Slashdot Mirror


User: WaffleMonster

WaffleMonster's activity in the archive.

Stories: 0
Comments: 4,185

Comments · 4,185

  1. Re: NTLM - the gift that keeps on giving on Stealing Windows Credentials Using Google Chrome (helpnetsecurity.com) · · Score: 1

    --Hey motherfucker, citation needed.

    https://www.harmj0y.net/blog/p...

  2. Re: NTLM - the gift that keeps on giving on Stealing Windows Credentials Using Google Chrome (helpnetsecurity.com) · · Score: 2

    Different AC here; what are some examples of authentication protocols that you consider secure?

    Any PAKE with a zero knowledge proof...e.g. SRP, JPAKE.
    https://en.wikipedia.org/wiki/...

    Specifically with regard to MS-CHAPv2 and Kerberos: to be secure it MUST NOT be possible to use material from authentication challenges or responses to conduct an offline brute force password guessing campaign, because the majority of user passwords are simply unable to withstand one.

    I consider an authentication protocol to be secure if it is able to meet all of the following requirements:

    1. Authenticating against an attacker places the user at zero risk.
    2. Mutual authentication... if login is successful it means trust relationship is bidirectional.
    3. Provides session keys for encrypting subsequent communication channel
    4. Secure against MITM
    5. Does not leak ANY knowledge that can be used for offline compromise

  3. Re: NTLM - the gift that keeps on giving on Stealing Windows Credentials Using Google Chrome (helpnetsecurity.com) · · Score: 1

    they've been using Kerberos since like 1999. NTLM is there for backwards compatibility

    KERBEROS IS NOT A SECURE AUTHENTICATION PROTOCOL.

    No, there is nothing wrong with my caps lock. I was intentionally shouting.

  4. NTLM - the gift that keeps on giving on Stealing Windows Credentials Using Google Chrome (helpnetsecurity.com) · · Score: 1

    I can't get over the fact that in 2017 Microsoft has yet to incorporate a single secure authentication protocol into any of its operating systems. They haven't even tried.

    It would be relatively trivial to select a PAKE and make it backwards compatible with existing NT hash databases. They just don't seem to care.

  5. I would say, when a bunch of cosmologists come up with a potential explanation - even an extraordinary one - there is at least a chance they are able to argue for a causal connection and a theory, whereas your lame put-down clearly isn't even meant to meet the same standards.

    I fail to see what renders "another bubble universe" substantially less constrainable of a concept for explaining the unexplained vs. "god" or "aliens".

    Personally I'm quite happy with my odds of going through life blindly labeling anyone who goes to the multiverse well to explain something they don't understand a fool. You could call me a short sighted buffoon and I could of course one day end up being wrong...

    Only problem is I can't seem to bring myself to give a flying ***** any more than I care to entertain stories of space aliens and permanent magnet anti-gravity free energy devices.

  6. Re:That's insane on BlackBerry Working With Automakers On Antivirus Tool For Your Car (reuters.com) · · Score: 2

    While you are undoubtedly correct, given how many times it has been demonstrated that cars are not currently secure, the fact is, cars do need this.

    What makes software safety different from other considerations?

    People wouldn't accept passenger cars filled with active fire suppression systems to work around defects that would otherwise cause a vehicle to spontaneously burst into flames.

    They wouldn't accept a braking system that sometimes didn't work properly resulting in driver education campaigns to fill in safety gaps.

    Why on earth should anyone accept a vehicle inherently unsafe to remote cyber attack? Because it's software?

    The alternative is not between cars needing this and cars not needing this.

    The alternative is between manufacturers making money and facing bankruptcy due to costs associated with bankrolling recalls and legal action.

  7. "You are experiencing a car accident" on BlackBerry Working With Automakers On Antivirus Tool For Your Car (reuters.com) · · Score: 2

    So you decided to connect cars and shit to the Internet and results have been gloomy and unpleasant? Facing multi-million dollar lawsuits, bad PR and expenditures related to massive recall campaigns?

    Don't sweat choosing between dangerous and irresponsible use of technology and juicy perpetual cyber stalking related profits.

    The path to success is paved by doubling down on "defense in depth" shell games in a bid to prevent a sufficient number of critically injured whiners and crying babies from coming to the otherwise obvious conclusion.

    Virus scanners in particular are a fabulous choice:

    - Positive public perception
    - Subscription fees (or else) show you care
    - Stunning record against unknown and targeted threats
    - Marvelous record of scanners leveraged as vectors to compromise otherwise secure systems.

  8. Re:An effort in insane futility.... on ReactOS 0.4.5 Released (reactos.org) · · Score: 1

    Trying to basically create a clone of an operating system that is past its prime -- and by the time it is "fully functional" all the software that you wanted to keep running on a WinXP clone has long past its prime....

    Effort would be best spent trying to create a new OS or new UI for an existing open source OS, but this just seems like taking a love of an old UI to an insane level. For God's sake, it started its history almost 20 years ago....

    General purpose operating system market is maturing to the point where in majority of cases value derived by improvements will never outweigh cost of change absorbed by end users.

  9. Point of fact, I still don't know what's so terrible about what the Russians supposedly did..

    Attempting to interfere with a US election, according to both the CIA and the FBI. Not only that, what's now being investigated is evidence of collusion with the Trump campaign - ostensibly, to hurt HRC.

    I don't know; it would seem to me AIPAC is a foreign lobby that persistently attempts to "interfere" with US elections.

    Does interference only count as "interference" when you bypass an access control?

    Are actions that constitute interference somehow based on arbitrary value judgments made by politicians? Russia bad... Israel good? .. that sort of thing?

    Does Israeli propaganda stink less than Russian propaganda?

  10. Why do you false dichotomy guys always show up in these threads? Of course pattern recognition is AI

    The problem here seems to be language / communication failure. "AI" simply means too much to too many at this point to communicate any substantively distinctive information. It's right up there with "cloud" and "that thing".

    Of course pattern recognition is AI, and of course it is just an advanced program.

    To put it another way... what isn't AI? If I write a sorting or maze walking algorithm is this AI? What if my algorithm is simply make all left or right turns? Is that AI? If I use chi-squares as a "pattern recognition" algorithm is that AI? What about a computer tic-tac-toe opponent? ... LEARN DAMMIT..LEARN..

    From where I sit the general understanding of what "AI" is in the minds of many non-experts is much closer to futuristic AGI or otherwise convincing mimicking of human behavior. To make matters worse we are now compounding confusion with the fact that "AI" is now a marketing term.

    Your brain went through the same brute force feedback loop when it was wiring itself before you were conscious enough to recognize it. It is also far better than anything we'll be able to make artificially in a variety of ways, but it isn't qualitatively different.

    This is far from a settled question.

  11. Let's all hear one fired person's account of a story and implicitly assume it's all true, untarnished by hyperbole. Don't wait for the outcome of the suit or production of objective evidence; judge now now now in the lynch mob of public opinion.

  12. More hype than substance on 'Don't Tell People To Turn Off Windows Update, Just Don't' (troyhunt.com) · · Score: 5, Interesting

    People get WannaCry by clicking on the wrong email not by SMB exploits. I get that repurposed NSA exploit angle makes for interesting and irresistible news stories but substantively it's way overhyped and using it to support blanket assertions is a nonstarter in my view.

    There is compelling quantifiable evidence to support the position vaccines help more than they hurt. The case for updates is closer to the question of whether throwing billions into the intelligence industrial complex makes real people quantifiably safer from being terrorized given opportunity cost of not investing these funds to address significantly more statistically substantial problems such as pulling down US murder rate.

    What we know for sure is social engineering accounts for 90% of general p0wnage worldwide. Even if all unintentional software bugs were patched with 100% coverage overnight absolutely nothing would change.

    In 2017, given Microsoft's proven track record of both incompetence and sleaze when it comes to updates, it's an open question as far as I'm concerned whether updates are still worth applying at all. The majority of end users are behind stealth mode firewalls and the only whackable thing they have sticking out is a web browser. If you keep Firefox or Chromium or whatever up to date and lock down some associated configuration, are you really appreciably safer vs the probability of the computer failing to boot or the introduction of some new Microsoft "telemetry" malware or Microsoft false choice prompt dismissal scam? I honestly don't know the answer. I do know it very much depends on context, not only in terms of the user's needs and environment but the value judgments of the end user.

    If Microsoft would stop constantly peddling malware, firing QA staff, fix updates to not use insane amounts of resources while taking forever and requiring a reboot to sneeze... If only updates were properly labeled and people trusted Microsoft not to screw with them... my guess less will find value in disabling updates.

    I personally believe coordinated automated updates of billions of systems globally in a matter of days is an extraordinarily perilous activity in and of itself no matter how careful you are. Sooner or later this is bound to end in a major disaster. While updates do fix problems quicker they also significantly lower the cost and tolerance for releasing defective software. It sends a signal to the market releasing defective software is a cost free activity.

  13. although .. after we've all finally moved onto IPv6 networking, and all our home systems (not just well-run geek systems but also all Joe Public's PCs running Windows 17) are sitting on publicly routable real addresses and *not* behind NATs, the situation won't be as comfortable any more.

    Nothing changes with deployment of IPv6.

    - All customer IPv6 capable routers on the market provide SPI making them more secure than existing packet mangling IPv4 NAT routers... The baseline requirement for SPI isn't going away.

    - Windows firewall works just the same over IPv6 too, blocking SMB by default.

    - ISPs block SMB over IPv6 the same as they do over IPv4.

    So no NAT any more, and we have to hope that everybody's ISP-supplied "router" will contain an adequate firewall as a perimeter defence. People with home networks of Mom, Dad, Granny, Billy & Sue's PCs will be depending on their individual PCs' host firewalls having the SMB ports open in order to "share" their, er, "family vacation photos", or whatever the hell it is they share.

    The reality is the only thing that changes for end users is the ease with which connections between peers can be primed using IPv6 SPI vs IPv4 NAT.

    For example, if two parties want to have a video or voice conversation or play an interactive game and both are using IPv6 behind SPIs, then they need only use a common server to trivially "prime" SPI associations. From then on all data is direct communication between peers. This is because TCP/UDP port space maps cleanly 1:1 across using IPv6 SPI. With IPv4, even if there is compatible port space at all between CGN/NAT implementations, it generally does not map cleanly across, so you're left either giving up and routing through other servers, which sucks for all concerned (server and bandwidth costs, increased latency), or crossing your fingers and firing off some kind of brute force/birthday paradox scheme to establish a viable association.

  14. Re:Microsoft is 100% right on this one on Microsoft Blasts Spy Agencies For Leaked Exploits Used By WanaDecrypt0r (engadget.com) · · Score: 1

    The NSA's job is securing the nation's communications.

    This is like arguing that a photon is a particle. This description is only half right.

    Part of that would be reporting vulnerabilities to vendors so that they can be fixed.

    Blaming NSA for having dual sometimes mutually exclusive missions is misguided.

    NSA peeps don't just wake up in the morning and decide to get into baking cookies, stacking boxes or policing traffic. NSA's Job description is handed down by the same people who created the NSA in the first place -- your representatives in government. If you don't like NSA's mission or priorities then you can work to build consensus for your position and lobby your representatives to have their Job descriptions changed.

  15. There are more than enough XP users in the world for Microsoft to dedicate resources and turn a profit supporting it. Arbitrary sunset dates disconnected from reality of who is still using software amount to nothing more than sales tools intended to extort upgrade revenue.... buy this or get owned.

    I personally don't believe vendors should be allowed to walk away from safety defects in products in order to make money on upgrades. Buffer overflows are an entirely preventable class of software failure. It is a tractable problem to solve. That it may not be in the case of XP isn't the end user's problem.

  16. Re:Microsoft is 100% right on this one on Microsoft Blasts Spy Agencies For Leaked Exploits Used By WanaDecrypt0r (engadget.com) · · Score: 2

    Nobody is perfect, all software has vulnerabilities.

    This isn't a falsifiable statement. Any software defect no matter how egregiously pathetic could be explained away by the same statement. Just saying nobody is perfect doesn't communicate objectively useful information.

    NSA's SMB exploit was just another buffer overflow vulnerability.

    Buffer overflows like various forms of injection attacks are entirely preventable classes of failure by imposing constraints on software design. You can even get to no overflows for free just by selecting a different programming language with constraints for better or worse already baked in.

    While I'm sure it's all quite difficult in practice given codebase MS is dealing with.. it's hardly intractable either. Given scale MS operates with billions of Windows users and decades to get it right I personally don't believe a pass is warranted for this.

    Had our relevant TLAs bothered to tell the relevant companies about the holes they found we would all be a hundredfold safer. But no, they kept them secret, figuring they could hack Some Bad Guy's computer and Stop Some Low Level Bad Thing.

    TLAs find this shit with the explicit intent to wield as leverage against adversaries. It simply isn't rational to expect the same TLA to work against their own interests in the manner suggested.

    The fault here lies in our country's TLAs deciding it was better to leave 100% of the country at risk, hoping they would be able to exploit a hole before someone else could exploit that same hole against us.

    I disagree. NSA is at fault only for failing to keep their weapons safe. The politicians and everyone who voted for them is at fault for defining their mission and for government paying lip service to funding basic R&D into tools and methods to improve security.. code analysis, language design, education... etc.

    FFS, computer illiterate people were calling me about this ransomware long before a single email hit from the comically worthless US-CERT list.

  17. "The basic idea is this - someone wants to send an image to Alice using only light (which acts as a wave, not a particle, in the quantum realm)."

    Nonsense. Photons have properties of both.
    https://en.wikipedia.org/wiki/...

    "researchers have been able to experimentally achieve it - transferring a black and white bitmap image from one location to another without sending any physical particles."

    If you pretend a photon is only a particle which it is not then you can make pretend statements such as the above. And in a counterfactual pretend universe you would be right.

  18. Re:No! Of course not! on Slashdot Asks: Should Businesses Switch To Biometric Passwords? (hbr.org) · · Score: 1

    Getting rid of passwords is a good idea, though. It's just that replacing them with biometrics is a change for the worse. A change for the better is to use public key cryptography: instead of your keychain containing passwords that you have to remember and that are sent to the far end

    Passwords never have to be sent anywhere. You can use a zero knowledge proof to determine mutual possession without leaking ANYTHING about the password other than the binary outcome of whether the fact of mutual possession has been established.

    Don't confuse widespread adoption of stupidity (e.g. passwords entered into ad hoc web forms) .. for something inherent to passwords. Widespread use of insecure authentication protocols (and yes, entering plaintext passwords over TLS counts as insecure authentication) is directly responsible for the proliferation of phishing related p0wnage.

    Secure authentication using technology already widely available in most of the world's popular crypto stacks allows users to attempt to "log in" without ever putting their secret password at risk, with deployment of PKI being completely optional.

    , you have public keys, possibly more than one, for every service you need to contact, and you use your private key to authenticate with them. Trust is established at first use, or in person (with your bank).

    There's work being done on this in the IETF, using token binding. It's early days, but you can enable it in Chrome. Dunno if it's in Firefox yet.

    Client certificates have been widely deployed across all major browsers for decades. Little in the way of legitimate excuses remain for failure to deploy in a business setting in 2017.
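    As an added illustration of the zero knowledge password authentication argued for in comments 2 and 18 above (this is example code written for this page, not code from the thread or from any named project; the group is the RFC 5054 1024-bit one and the final proof message is a simplified stand-in for the RFC 2945 form), here is a minimal SRP-6a exchange in which the server stores only a salt and verifier and the password itself is never transmitted:

```python
"""Minimal SRP-6a exchange (RFC 5054 1024-bit group, SHA-256). Added
illustration, not code from the thread: the server stores only (salt,
verifier), the password never crosses the wire, and a successful run
leaves both sides holding the same session key K."""
import hashlib
import secrets

# Safe-prime group from RFC 5054, Appendix A (1024-bit), generator 2.
N = int(
    "EEAF0AB9ADB38DD69C33F80AFA8FC5E86072618775FF3C0B9EA2314C9C256576"
    "D674DF7496EA81D3383B4813D692C6E0E0D5D8E250B98BE48E495C1D6089DAD1"
    "5DC7D7B46154D6B6CE8EF4AD69B15D4982559B297BCF1885C529F566660E57EC"
    "68EDBC3C05726CC02FD4CBF4976EAA9AFD5138FE8376435B9FC61D2FC0EB06E3", 16)
g = 2
NLEN = (N.bit_length() + 7) // 8

def pad(n):
    return n.to_bytes(NLEN, "big")

def H(*parts):
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big")

k = H(pad(N), pad(g))  # SRP-6a multiplier k = H(N | PAD(g))

def private_x(username, password, salt):
    # x = H(salt | H(I ":" P)); only ever computed on the client side
    return H(salt, hashlib.sha256(f"{username}:{password}".encode()).digest())

def enroll(username, password):
    """Registration: the server keeps (salt, v = g^x), never x or the password."""
    salt = secrets.token_bytes(16)
    return salt, pow(g, private_x(username, password, salt), N)

def client_start():
    a = secrets.randbits(256)
    return a, pow(g, a, N)                          # ephemeral a, public A

def server_start(verifier):
    b = secrets.randbits(256)
    return b, (k * verifier + pow(g, b, N)) % N     # public B = k*v + g^b

def client_key(username, password, salt, a, A, B):
    if B % N == 0:
        raise ValueError("degenerate B")            # RFC 5054 abort condition
    u = H(pad(A), pad(B))
    x = private_x(username, password, salt)
    S = pow((B - k * pow(g, x, N)) % N, a + u * x, N)
    return hashlib.sha256(pad(S)).digest()

def server_key(verifier, b, A, B):
    if A % N == 0:
        raise ValueError("degenerate A")
    u = H(pad(A), pad(B))
    S = pow(A * pow(verifier, u, N) % N, b, N)
    return hashlib.sha256(pad(S)).digest()

def proof(A, B, K):
    # Simplified client proof M1; RFC 2945 also mixes in H(N), H(g), I and salt
    return hashlib.sha256(pad(A) + pad(B) + K).digest()

def login(username, password, salt, verifier):
    """Full exchange between an in-process client and server: (ok, Kc, Ks)."""
    a, A = client_start()
    b, B = server_start(verifier)
    Kc = client_key(username, password, salt, a, A, B)
    Ks = server_key(verifier, b, A, B)
    ok = secrets.compare_digest(proof(A, B, Kc), proof(A, B, Ks))
    return ok, Kc, Ks
```

    Only A, B and the salt cross the wire, and a wrong password simply yields mismatched keys and a failed proof; a real deployment would use a larger group and the full RFC 2945 proof messages.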

  19. Re:What value is google providing? on Google Found Over 1,000 Bugs In 47 Open Source Projects (helpnetsecurity.com) · · Score: 2

    It was mentioned what 3rd party tools were being used.

    https://opensource.googleblog....

    Where? I don't see any credit given to the people who actually wrote the fuzz software in blog post referenced in TFA.

    What do you expect a front page NYT article?

    I expect to see proper attribution. Normally I wouldn't care, but Google is requiring people to credit its bot, which primarily executes software Google didn't write. This is BS in my view.

  20. Re:i agree with the FSF here, but they can't win. on FSF Supports Today's Boston March Against DRM In HTML5 (defectivebydesign.org) · · Score: 1

    The FSF can't win this one. There is too much money on the other side.

    If all that mattered was who has more money this issue would have been quashed in the early 90's. Today the question on the table for W3C would be mandatory laser scanning of eyeballs or mandatory browser APIs to give websites with too much money ring0 access to everyone's systems.

    You have Google, Netflix, every major web browser, Microsoft, and even the inventor of the web himself. What is going to stop that kind of support?

    Before commenting further please review W3C's member list.
    https://www.w3.org/Consortium/...

    Also review the open principles that W3C advertises adherence to.
    https://open-stand.org/about-u...

    There has to be "Broad consensus" ... simply voting or allowing those with the most money to win violates W3C's own rules.

    The open internet was a quirk of history. It was doomed from the start. It may have started as a wild west, an open digital frontier, but control over it is being re-established step by step by step.

    It's never been cheaper or easier to communicate globally with billions of people. Source code for systems, networking and application stacks are readily available to anyone who wants them for FREE. Those bitching about being doomed and helpless need to get their heads examined.

  21. What value is google providing? on Google Found Over 1,000 Bugs In 47 Open Source Projects (helpnetsecurity.com) · · Score: -1

    It seems all Google is doing is executing LibFuzzer. I'm unsure what value Google is bringing to the table here other than public attention whoring. They demand you give their bot credit for finding vulnerabilities. What about giving credit to the people who actually wrote the software?

  22. They want to steal your data on US To Ban Laptops in All Cabins of Flights From Europe (thedailybeast.com) · · Score: 1

    This is all about giving three letter agencies a chance to rummage through and or hack your electronic shit without you even knowing.

    Everyone knows a bomb in a laptop leads to substantially similar outcomes no matter location inside the aircraft. If this was actually for safety they would ban laptops from aircraft outright.

  23. FCC incompetence on full display on A Bot Is Flooding the FCC's Website With Fake Anti-net Neutrality Comments (zdnet.com) · · Score: 2

  24. TFA is entirely corporate doublespeak. It literally makes as much sense as Intel PR shills attempting to justify a shift in production from ICs to abacus beads.

    The benefits of running applications in isolated containers is a justification for jails not artificially restricting execution and the means of distribution.

  25. Re:VR is like 3D on Facebook Closes Its Oculus VR Studio (bbc.com) · · Score: 1

    Will be gone in a few years. Fads never last.

    Next time you launch your imperial fighter from the hangar of your friend's ship, weaving through structures of stations and massive ships with 6DOF control like a leaf on the wind, try closing one of your eyes.

    With the remaining eye open look around you...what do you see? Hint: you're still IN the same frisking spaceship. "3D" binocular vision means nothing in VR. It means nothing in space or past about 5 meters here on earth either.

    Simply labeling something new a "fad" and declaring they never last would mean steam engines, difference engines, horseless carriages, heavier than air ships and telegraphs "never last" either.

    There are many valid reasons to believe VR sucks or the market for VR sucks. Facebook closing a studio to produce VR content certainly seems to be evidence such endeavors sure as heck are not currently or likely soon to become profitable.