is very significant, even if the chances of someone breaking in and stealing a server are generally much lower than a remote intrusion (though not as much as you might think since many attacks are internal).

  3. Re:No Shit on More Details Emerge On How the US Is Bugging Its European Allies · Score: 1

    Right, I'm just saying there is no moral grounds for him being some hero now. When it was exposing illegal surveillance outside the government's jurisdiction, there was perhaps a moral argument that he was doing the right thing, particularly since it could be difficult to make an argument that it truly hurt national security (since anyone that had a working brain would have already suspected that such things were possible).

    While I'm sure that there are countries that are thrilled at what he did revealing spying on US ally governments, it's normal and valid espionage activity, so any moral grounds go out the window. There is no moral imperative to turn traitor on your country (whatever country that may be) and leak information that your country trusted you with that has a damaging impact on them when they were doing nothing wrong.

  4. Re:No Shit on More Details Emerge On How the US Is Bugging Its European Allies · Score: 1

    He was a US citizen with a US security clearance leaking details of activities that are both valid national security activities and common (and legitimate) practice for all governments. This leak is a direct compromise of national security and doesn't have any moral grounds as a leak to expose wrong doing as there is no wrong doing being exposed.

  5. Re:No Shit on More Details Emerge On How the US Is Bugging Its European Allies · Score: 1

    Espionage is not an act of war, nor has it ever been. In fact, the penalties for spying in most countries differ specifically based on whether there is a war on or not. It's how countries make sure other countries are being honest with them, whether friend or enemy. It's also some of the most important information for getting at what countries actually want since the political sphere is all bullshit and positioning rather than actually getting things done.

  6. Re:No Shit on More Details Emerge On How the US Is Bugging Its European Allies · Score: 1

    I'm not sure how that is supposed to relate to my comment, but I don't disagree with you. Russia has absolutely no legal reason to hand over Snowden, though political reasons could still result in him being sent back. I don't think we have any right to blame Russia if they don't send him back though, but politicians have to act angry about it, just like European politicians have to act angry about us spying on them even though everyone knows that spying on allies is what makes allies work. How do you know you can trust another government if you don't know that they are telling you the truth by knowing things they don't know you know?

  7. Re: Surpassing Vista on Windows 8 Passes Vista, Hits 5.1% Market Share · Score: 2

    Android isn't a desktop OS, nor is it intended to be. It is designed specifically for high levels of process isolation and low power consumption. These are the opposite of what you want on a desktop, where you are looking for power and interoperability. Windows 8 is a huge misstep driven by trying to compete with the vertically integrated dominance that is making Apple so much money. Metro is simply a move to push Windows Market on the world that is failing. If it wasn't for Metro, Windows 8 is actually a very nice step up from Windows 7. If MS realises that Metro isn't the way to get the vertical integration they are looking for, there is still lots of hope for them. They do need to see the error of their ways though.

  8. Re: Surpassing Vista on Windows 8 Passes Vista, Hits 5.1% Market Share · Score: 3, Insightful

    That's testing rather than writing code and a Surface Pro isn't really a tablet, it's a laptop pretending to be a tablet. It has an actual full fledged OS on it and runs x86. You could also accomplish the same with a touch screen monitor on a much more powerful desktop that would build faster and give more area to work on your code in. Don't get me wrong, not saying tablets don't have their uses, but they are substandard for many, many activities.

  9. Re:No Shit on More Details Emerge On How the US Is Bugging Its European Allies · Score: 4, Insightful

    It's only illegal if it is against the law... You do realize that espionage is ALWAYS illegal in the country being spied on, right? That doesn't make it illegal in the country doing the spying. It makes it a valid portion of the government's job. Spying has been a part of international relations since, well, when did people first make countries again? It isn't illegal and it isn't going to change any time soon. It's certainly not good for relations when it gets exposed, but everyone really is doing it. If you think that this is A) news or B) a valid leak that has any possible purpose other than to hurt the US, then you are sadly ignorant of the realities of the intelligence community for the last forever.

  10. Re: Surpassing Vista on Windows 8 Passes Vista, Hits 5.1% Market Share · Score: 3, Insightful

    Let me know how writing code or actual real letters goes on your smartphone or tablet. The desktop market isn't going away, it just won't move as many machines (since they last longer now).

  11. Re:not having read TFA on ICANN Working Group Seeks To Kill WHOIS · Score: 1

    While I'm not sure it is relevant to the article, I do agree with you that private registrations are bothersome, though I know I personally don't ever completely trust a site with a private registration. I intentionally leave WHOIS open for the world to see on my sites, but then again, you can actually find my details on the About pages of most of them without even having to go to WHOIS. Anonymity on the web is more or less a myth anyway. A determined attacker can figure out who you are unless you take lots of special precautions, so why not make your info available to those who might actually have legit uses for it too?

  12. Re:Thank Edward Snowden on Chinese Media Calls For Boycott of Cisco · Score: 4, Interesting

    This has nothing to do with Snowden. This has everything to do with backlash against the US for blocking use of backdoored Chinese hardware in our networks. Since we blocked them from selling to us, they are trying to match the move by blocking us from selling networking gear to them, regardless of whether there is a back door or not. It's tit for tat, nothing more.

  13. Re:Video articles on How Ubiquitous Autonomous Cars Could Affect Society (Video) · Score: 1

    It's worth noting that if you are good at public speaking, you should also be good at writing via stream of consciousness. Thus, it shouldn't take that much longer to prepare a written work than to have a similar quality oral presentation. Sure, a typical typist may only be 40 to 100 words a minute, but this is still not THAT much slower than the 160 words per minute that can be spoken. It is also far less mistake prone as you can go back and correct yourself.

  14. Re:Don't Do The Dig ... on Canadian Couple Charged $5k For Finding 400-Year-Old Skeleton · Score: 2

    Does the law allow you to simply abandon the project? I thought it simply didn't allow the project to continue unless you removed the historical artifacts from the land. You don't technically have to spend more, but it could cause the project to be a loss up to that point.

  15. Re:Duh, they are a publisher on MS To Indie Devs: You Have a To Have a Publisher · Score: 1

    Still, lying about it rather than advertising your intent to abuse consumers is sane behavior. I didn't say Sony's any better, and I don't trust them as far as I can throw them, but MS saying to consumers' faces "hey, we want to screw you over in every way we possibly can. Please buy our product, you'll like it." isn't exactly sane. Truth, unfortunately, hasn't been in advertising for some time.

  16. Re:Duh, they are a publisher on MS To Indie Devs: You Have a To Have a Publisher · Score: 3, Funny

    Or they are simply acting sanely.

  17. Re:Of course. on Snowden Is Lying, Say House Intelligence Committee Leaders · Score: 1

    1) A little, but mostly
    2) That's exactly what I'm saying. We need to focus on this part of the issue, not throw around numbers that don't make a strong case and act like they do. I wholeheartedly agree that the reasons we incarcerate people are an issue we need to work on addressing as well as focusing on reforming rather than simply locking away.

  18. Re: Valid big conclusion, useless article. on To Hack Back Or Not To Hack Back? · Score: 1

    You are confusing two different types of malware. There are adware and destructive viruses, which generally make a system obviously compromised, but spying software and bot nodes want to remain hidden. They try to avoid detection, which includes in many cases trying to avoid messing with the user experience. Counter-hacking them, on the other hand, and, say, wiping out their machine is going to be rather obvious. You might get lucky and they just assume it is broken and replace it, or they might actually bring it to be fixed to someone who, I don't know, has a clue, and then you could be in hot water. They might not find out, but is staking your freedom (or at the very least risking a civil suit) really worth it?

  19. Re:Of course. on Snowden Is Lying, Say House Intelligence Committee Leaders · Score: 0

    Your comparison of the US as worse than North Korea was a blatant attempt to abuse statistics to support your point through sensationalism rather than RATIONAL facts. Yes, you stated facts, but facts applied without reason aren't useful. You rely on sensationalism instead of making a strong argument for your case. Note, I agree with you that absent some strong evidence as to why there is an actual large threat to national security (which has yet to be presented), there is no reason the collection of information should have been secret in the first place. That doesn't mean I need to make poor comparisons of America to Nazi Germany or North Korea. Neither is accurate (yet). We do need to be vigilant to make sure it doesn't go there, but when you make sensational claims, they only inflame people in whichever way they were already leaning and cause more of a problem rather than contributing towards a solution.

  20. Re:Of course. on Snowden Is Lying, Say House Intelligence Committee Leaders · Score: 1

    Your argument doesn't make any sense. Snowden ALSO worked for the intelligence community. He's just as likely to lie for a living as the rest of them are. It isn't like the magical intelligence fairy just came and dropped it in his lap. He was working in the intelligence community for years. Not saying that makes him credible or not, but it has to apply equally to both parties.

  21. Re:Of course. on Snowden Is Lying, Say House Intelligence Committee Leaders · Score: 0

    The North Korea comparison is complete and total BS. North Korea only has 24.45 million people. That's more than 1 in 22 people in prison. The US meanwhile has 313.9 million people. Almost 2 million people in prison (less than 1 in 150) doesn't even begin to approach the scale of imprisonment in North Korea.

    I'm all for arguments against government waste and erosion of privacy, but let's at least stick to valid, rational arguments that are actually supported by facts for our claims.

  22. Re: Valid big conclusion, useless article. on To Hack Back Or Not To Hack Back? · Score: 1

    Yes, but most people are not going to take kindly to their system being attacked. If you can manage to just take out the bot software, then fine. If it hurts their system, though, you're probably looking at jail time.

  23. Valid big conclusion, useless article. on To Hack Back Or Not To Hack Back? · Score: 3, Insightful

    While hacking back is generally a bad idea for a variety of reasons (such as, it's most likely an innocent user's computer being used as a bot), the article was a monstrosity of uselessness. An individual back hacking a Chinese government hacker isn't going to start cyber world war 3 and the entire notion that it would is stupid. The reasoning for why you don't back hack is completely invalid. It's simply a matter of not being worth it. Most attacks are going to happen through bots and wiping out the bots is just going to hurt innocents and possibly destroy evidence.

  24. Re:Planetary defense network on International Linear Collider Design Ready To Go · Score: 1

    No, no, silly. Everyone knows Ion Cannons go IN space. How else can you blast NOD on the ground?

  25. Re:It is all software, really on Sony's PS4 To Have Less Stringent DRM Than Microsoft's Xbox One · Score: 1

    And your new games won't work. Kind of like how they didn't force people to give up OtherOS, you just couldn't watch new movies or play new games.