You are, in my opinion, much closer to what they are planning than you may realize. Also, before I go any further, I think your solution is better than theirs for reasons I will list later.
By using a worm to distribute the fix they are, in effect, creating a peer-to-peer network. The difference is that in your scenario the machine initiates the upgrade process, while in Microsoft's the machine is given the upgrade. If you are running something critical, you can tell it to wait and come back later. Will Microsoft's worm even ask?
Both are peer-to-peer solutions, with one significant benefit for Microsoft being that it reduces their network traffic. I strongly suspect that is one of the more significant reasons behind this move. This will keep their servers from a potential DOS just from a large number of machines all going to Microsoft Update at the same time.
Your system, however, has a few drawbacks that Microsoft's solution addresses:
Your system relies on something on the (potentially compromised) machine to start the process. Also, your system requires the (potentially compromised) machine to "know" that there is a patch before it can request it.
In Microsoft's solution, the (potentially compromised) machine that needs an upgrade needs only to be connected to a network that has at least one other machine on it and that other machine has the Microsoft patch-worm. The patch-worm will "attack" the unpatched machine and patch it, and then go looking for more machines to patch.
From a technical standpoint, on the surface this looks good. However, many other readers have already brought up some of the myriad weaknesses with this system.
Again, to me this seems like a way to reduce Microsoft's network traffic. I do not see this as a "real" solution, because there are too many "middle men" which can be compromised, and something like this would be fairly easy to counterfeit.
I will agree that we need a better solution (and please don't start screaming "make the OS secure" or "run Linux" or anything like that), but I do not believe that what Microsoft are proposing is the correct solution.
I'm waiting for someone to bring up one of those checklist "your idea won't work because..." replies.
Dude, I'm in South Carolina - it is already a 21st century stone age. I don't have to wait until the 22nd century.
It's the Jedi _mind_ trick. It needs to be able to target a _mind_ in order for it to work.
I'll leave the determination of the answer to the parent poster's question as an exercise for the reader.
To quote MoFoQ "And that Congress declares the RIAA as racketeering bunch of a-holes....(under RICO)."
Riiiiiiiiight. In an election year?
(amusing note: the captcha is "saviors")
Here is the "official" text, straight from page 4 of my US passport.
"LOSS OF CITIZENSHIP. Under certain circumstances, you may lose your U.S. citizenship by performing any of the following acts: (1) being naturalized in a foreign state; (2) taking an oath or making a declaration to a foreign state; (3) serving in the armed forces of a foreign state; (4) accepting employment with a foreign government; or (5) formally renouncing U.S. citizenship before a U.S. consular officer overseas. For detailed information, consult the nearest American Embassy or Consulate, or contact the Office of Citizens Consular Services, Department of State, Washington, DC 20520-4818, or call (202) 647-3444."
Disclaimer: That passport was issued eight years ago, so the text may have changed.
(I find it amusing that the captcha for this post is "jailing".)
-Q
Also,
serving in a foreign military in an action against the USA will do it automatically without regard for your rank.
And, taking a "high elected office" (with no definition of "high" in this context given) will do it as well. The catch is the word "high". What counts? Mayor of a small town? Mayor of the largest city in the country? How large of a city does it have to be? The largest city in China has more people than all of Monaco, for example.
It's a bit vague on that last one, but also it is one that I suspect would not apply to the majority of the readership here at Slashdot.
I've investigated this issue quite thoroughly.
Yes! Finally, a "Red Dwarf" meme we can use!
If I may comment on #4, I would like to suggest a slightly different approach, one that I have seen work quite well.
I worked for a short time as an "administrator" in the Commonwealth of Massachusetts Department of Corrections. During my "watch", so to speak, we implemented a special facility for exactly those inmates mentioned in your point #4 - non-violent drug offenders. These were people whose only crimes were directly related to their substance abuse.
These people were given mandatory treatment (that is, NA/AA groups, etc) and were kept away from the "regular" criminals. The result: Less than 1% repeat offence rate.
Please, help them. There is a model in Massachusetts that worked very well about 20 years ago when I was there.
If I'm still a US citizen in 2016, I'll watch out for your platform. You'll get my vote (especially if you consider my "amendment" to your point #4.)
-Q
Your reasoning on the telephone situation is sound, but you have overlooked something: VOIP. I have received telemarketing calls from overseas, and it was obvious by the sound quality that it was a VOIP call. The caller even confirmed that he was calling from India.
Unfortunately, they have already figured a way around that law if they want to do it.
There is a difference between the cyclogyro and the autogyro (gyroplane). The cyclogyro uses powered rotating wings to generate the lift. The engine actively turns those rotating wings, which rotate along the sides of the aircraft.
An autogyro, however, uses a propeller, just like a fixed-winged prop-driven aircraft, to generate thrust. The rotary wings are on the top of the craft and are _not_ driven by the engine. They are in "autorotation", which means they rotate because of the other stuff going on around them (movement relative to air d/t thrust, etc). This autorotation (one-directional clutch) generates lift.
They are very different aircraft. The autogyro / gyroplane is well known and understood. The cyclogyro, OTOH, is a bit of an odd design. It would be interesting to see one work.
The difference between a "lost password" and "cracking someone else's password" revolves around the legal right to access the information.
"lost password" situations (obviously, not an exhaustive list):
I could forget a password for something. I've done it before, and I'm sure I'll do it again.
I could be hit by a bus and my employer will need access to my encrypted files. (Granted, we have a better system to handle this, but I think you understand.)
"cracking":
trying to access your soon-to-be-ex-wife's files to find evidence that she's having an affair.
trying to access files you "found" or copied that you really should not be reading anyway.
As you can see, the main difference revolves around the legal right to access the information. They are both "password recovery" or "password cracking", but the former has connotations of legitimacy while the latter (in most social circles, at least) bears a connotation of illicit activity.
That said, I agree that it will more likely be used for illicit activity, but this application clearly has legitimate uses as well.
I am not sure this could be patented. (IANAL, etc.)
This looks like a new spin on the old Commodore 64 trick of pushing computation tasks off to the CPU in the model 1541 floppy drive. It is interesting that someone has done it. I am sure many of us have thought about this, but the folks at ElcomSoft actually did it.
Pretty cool, IMHO. Also, somewhat frightening.
And, just for fun, I need to add the obligatory "...but imagine a Beowulf cluster of these!"
Actually, that would be interesting - sort of a nested cluster effect.
Gege (I can't make Slashdot show the Chinese characters for this) means "Older brother", so "Big Gege" is redundant in this context.
There are ways to detect this type of alteration. One of my fellow doctoral candidates was working on it while we were at the university together. I graduated and lost contact with him, since my research was not even remotely related to image processing.
What I do remember is that when he explained it, it was quite impressive and very, very difficult to circumvent.
Short story: Think of the ways people can ID those faked 9/11 pictures where the guy was supposedly on a balcony when the plane hit. Now, apply some of those same analyses mathematically to the data in the image file rather than simply observing the image produced by rendering the data. It involves fractal analysis and comparisons between the different elements of the image in order to identify the parts that were added to the image.
Then again, I wonder how many law enforcement agencies are aware of this technique. I hope enough will be so that innocent people are not jailed.
I hope they catch the RIGHT guy and put him away for a very long time. Child molesters do not last very long in US prisons by what I've heard.
Not a strange choice at all...
If you read the site, people go to this site to post questions when they are having problems. It is not only a "security" site for those of us who are security practitioners, but it is also a forum where non-security people can ask questions or ask for help.
Actually, it's a great target because one would think that a security site would be safe. And, due to the nature of this attack, there is not much that the site's operators could have done to prevent it (other than the obvious use SSL, which I still don't know why they didn't do that).
So, in retrospect, it makes perfect sense. This is sort of why some criminals dress up as various "trusted" types of people - they play on that assumed trust.
I agree with what I believe you are saying.
However, the problem lies not in those who understand security, but in those who control budgets and make the policy decisions. I am sure I am not the only security person who has had his or her technically (and financially) sound recommendation overturned by a non-technical manager.
The people we need to consider here are those who make business policy decisions. Remember, these are the same people who insist on everything being Microsoft and who believe everything that Gartner's analysts say.
Since when have Microsoft been distributing Linux? I suspect that Mr. McBride is mistaken or perhaps this is simply a desperate grab at anyone who has money. (Note he did not go after Ubuntu, etc. - only "deep pockets")
I have several friends in China with whom I communicate on a daily basis via the Internet. I am sorry, but I do not see this fear of which you speak. We discuss just about any topic we wish, in a free and open discussion. They also have done wonders for my ability to use their language, and I hope that I have helped them with their English.
I do not believe that the Chinese government fears the internet. I think that it is concerned for its citizens and wants to exercise the controls that it feels are appropriate. BEFORE YOU START FLAMING ME, keep in mind that the USA prohibits certain things on the Internet that are legal in other jurisdictions.
Again, I feel that it would be easy for the Chinese government to control Internet gaming as you have suggested, but I do not believe that they intend to do that to the extent that your post implies.
It would be very easy to impose a curfew on Internet cafes and solve the problem. I feel they are taking their time to find a moderate approach.
-Q
I will concede that point in that your statements discussing a lack of "truthiness", etc., appeared to me that you were implying conspiracy. Mea culpa.
-Q
I see no reason not to believe it.
What would the Chinese media or the Chinese Government gain from this?
There's no reason to release details. It would only embarrass the gamer's family. Having an addiction is a weakness, and the media did (IMHO) the right thing in not releasing the gamer's name. There is no reason to shame the gamer or the gamer's family.
Also, if the Chinese Government wanted, they could easily impose a curfew on Internet cafes such as the curfews that are imposed on bars in the USA. In many states they are required to close after a certain time, such as 2AM or 4AM and not reopen again until something like 10AM or noon. It would be very easy to impose such a curfew and require that the facility remain closed for a period of at least 6 or 8 consecutive hours out of each 24 hour period, though exceptions could be granted for tournaments, etc.
The Chinese government are serious about battling this sort of thing, but as you can see they are not going to resort to a knee-jerk reaction and start shutting everything down. They are trying to find a proper balance.
I'm sorry, cduffy, I do not see a conspiracy here. I respect your opinion, and I can see how you arrived at it, but from my experience and what I have learned about China from my Chinese friends I do not see a conspiracy here.
-Q
Except that even with following the instructions for gtkpod very carefully it still borked my iPod mini. And I lost some music in the process. Sorry. I'm not that confident in 3rd party solutions for my iPod quite yet.
I am glad that they're still working on it, because I feel that people should be able to do this (on general principle). It's an audio player. I don't see why it is such a big deal to Apple that it only work on OS X and Windows, but that's why I'm a scientist and not a business person.
-Q
First, I applaud your determination to uphold the implied freedom to do what one will (within reason, of course) with something that someone owns.
However, if you are in the USA you are running the risk of Apple invoking the DMCA.
I hope they don't. I hope you succeed. I firmly believe from a technical standpoint it can be done. My concern is the legal ramifications.
I find it curious that as far as I can tell from the "Who we are" page, the highest degree anyone has in Computer Science is a Masters, yet they have several Ph.D.s in policy, economics, etc.
I would think that a think tank dedicated to IT policy and innovation would have at least one CS/CIS Ph.D. on board.
Maybe that is intentional. Maybe they don't _want_ someone with high-level qualifications in the technical areas. Maybe they are a corporate front group used to foist their agenda in the guise of "research".
Or maybe they just could not find anyone willing to do it.
I still don't trust them.
This is not the case in all states.
In South Carolina, for example, they alternate the state and federal office elections just as you recommend. The theory behind this is that the local parties can focus their attention on either the state offices or the federal offices in each two-year half of the four-year election cycle. It also has the benefit of the currently seated officials being able to campaign on behalf of their fellow party members for the office that is up for election. Mr. Bush made appearances on behalf of Governor Sanford, and I am sure that Mr. Sanford will make appearances on behalf of the Republican candidate once the party selects one. (SC is a very red state, so to speak. I am not endorsing any party here, just citing examples from where I live.)
I agree with the "federal holiday" approach as well. I believe they do this in Australia.
Actually, I see something a bit more sinister...
Imagine the use of this technology to allow MS to overwrite or replace ads? Now Google's ads will be downloaded but no-one will see them. No click-throughs. Reduced (or no) revenue for Google, and most likely no way to stop it from happening. Microsoft have control of the OS code and could easily make it (nearly) impossible to circumvent this. (OK, I know it is only a matter of time, but what I mean is that it would be quite difficult, involve hidden and changing APIs, threats of DMCA suits, etc.)
Another abuse of this technology heralds back to the DVD. I predicted this one and then saw it happen. In the USA (I've not seen this on my foreign DVDs), there is a section on a video DVD that will play when you first insert the disc. You cannot skip this section. It was intended for the FBI / InterPol warning about copyrights. However, that same section on the DVD is now being used for advertising. I first saw this on a free DVD attached to a cereal box (for the kids - Muppets From Outer Space) but I have now seen this on discs that I have purchased.
Welcome to Corporate America.
I, for one, do not welcome our new invasive advertising overlords.