Slashdot Mirror


User: WaffleMonster

WaffleMonster's activity in the archive.

Stories
0
Comments
4,185

Comments · 4,185

  1. Re:503 on Google Proposes To Warn People About Non-SSL Web Sites · · Score: 1

    I strongly disagree with the people who say encrypted but unauthenticated is as bad as unencrypted. Yes, a targeted attack can use man-in-the-middle techniques, but if anyone starts doing that on a large scale they are likely to get noticed.

    I don't think people realize how easy it is to hijack a TCP session. There is essentially no filtering being done by any operator... packet spoofing can be trivially carried out from virtually anywhere on the network.

    I think you're right in the abstract that opportunistic encryption is helpful against certain types of threats (e.g. Room 641A) ... and I would be supportive of implementation provided nobody knew it was going on.

    The trouble is this nuance is too big an ask for normal users whose day job is not security to understand. When we say "it's encrypted" they hear "it's secure" ... which isn't true.

    This is my problem with opportunistic encryption: people will rely on it and then get burned by it, and this is worse than not doing it.

  2. Re:503 on Google Proposes To Warn People About Non-SSL Web Sites · · Score: 1

    I don't think I've entered either of those things in the last 10 years. Heck they aren't even shown on my URL at the moment.

    That's the problem they removed all of the indicators that would tell people what the hell is going on and confuse them with fake pointless assertions. Only now they are realizing they fucked up. When and if they fix it I hope they don't overreact and put even more people at risk.

    Do you also consider having a front door with a door lock any better than just having a hole in the wall open to the road?

    HTTP should look like the entrance to a 7-11 busy churning out Slurpees for all the good little boys and girls.

    HTTPS should look like the entrance to a bank vault with armed guards standing watch.

    The industry has failed for a number of reasons to present this picture to the user... at every turn they let their designers loose with their abstract Spartan design bullshit taking away critical information from the user. All the while legitimate sites routinely trick users with fake assertions of security having no basis in reality.

    I don't think doubling down and forcing SSL on everyone is the answer.. the answer is realizing you have fucked up and fixing the underlying problem. The underlying problem is the browser is not saying shit about the security status of a site, and when it does it is not obvious enough.

  3. Re:fire them on Hackers Compromise ICANN, Access Zone File Data System · · Score: 3, Informative

    Any employee dumb enough to fall for a phish should be fired.

    The messages were *targeted*; they appeared to come from real people within the company. If your PM sent you a Word doc detailing a new project proposal and you opened it, should YOU be fired?

    SMTP email is a failed experiment causing untold damage to millions of users around the world.

  4. Re:Bad for small business owners on Google Proposes To Warn People About Non-SSL Web Sites · · Score: 1

    Doesn't it make sense? What makes you so sure? Do you run a gardening shop? How do you know your customers aren't being watched for fertilizer references? Maybe you sell some memorabilia or trinkets with a war or political relevance? God forbid you actually sell stuff that can be used to make firearms.

    Your fertilizer page is 14674 bytes in length. What difference does it make if you encrypt it? I still know you went there and I know who you are by your address. Fail.

  5. Re:This again? on Google Proposes To Warn People About Non-SSL Web Sites · · Score: 1

    The secure vs trustworthy issue is a fundamental flaw with HTTPS where both encryption and authenticity are meshed into the same protocol.

    This is doublespeak. Encryption without authentication is an illusion.

  6. Re:OK on Google Proposes To Warn People About Non-SSL Web Sites · · Score: 1

    Trivial to defeat HSTS:
    https://github.com/sensepost/m...

    Oh give me a break this does not defeat HSTS it just links to the wrong hostname offered up by an insecure site. Garbage-In-Garbage-Out.

    Saying this defeats HSTS is like saying getting domain micr0s0ft.com registered and an SSL cert assigned defeats SSL because I tricked someone into going there and thinking it was the real deal.

  7. Re:503 on Google Proposes To Warn People About Non-SSL Web Sites · · Score: 0

    It has bugged me for years that unencrypted plain text data is given a pass, but a self-signed certificate with encryption brings up a warning that requires multiple clicks and in some cases even importing a certificate to get through.

    When you enter http:// you are declaring your intent to view unsecured content.

    When entering https:// you are declaring your intent to view secured content. An untrusted certificate is not trustworthy and cannot be used as a means of securing content.

  8. Re:Stupid on Google Proposes To Warn People About Non-SSL Web Sites · · Score: 2

    Personally I think the colour scheme is simply wrong. Rather than White for plain, Red for SSL with some minor error (self signed cert), and green for proper encryption, why not go red for unencrypted, orange for encryption with problems, and green for encrypted and verified?

    That's easy: most websites will appear red and users will tune it out. You have now increased confusion and lost your ability to communicate important information to the user.

  9. Re:Has This Thread Been Hijacked By The NSA And IS on Google Proposes To Warn People About Non-SSL Web Sites · · Score: 2

    Encouraging the web to go 100% SSL only is unquestionably a good thing.

    Not if it means paying rent to CAs every year so they can sit on their fat ass and do nothing.

    The issues with performance were gone a decade ago...

    Even if maintaining session state and TLS were completely free round trip delay and assuming the best case that session resumption occurs for all accesses you still have to eat additional round trips...delay that is quite noticeable to those accessing content internationally and over wireless or low bandwidth links.

    It makes no sense that all the "anti-SSL" posts have been modded up.

    Why should people have to screw with SSL when they have no secure content to offer? This is what makes no sense to me. Google is twisting arms to have their way.

    Regardless of what you think of making everything "secure" I don't subscribe to the notion that ends should justify means.

  10. Re:This again? on Google Proposes To Warn People About Non-SSL Web Sites · · Score: 1

    Every web connection needs to be HTTPS, to keep random people from snooping on which URLs you visit. Problems only multiply with every cookie that discloses information or correlation between different requests.

    Fire up Wireshark, sort by DNS and pick any well known website at random. Why are there all these queries for dozens of other sites? They're all leaking tracking cookies and all kinds of bullshit to many DOZENS of providers who have nothing to do with providing the content your browser requested; their only job is to stalk your ass wherever you go on the Internet. Turning on HTTPS won't make them go away.

    Just sitting on the wire and collecting destination addresses, amount of data transferred and timing stats is more than enough to piece together exactly what you're doing even while everything is encrypted.

  11. Google gone batshit insane on Google Proposes To Warn People About Non-SSL Web Sites · · Score: 1

    How much did the CA cartel pay Google to come up with this load of BS? Talk to me about SSL everywhere when everyone is using DANE and CAs have long since gone out of business.

    You don't scare people with warnings like this. Crying wolf only places your users at increased and unnecessary risk.

  12. Re:Manifest silliness on Small Bank In Kansas Creates the Bank Account of the Future · · Score: 1

    Since we're not quite done writing them, what, instead, do you propose we put on paper checks other than the routing number and account number so that the receiving bank can figure out what bank, and what account, to request funds from?

    I won't pretend to know the best approach, yet half-baked ones appear to be easily reachable.

    Something as simple as printing random numbers instead of the bank account number... The numbers get registered with your account when new checks are ordered.

    Or instead of signing the check, one presses a bank-provided magical stamp-like thing against the check to "bless" the transaction.

    It could be as trivial as a challenge-response scheme where checks come printed with challenge codes and the bank-provided stamp writes a cryptographic response.

  13. Re:Racist experiment on Virtual Reality Experiment Wants To Put White People In Black Bodies · · Score: 2

    Black because that is the current big issue in America.

    Aggregate damage to society caused by media professionally trolling for ratings and attention is grossly underestimated.

    Couldn't begin to count the masses of terrified old ladies who think the world is full of pedophiles and murderers because that's all the glowing box ever tells them. Ditto on the number of tools who think there is a terrorist waiting to behead them under every staircase.

    Schools have turned into fortresses with armed guards and draconian "zero tolerance" policies with scary lockdown drills because the media tells us our kids are constantly under attack when in fact actual objective statistics bear out reductions of shooting incidents and deaths decade over decade.

    Everyone is so wound up and scared when they get on an airplane even the most absurd overreactions to any event or inhuman security policies (e.g. genital groping) are deemed acceptable and applauded.

    All these fears directly feed into and influence policy creating their own reality... not a virtual reality but a real reality with real consequences.

    The reason "black" is the current big issue in America is because poking away at tribalism is a train wreck that nobody can resist and it pays off big time as CNN is always rewarded when they do it. From CNN original documentaries on the "N" word to getting black and white talking heads to spew nonsense at each other to praying for riots.

    CNN and other news outlets were right there waiting and hoping for people to show up at the event they all but sold tickets for. They couldn't have picked a more divisive example of police (Ferguson) brutality if they tried to fan an enduring controversy.

    Everyone in the media is caught up in cherry picking events to support their presuppositions when they SHOULD know better. NOBODY is spending time examining statistics and even trying to understand root causes of problems... division sells, chaos sells. If the media really cared they would have been doing investigative reports, but that takes effort and explaining is boring. Taking pictures of shouting and destruction and fires is both easier and more exciting.

    A good step is getting people like you to stop injecting their knee-jerk nonsense into the discussion..we ANY discussion, really

    Next up a TFA about how blackbody radiation has something to do with black people. Even TFA was complete media spin to fit a narrative that never existed in the first place for hits.

    We're all being trolled on a grand scale for profit. Not for fun and jollies but professionally by experts to make money.

    What you don't hear is talk about the treatment of poor people or political calculations affecting their treatment. You won't hear anyone talking about plea deals and assorted selective enforcement regimes allowed to metastasize over decades, granting prosecutors powers they have no business having. You won't hear jack about globalization or aggregation of wealth or the effects of lawyers and jails capturing the legal system. It is all about black people vs. white people. Keep the fucking "morans" fighting each other, we don't give a shit... we have money to make.

  14. Re:Stop it with this crap. on Virtual Reality Experiment Wants To Put White People In Black Bodies · · Score: 1

    I know millennials think they are the first generation that is morally superior and have the answers to everything. But I was playing Mike Tyson's Punch out when your parents were still wearing Zooba's. Not everyone is the racist.

    Punch out was a hoot. Only game that was ever fun to play with the power glove.

  15. CNN breaking news on Virtual Reality Experiment Wants To Put White People In Black Bodies · · Score: 1

    Body paint is cheaper and works better.

  16. Manifest silliness on Small Bank In Kansas Creates the Bank Account of the Future · · Score: 2

    I've often wondered how it is that banks get away with plastering account numbers on every check or who in their right mind would want a credit card tied directly to their bank account.

    Slowness of international transactions is a feature affording banks an excuse to sit on the money day(s), collect interest and then charge exorbitant wire fees on top. Who knows it might also give them some time to review transactions but I doubt it.

    The fundamental security problem with many electronic systems is they operate more like credit cards and less like paypal. Until the equation is changed such that only operation possible is "giving" rather than "taking" fraud detection algorithms don't have a prayer in hell and any "progress" is limited to deck chairs of the Costa Concordia.

  17. Re:So basically.. on French Cabbies Say They'll Block Paris Roads On Monday Over Uber · · Score: 1

    I know, why should the government force rules and regulations on an industry?

    This is not a falsifiable statement. One can apply the same reasoning and analogies to justify ANY regulation.

    Statements which cannot be falsified convey no useful information.

  18. Re: Fun times on Seagate Bulks Up With New 8 Terabyte 'Archive' Hard Drive · · Score: 1

    I've never seen as many bad drives as the 3TB WD Greens, but about 80% of mine are still working fine, and I only had to replace one early. The oldest now has nearly 30,000 power-on hours.

    The 2 year warranty should be enough of a warning to all to stay far away from "green" variants.

    What can one expect to happen when drives are constantly speeding up, slowing down and parking heads?

    What's even worse there is no meaningful difference in power consumption between black and green drives. If you want to save power get a 2.5" drive... any environmental impact is by far offset by reduced lifespan and energy cost of production.

  19. Re:Just in time. on Seagate Bulks Up With New 8 Terabyte 'Archive' Hard Drive · · Score: 4, Informative

    You mean you got hit by the 7200.11 bug and didn't do any research into it to discover that it's a firmware issue with a simple fix?

    It's simple to upgrade the firmware when you can still access the drive; otherwise you have to jigger up a TTL level serial interface and send AT commands to unbrick the thing...lots of "fun".

  20. Re:Freedom of choice on Time To Remove 'Philosophical' Exemption From Vaccine Requirements? · · Score: 1

    Not a big pharma corp, that makes 2 billion dollars a year in vaccine sales and pushes them as mandatory for everyone.

    This is vaccine fascism, to force everyone, regardless whether they want it or not.

    I think this is a valid point. Allowing pharma with a direct conflict of interest to influence legislation and vaccination schedules must not be allowed if you concurrently expect people to trust you.

    Pharma routinely belches out millions in support of various vaccination campaigns and legislation, and is directly responsible for authoring quite a bit of the supporting scientific literature.

    As long as this is allowed to continue, don't expect the public trust deficit to improve. People will just be scared and have no idea "who to trust".

    While I believe in principle not being vaccinated is stupid, so is the scope creep in vaccination schedules.

  21. It's illegal to be naked in most public places, it's illegal to knowingly infect others with dangerous illnesses, so why shouldn't it be illegal to

    I see drag reducing agent has been generously applied to an already slippery slide.

    knowingly be in a public place when you are much more open to infection from dangerous illnesses and thus to infect others with them...?

    Just to make sure there are no misunderstandings: you're advocating anyone with an immunodeficiency disorder be barred from public spaces for "the greater good".

  22. Awesome on Bellard Creates New Image Format To Replace JPEG · · Score: 1

    In the past I would have written this off as great but stands no chance of ever being used.

    Then I looked at the HTML code: just a simple `<IMG SRC="...bpg">` thing and a javascript include up at the top.

    The one problem preventing new significantly better formats from catching on and being deployed in the field is now gone... I can imagine at some point browser vendors ending up adding native support just for the sake of saving a few CPU cycles.

  23. Re:I am by no means a fan of Comcast... on Comcast Sued For Turning Home Wi-Fi Routers Into Public Hotspots · · Score: 1

    The home hotspots also require login prior to use; they can't be used anonymously by non-Comcast customers.

    Interesting claim... Unsecured wireless L2 networks can't be used anonymously. Perhaps not if it were located on Mars or Neptune far from human civilization. Here on Earth I'm pretty sure it can easily be used anonymously.

    All you need to do is wait and hijack the session once an authorized user connects.

  24. Re:Suing over something that can easily be changed on Comcast Sued For Turning Home Wi-Fi Routers Into Public Hotspots · · Score: 1

    Why sue? For $80 she could buy a Surfboard 6141 at Best Buy, and save the money by not paying modem rental. The modem will pay for itself in 10 months.

    My guess they are suing because they don't like Comcast acting like a bunch of asshats and this is the only avenue available to them with any hope of making them stop.

    It isn't so much about any one individual as it is the aggregate effect on the masses of a scheme which uses customers' facilities and power without any compensation and largely without their knowledge while concurrently charging $10/month for rental... strikingly distasteful.

    People should not have to be tech heads to keep from being taken for a ride by cable monopolies in the same way people who are not mechanics or HVAC experts or doctors or loan experts do not deserve to be taken advantage of.

    One of the things that bugs me about America is this mindset that we seem to generally have of, 'sue first, look at other options later, if at all.'

    Yea this sucks all around doesn't it. Monopolies suck, using the legal system to get your way or bully others sucks, people acting like asshats sucks... Society gets what it deserves.

  25. Re:When are Americans going to wake up? on FISA Court Extends Section 215 Bulk Surveillance For 90 Days · · Score: 3, Interesting

    I must be one of those asleep because I fail to see how the USA is a police state. Care to provide any evidence?

    The answer has its own Wikipedia page.

    http://en.wikipedia.org/wiki/I...