I don't know how or why it came to this. The world is hooked on insecure authentication protocols. NTLMv2, Kerberos, plaintext, plaintext over encrypted tunnel protected by group secrets (sigh..) or certificates and dull thud of every flawed permutation of a challenge handshake system imaginable.
These things are employed virtually everywhere and the consequences are visible everywhere.
Haha I tricked you or your computer into connecting to my file system or my fake bank or my fake web site and because of that I now have your credentials and you're f*****d.
Living with consequences has become so routine and institutionalized some find it difficult to see the problem at all... instead resorting to blaming failure of a castle defense or operating in an unsafe environment rather than notice the root cause of the problem - broken authentication systems.
When the most widely deployed use of a secure authentication protocol is protecting an online role playing game I have no interest in Microsoft's (And all other vendors) lame excuses for not fixing these problems decades ago.
article = new NonsenseFilledStory();
article.addStrife();
article.addControversy();
article.stokeTribalism();
article.allowAnonymousComments(true);
stack_of_trolls *users = article.create();
for (auto &user : *users) {
    if (!user.isTroll() && user.respondsToTrolls())
        globalBanList.addUser(user);
}
Dude, what is wrong with you?
No, seriously. There is really something very wrong with you. It sounds like a mental illness. You NEED to get it looked at by medical professionals.
What is wrong with the people who take information for purposes other than original intent without asking and proceeding to leverage it for commercial gain?
Did these companies ask the Pilots for permission first?
Do these people even listen to themselves? They can't even communicate a coherent value proposition.
Why not use the grid as a reservoir..like a battery or capacitor?
Cuz it ain't one.
When your local production exceeds your demand..push the rest into the reservoir
When you have a deficit..draw from it
When you have excess so does everyone else and when you have a deficit so does everyone else. Little capability exists to buffer energy at scale in current systems.
Many people who advocate being off the grid are extreme isolationists..who value isolation over practicality
Practical is more often than not determined by how many are willing to spend how much to get a desired result.
You're a retard. Really.
Truly, certainly, actually indeed.
Besides this is already being done on our roadways, with license plate readers...
Using the fact that something has been done to justify doing it is genius.
What happens if someone just wants to use this technology for the intended purpose of enhancing safety and does not want nor appreciate global collaboration of spies using it to track their every move?
Conversations in the clear overheard on public frequencies are fair game and can be reused and rebroadcast for any purpose without limits...right? If something moves in a public space the world has an inherent right to know about it with no limitations...right?
I'm sure the execs running flightaware would have no problem with someone following their and their families asses around town every time they leave their driveway for the entire day and broadcast it all live on the Internet.
It's rare that a jury should exercise "jury nullification" but cases like these, where the punishment does not fit the crime, are one of them.
What is even rarer these days is the jury trial. With evolution of threat of insane sentences looming and nonsensical cost of litigation even the completely innocent dare not risk ignoring plea deals and settlement.
Acquitting a guilty person when the charge is over-the-top for the circumstances sends a loud message to prosecutors to dial-it-back to something sane the next time around.
Blemishing the record of a prosecutor constitutes a high crime against god that will not be tolerated under any circumstance.
A CA isn't required at all to encrypt, just accept any self-signed certificate. If we want to introduce CAs or other method of identity verification, that may be fine but it is a different problem from encryption.
When real people in the real world hear the word "encrypted" the word they actually hear is "secured"... encryption without trust is a dangerously nonsensical illusion.
We are seeing bits of this with the various opportunistic encryption extensions to SMTP and HTTP.
What is the point? This does not stop the NSA from using QUANTUM INSERT and there is a very good chance anyone able to eavesdrop on the wire has the means to spoof a few packets and co-opt TCP sessions... so what does doing this buy you other than confusing people with doublespeak nobody understands?
I agree with the trust issue on certs however encrypting doesn't mean that I have to use a trust based model if it's for personal uses or for close proximity use, such as within a family or business environment.
Maybe I don't understand what you're trying to say but there is no point at all in encrypting without trust. If you're saying you would rather use a local CA for internal business or family use this is an excellent idea.
As a start I'd like to see the CA system revamped or replaced with multiple trust authorities, not just one chain and have meaningful teeth to eliminate trust associations with authorities who violate trust which seems to be more rampant and obvious as of late.
This isn't ever going to happen unless trust anchors are deterministically derivable from DNS names implying little to no choice in your selection of a trust anchor.
Names is all that you can use because it is all people are willing to accept. Nobody is willing to go to google.com and manually enter or have to confirm use of the proper registry nor does relying on some coordinating structure do anything other than recreate the same problems in a different form.
Certs don't work, never have. Aggregating so much power and responsibility into the hands of CAs is just as foolish as key escrows run by governments and organized crime. Something will always go wrong; there will always be too much incentive locked up in ensuring that it does. The more successful and useful a "simple" solution for everyone becomes the more incentive exists to co-opt it.
The answer is not doubling down on these things and "encrypting" just because you can or just because it's easy.
Most systems worth securing already require you to provide a password to login. If you want to improve the status quo and really make a difference then get browser vendors to natively support secure logins via TLS-SRP and relegate free certs to the margins for service discovery and account setup where there is no other practical means of establishing trust.
Snowden's deception (really Greenwald's) is in deliberately misleading people to believe that the agency is using the technical capabilities on everyone, everywhere. It's a subtle, but deliberate lie.
Snowden addressed this in his interview with his gun analogy.
Those in the know are still very frustrated that the NSA has consistently under-used resources and been hesitant to collect and disseminate information. However, that doesn't sell newspaper ads.
Merely collecting and having the information is crossing the line. It is undisputed, irrefutable public knowledge that the NSA possesses call records of EVERYONE who uses a phone in this country.
Nobody has any idea or can know what the NSA does with it nor do they have any reason to trust the government. The point of view "oh but we don't use it" is simply irrelevant. The word "collect" does not mean "unless I use" any more than stealing money from a bank only counts as stealing once the stolen money has been spent.
There is enough bullshit (e.g. parallel construction) going on behind the scenes to justify blanket mistrust.
Most interesting part for me was all the wikileaks references in the "random" non-cherry picked interviews. Had all but forgotten about intersection of Wikileaks and Snowden. Reminded me of all the people who thought Iraq war was about Terrorism... wonder how these things happen?
It almost seems as if Hanlon's Razor is actively working to reassert itself in the commercial airline space.
Give me a break, the commercial airline industry can't even be bothered to integrity-protect basic routine communications with aircraft and now people are chattering about remote controls.
Doing internal DHCP/DNS/AD/Exchange? I'm fine with that, too.
AD was engineered by crazy people obsessed with self-mortification.
Exchange like Gas Pumps in Oregon and New Jersey is a jobs program for Administrators.
DNS, beloved by DDoS mitigation services everywhere.
DHCP Jet databases are protected by a mysterious force that defies rational explanation.
This is an epic thread.. amusing.. and very sad.. at the same time..
https://bugzilla.mozilla.org/s...
However I'm afraid we often are not understanding the bigger picture.
The underlying problem is our own behavior. We are hoisting responsibility for security of everything in the "cyber world" upon CAs and acting surprised when the tidal wave of pressure from all sources to betray that trust washes them away.
Trusted third parties should be used only for initially establishing trust... after that we should be finding off-ramps and decentralizing trust as much and as quickly as possible. The goal is to reduce "tidal waves" of incentive to something more manageable by reducing the reasons for wanting to compromise these systems in the first place.
For example while I am creating my gmail account I should be able to establish a separate trust relationship (password...etc) with Google that does not depend on third party CAs. A PAKE algorithm (TLS-SRP) would fit the bill nicely here.
Later, even if some government wanted to clamp down or spy on everyone, compromising PKI does not result in compromise of users... and better still the offloaded trust can be used to crosscheck PKI, detecting intrusions quickly.
This is critically important because not only will the payout for successful compromise be relegated to "new users" but your chance of being caught in the act instantly goes up to 100%.
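An added example, not code from any commenter here, of the PAKE that the TLS-SRP suggestion above and this comment's account-setup idea both rely on: an SRP-6a exchange in which the server stores only a salted verifier, the password never crosses the wire, and a fake server that does not hold the verifier cannot finish the handshake. It assumes the 1024-bit group from RFC 5054 Appendix A and a simplified proof M1 = H(A | B | K) rather than the full RFC 2945 form; the identity, password and salt are constructed sample values.

```python
import hashlib
import secrets

# 1024-bit SRP group from RFC 5054 Appendix A, generator g = 2.
N = int(
    "EEAF0AB9ADB38DD69C33F80AFA8FC5E86072618775FF3C0B9EA2314C9C256576"
    "D674DF7496EA81D3383B4813D692C6E0E0D5D8E250B98BE48E495C1D6089DAD1"
    "5DC7D7B46154D6B6CE8EF4AD69B15D4982559B297BCF1885C529F566660E57EC"
    "68EDBC3C05726CC02FD4CBF4976EAA9AFD5138FE8376435B9FC61D2FC0EB06E3", 16)
g = 2
NBYTES = (N.bit_length() + 7) // 8


def H(*parts: bytes) -> int:
    """SHA-256 over the concatenated parts, read as a big-endian integer."""
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big")


def pad(x: int) -> bytes:
    """Fixed-width encoding of a group element, as RFC 5054 requires."""
    return x.to_bytes(NBYTES, "big")


k = H(pad(N), pad(g))  # SRP-6a multiplier, binds the group to the exchange


def derive_x(salt: bytes, identity: bytes, password: bytes) -> int:
    """x = H(salt | H(I ':' P)); only the client ever computes this."""
    return H(salt, hashlib.sha256(identity + b":" + password).digest())


def make_verifier(salt: bytes, identity: bytes, password: bytes) -> int:
    """Account setup: the server keeps v = g^x, never the password itself."""
    return pow(g, derive_x(salt, identity, password), N)


def client_start():
    a = secrets.randbelow(N - 2) + 1          # client ephemeral secret
    return a, pow(g, a, N)                    # (a, A); A goes on the wire


def server_start(v: int):
    b = secrets.randbelow(N - 2) + 1          # server ephemeral secret
    return b, (k * v + pow(g, b, N)) % N      # (b, B); B goes on the wire


def client_finish(identity, password, salt, a, A, B):
    """Client derives the session key K and its proof M1 from the password."""
    if B % N == 0:
        raise ValueError("server sent a degenerate B")
    u = H(pad(A), pad(B))
    x = derive_x(salt, identity, password)
    S = pow((B - k * pow(g, x, N)) % N, a + u * x, N)
    K = hashlib.sha256(pad(S)).digest()
    M1 = hashlib.sha256(pad(A) + pad(B) + K).digest()
    return K, M1


def server_finish(v, b, A, B, M1):
    """Server derives K from the verifier; returns (K, M2) or None on failure."""
    if A % N == 0:
        return None
    u = H(pad(A), pad(B))
    S = pow((A * pow(v, u, N)) % N, b, N)
    K = hashlib.sha256(pad(S)).digest()
    expected = hashlib.sha256(pad(A) + pad(B) + K).digest()
    if not secrets.compare_digest(expected, M1):
        return None                           # client did not know the password
    return K, hashlib.sha256(pad(A) + M1 + K).digest()


def run_handshake(identity, password, salt, v):
    """Full exchange. Returns (client_accepted_server, keys_match)."""
    a, A = client_start()
    b, B = server_start(v)
    K_c, M1 = client_finish(identity, password, salt, a, A, B)
    result = server_finish(v, b, A, B, M1)
    if result is None:
        return False, False                   # server could not prove it holds v
    K_s, M2 = result
    client_ok = secrets.compare_digest(
        M2, hashlib.sha256(pad(A) + M1 + K_c).digest())
    return client_ok, K_c == K_s
```

Running the exchange against a verifier built from a guessed password models the "fake bank" case: the impostor sees only A and M1, cannot produce a valid M2, and the client refuses the session.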
If you don't trust him or otherwise feel justified in being overtly paranoid thank him for the offer and escort him out otherwise there is nothing for you to do other than your job.
This is awesome news. Congratulations to Mozilla for taking the lead on this.
By constantly taking the 'safe' option, you can actually end up in a very high-risk stagnant position, where you'll be slower to market, or new entrants can dramatically undercut your cost structure. It's also very easy to end up with millions of lines of inflexible, proprietary code; because you're ignoring new frameworks that your competitors leverage with just 10's of thousands of lines instead.
What I'm not seeing in the market is enabling capabilities.
People always like to talk about language/feature x or framework y or pattern z... yet all browsers, codecs, operating systems, networking stacks, game engines, database engines of import are written in some form of C. Automated porting tools exist and decade(s) have passed...still crickets.
The useful progress I see occurring is locked up in incremental improvements rather than "new ideas" and fly by night projects.
What I really want to see is something transformative... something where if you don't use it you will be left behind or simply otherwise not have the capability to implement a system like your competitor.
If you take away the game engine or the database engine or the browser or network stack a lot of people would be screwed, simply not otherwise having the time, intelligence or capability to implement solutions.
These things were all started decades ago and continuously refined and improved upon with herculean amounts of now dead labor.
Ignoring new entrants who are in too many cases just reinventing the wheel...poorly... is not a way to be left behind, it is a way to get ahead and be successful. The era of "surprise... I found something new... everyone do this now.." is over, and has been for a while. Betting against it even out of ignorant dismissal gets safer every day.
Products can often live long lives, with most of the cost ending up being in maintenance & future features. But don't just consider the technology you need today, but also consider what will be most appropriate for the organisation in the years ahead too.
The best way to be successful is to heavily invest in architecture and design while de-emphasizing import of syntactic details. If you are having endless meetings over what language or API to use you are already screwed.
In case of this flight, it would have helped if the captain had a code that would have opened the door regardless of it being locked from the inside.
http://www.cnn.com/2012/03/27/...
But then the copilot might have just killed him first, before diving the plane to the ground.
"But" is always the problem with reactionary policy.
Not sure if that should be +12V, +18V, or +48V, but it's time to have integrated power management for all your home, avoiding power supplies on standby.
Great idea for those who own or have stock in copper mines. Counterproductive and pointless otherwise.
What I find more interesting is why stars rarely collide?
Too much empty space.
Having a flight-attendant sit in for a two-person rule may not have saved the plane, but at least the co-pilot would have to work harder for it.
Hard not to be "impressed" with outcome of making policy in reaction to specific incidents.
Somewhat akin to taking the red pill and never quite making it to the bottom of the rabbit hole.
911 - reinforce doors
GW - copilot crashes plane
??? - flight attendant crashes plane
???? - ????
Having known people who were able to score jobs as flight attendants, personally I'm liking my odds with (co)pilots left alone.
Win or lose, merit or nonsense the lawyers always win.
From a quick check of text ISP side retention appears similar to previous failed US attempts. Basically ISP connection "session" level detail.
ISP assigned IP, aggregate data and packet counts, physical connection point..etc. with a uniform minimum retention period... Frankly shit most ISPs keep anyway.
On the Information provider side (websites, email providers) retention appears to be per mail or transaction... an access log or email log file... This is on the hosting side only not ISP side unless of course ISP is hosting.
They explicitly seem not to include granular collection on the ISP end... IP flows, DPI/URL type shit.