Slashdot Mirror


User: querist

querist's activity in the archive.

Stories
0
Comments
310

Comments · 310

  1. Re:what kind of programmer on Hard Evidence of Voting Machine Addition Errors · · Score: 2, Insightful

    Use Microsoft Excel?

  2. Re:Simple solution? on Hard Evidence of Voting Machine Addition Errors · · Score: 1

    There is one unfortunate side effect of your plan that may, in fact, render it illegal.

    IANAL! However, it is my understanding that there are no "receipts" that voters keep for elections specifically to prevent coercion of votes. I am not sure if this is a genuine legal requirement or just a very good idea that has become a standard, but either way it is a very good idea.

    Sorry.

    This problem has been addressed by many researchers, and there are quite suitable solutions that can be mathematically demonstrated to be secure (barring physical security issues that could only prevent votes from being counted, not allowing votes to be added or altered).

    The fact that the powers that be have not even invited these recognized experts to assist in this process, to me, indicates that they _want_ a corruptible system. These experts have offered their services because they believe in the overall process. The fact that their offers were rejected and the systems were designed by people who were not qualified indicates that the system is failing, or has already failed.

    This is a sad turn of events for a country that, at one time, stood as a beacon of democracy. Some other country will step up to the plate and fill that void. It will be interesting to see which country that will be. Any guesses?

  3. Re:Public Key Cryptography and Message Signing. on Researchers Infiltrate and 'Pollute' Storm Botnet · · Score: 2, Interesting

    For your first point (1), there are some issues:

    The encryption itself will only be partly effective, since the bot needs to have the decryption key available, it would simply be a matter of analysis to locate the key. This would allow researchers to intercept messages headed to the bots.

    Messages to the Command and Control will still be protected if public-key crypto is used.

    The signatures will not be able to be faked, so your approach is correct in that it would prevent the researchers from injecting commands.

    And for point (2):

    The bots can use PKI to talk among themselves, but because each bot will have its own keys (and how will they negotiate keys to encrypt?) the process should be at least observable at a much deeper level unless the programmers are very careful to have considered a man-in-the-middle attack and, for example, used signed keys. This would prevent forgery of signatures, but would still allow the researchers to intercept any communications for a bot which the researchers can control. A small percentage, but in a lab this could allow the researchers to decode at least some of the "Secret Handshakes" used, those being the ones for bot to bot communication.

    Communication TO the Command and Control, however, would remain inaccessible.

    However, public key encryption is notoriously hard on the CPU, requiring many more cycles when compared to a similar (equal protection from brute force attack) symmetric algorithm.

    I guess your approach will work partially, but enough to make life difficult for "the good guys".

  4. Re:thinking about it... on US Spies Use Custom Video Games for Training · · Score: 4, Informative

    That should be: Cogito cogitare, ergo cogito esse. You need to use the infinitive (cogitare, esse) in those cases, not the present active indicative.

  5. Re:Crypto requires good integration on Fujitsu HDD with AES 256-bit Encryption · · Score: 1

    I agree with your second and third points, so I will not comment further on those.

    However, I must take exception to your first point, if only from a technical standpoint.

    Doubling the key size dramatically increases the security in the one way that can be a standard for such things: the time it would take to perform a brute-force attack.

    2^128 is approximately 3E38. 2^256 is approximately 1.15E77.

    Since there have been no published successful attacks against AES in its full form (no reduced-round versions) with a "normal" sized key (128 or 256), the "best" attack other than exploiting an implementation flaw would be a brute force attack. (Being better than brute-force is one of the benchmarks to determine if the "attack" "works".)

    Granted, in either case we are looking at a very, very long time and massive amounts of computing power to brute force AES 128 or AES 256. However, we are also looking at nearly 39 orders of magnitude difference.

    Given the current state of the available technology, going from 128 to 256 bits in the AES key makes no practical difference, but from a mathematical and cryptological standpoint, the difference is significant.

    Also, as computers become faster and more powerful, the 128-bit key will fall long before the 256-bit key (barring quantum cryptography living up to the hype).
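    As an added illustration of the arithmetic in this comment (not part of the original post), the following Python computes the brute-force work factor for the two AES key sizes. The trial rate of 10^12 keys per second is a constructed assumption chosen only to make the numbers concrete, and the Grover option reflects the square-root speedup a quantum search algorithm would give over classical brute force, which is the "quantum" caveat the comment raises.

    ```python
    import math

    SECONDS_PER_YEAR = 365.25 * 24 * 3600


    def brute_force_years(key_bits, keys_per_second, quantum_grover=False):
        """Expected years to find a key by exhaustive search.

        On average an attacker tries half the keyspace before hitting the
        right key, hence 2**(bits-1) trials. With Grover's algorithm the
        effective key length is halved; treating one Grover iteration as one
        classical trial is a simplifying assumption made here for illustration.
        """
        effective_bits = key_bits / 2 if quantum_grover else key_bits
        expected_trials = 2 ** (effective_bits - 1)
        return expected_trials / (keys_per_second * SECONDS_PER_YEAR)


    def orders_of_magnitude_gap(bits_a, bits_b):
        """How many powers of ten separate 2**bits_a from 2**bits_b."""
        return (bits_b - bits_a) * math.log10(2)


    def workfactor_ratio(bits_a, bits_b, keys_per_second=1e12):
        """Ratio of brute-force effort for bits_b versus bits_a (rate cancels)."""
        return brute_force_years(bits_b, keys_per_second) / brute_force_years(bits_a, keys_per_second)


    if __name__ == "__main__":
        rate = 1e12  # constructed assumption: one trillion key trials per second
        for bits in (128, 256):
            classical = brute_force_years(bits, rate)
            quantum = brute_force_years(bits, rate, quantum_grover=True)
            print(f"AES-{bits}: {classical:.3g} years classical, {quantum:.3g} years with Grover")
        print(f"orders of magnitude between 2^128 and 2^256: {orders_of_magnitude_gap(128, 256):.2f}")
    ```

    The gap between the two key sizes is itself 2^128, which is why doubling the key length multiplies, rather than merely doubles, the brute-force effort. The Grover figures show why AES-128 is the size that would fall first: its effective strength against a quantum search is 64 bits, while AES-256 keeps 128 bits.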

  6. Re:No thanks on Fujitsu HDD with AES 256-bit Encryption · · Score: 3, Insightful

    Unfortunately, it was not zero if the Ars Technica article is accurate. It was very close to zero, two cached thumbnail pictures, but apparently it was enough.

    It's frightening. According to the AT article, numerous computer experts offered their opinions that boiled down to "It's not his fault. The browser put them there and he didn't know they were there or how to remove them."

    I would be very afraid of a court that would throw out (supposedly) expert opinions just to gain a conviction with regard to a truly evil (imho) crime.

  7. Nice computer ya' got there... on Microsoft "Albany" Offers Office and Security as Subscription · · Score: 1

    I can't believe no one else has said this one yet...

    The obligatory:

    "Nice computer ya' got there. It'd be a shame if anything happened to it."

    Selling security updates as a SERVICE? It may be legal. It may make good business sense and maximize returns to stockholders, but dyn bach, it's unethical in my book.

  8. Re:History on Chinese Blogs, Netizens React To the Tibet Issue · · Score: 1

    It also gave us one of the best "one liners" from the entire war: the "Axis of Weasels".

  9. Re:I for one do not welcome the new 4th ed overlor on D&D 4th Edition Game System License Announced · · Score: 2, Interesting

    OK, since you started it...

    I was a DM as well, but in one campaign (AD&D 2nd Ed) back in the 80's I was playing a halfling psionicist. My poor DM never saw this one coming...

    DM: The ogre approaches.
    ME: I place a psionic portal on the ground directly below his feet.
    DM: Where is the other end?
    ME: About four feet above it.
    DM: And why are you doing this?
    ME: Do the math. (that was a "catch phrase" we had back then.) He will continue to accelerate due to gravity. Give him a minute or so of freefall and then close the portals. He hits terminal velocity and hits the ground.

    We did the math. The ogre did not survive the fall. :-)

    I always enjoyed campaigns where creative thinking would win the day. It was always fun to come up with something that the DM didn't consider and then have it work.

    (I also find it amusing that the captcha is "forfeit")

  10. Re:Plants on the moon/Mars/elsewhere on Growing Plants on the Moon May Be Feasible · · Score: 1

    "So after reading the article like a good slashdotter,..."

    You must be new here. :-)

    (I've wanted a good reason to use that line. Thanks!)

  11. Re:Sooo on Concept Computer Based on a Tea Cup Design · · Score: 1

    Just don't put alcohol in it when running Mathematica (TM) or anything similar.

    Remember: Maths and alcohol don't mix. Don't drink and derive!
    MADD: Mathematicians Against Drunk Deriving.

  12. Yes, you can (sort of) - here's how on Blocking Steganosonic Data In Phone Calls · · Score: 1

    There is a very interesting program named hydan http://www.crazyboy.com/hydan/ that does something very interesting.

    It looks for numeric operators and, using certain rules such as changing the subtraction of a constant to the addition of a negative constant, will change some and leave others alone to encode binary data. The executable's hash is changed, obviously, but its functionality is not, and you can encode a message within an executable in a manner that would be difficult to detect, especially if people do things like subtracting negatives as a sort of "signature" to detect stolen code.

    Share and enjoy.

  13. Re:Where's the chapter on... on Windows Forensic Analysis · · Score: 3, Insightful

    South Carolina is considering such a law, and there are several states that already have one.

    Also, there are several good certifications out there, such as CCE and GCFA (SANS/GIAC). I know there are others that are only available to law enforcement (which I am not).

    I find two things troubling about this trend:

    1. It seems to be an effort for PIs to grab a new market and ensure their exclusive access to a market. (I know - police can do this, but I'm talking about making a profit doing it.)

    2. Whenever governments start to regulate qualifications for a profession, qualified people are going to be left out or unqualified people will be let in. Either they insist on one specific certification or accreditation, and excellent people without the cert suffer, or they "grandfather" current practitioners and we obtain people who are not qualified. An alternative to the traditional "grandfather" clause could be to "grandfather" current practitioners and give them a license cycle (or some other reasonable period) to meet the requirements. E.g., if the license lasts for two years, you have two years to meet the official requirements or your license will lapse.

    I would strongly recommend continuing ed (which the good certs require) as well, just like doctors, nurses, and engineers (as well as others).

  14. Re:Better connectivity in China on US Broadband Policy Called "Magical Thinking" · · Score: 1

    I live just outside of Roebuck, in Spartanburg County. Yes, it's rural, and so is the majority of South Carolina. So, while the larger cities have broadband, that only reaches a small portion of the population.

  15. Better connectivity in China on US Broadband Policy Called "Magical Thinking" · · Score: 5, Interesting

    I don't know about Washington, DC, (which I suspect has great broadband) but where I live in South Carolina all I can get is dial-up. I get better connectivity when I'm in China.

  16. Another one for you on Counterfeit Chips Raise New Terror, Hacking Fears · · Score: 4, Funny

    I wanted to mod this up (funny), but I decided to comment instead...

    My brother has a Shrap calculator. (Yes, S-H-R-A-P, not Sharp). The lettering looks exactly like the lettering used by Sharp during that time period (1980s). He keeps it for the humor value.

    "From Shrap minds come shrap products..." :-)

    This kind of thing really does happen.

  17. Re:Well on Should Scientists Date People Who Believe Astrology? · · Score: 1

    With all due respect, Ted, I am going to take issue with your reasoning (but not your conclusion).

    You need to keep in mind, as another poster commented, that many of these "predictions" can turn into self-fulfilling prophecies, such as the "there will be trouble in the relationship" example that the other poster mentioned.

    Also, it is entirely possible for an astrological prediction to seem to be accurate. However, in order to demonstrate some form of real causality or other strong relationship we need to demonstrate that the prediction was accurate and there was no other reasonable way that the prediction could have been made.

    For example (since you brought up meteorology) let us suppose that the meteorologists predict a bright, warm, sunny day. Many, many meteorologists all agree that it will be a nice sunny day. They apply all of their scientific understanding to the observable facts and current scientific theory and they all predict a nice, sunny day.

    Now, let us consider two possible predictions from the local astrologer (there are more than two, but two should demonstrate my point).

    Astrological prediction 1: nice, sunny day.
    If we have a nice day, then the astrologer could claim that astrology was correct. However, since other, recognized scientific methods _also_ predicted the same outcome, I would personally be inclined to believe the scientists.

    Astrological prediction 2: snow.

    OK, that is an extreme, but still -

    Prediction 2, outcome 1: Astrologer is wrong.
    This is what we would expect, and while most would then conclude that astrology is bunk, we must consider that the sole astrologer misapplied the techniques and failed.

    However, if we have a group of astrologers who all independently applied their techniques, came to the same prediction, and were still all wrong, then we _may_ be able to say that astrology is bunk. However, we still cannot firmly conclude that based on one failure. We would need a decent history of failures (which I believe we can find readily by pulling past predictions) in order to make a reasonable assumption that future predictions would have little more possibility than chance of being right.

    Prediction 2, outcome 2: Astrologer is correct.

    If the astrologer is correct and the scientists are wrong, then we have an interesting situation. The astrologer can claim to have access to a superior knowledge that allowed the accurate prediction in the face of the failed scientific understanding. However, a scientist would conclude that there is a gap in the scientific understanding and would then proceed to determine what that gap would be in order to correct the scientific model being applied.

    However, one accurate prediction would not prove astrology is correct, especially one prediction from one astrologer. We would need multiple predictions, all correct, to even begin to suspect that it may be correct.

    Then we need to have independent, "non-believers" trained in the methods (since astrologers claim theirs is a "science" of sorts) and have these impartial third parties apply the techniques, perhaps checked by a "qualified" astrologer before the prediction would occur to verify "correct" application of the techniques.

    That is the beauty of the scientific method. A true science should work no matter who is doing it as long as the same processes and procedures are followed. Once you get into the idea that someone requires a "gift", such as psychics claim, then you move away from the realm of science. Even then, the presence of that "gift" can be confirmed by a similar test, such as using a Zener deck (http://skepdic.com/zener.html) (a technique using cards that otherwise parallels the test performed on the young Anakin Skywalker in Star Wars, Episode I). With proper controls, a believable test can be conducted.

    Again, Ted, I agree with your conclusion. I only object to how you arrived there.

  18. Re:Well on Should Scientists Date People Who Believe Astrology? · · Score: 1

    You raise a very interesting point: conflicting Zodiacs.

    I don't believe any of this zodiac stuff, but I have looked into it out of curiosity and in an attempt to understand those who believe it.

    I find it interesting that I am a Scorpio and I was born in a "Snake" year in the Chinese Zodiac. Those two signs are very, very similar. However, the western zodiac is 12 signs per year and the Chinese zodiac is one sign every 12 years, so it was a 1/144 chance that I would be born under signs in both systems that happen to be so similar in the implications of the signs.

    What, however, would you do with someone who was born in a "Boar" year but in the western sign of "Scorpio"? Pretty much diametric opposite signs.

    My point is that there are conflicting systems, each of which claims to explain things. It is the conflict that makes this interesting, because people seem to believe each system, even when conflicts exist.

    Do Chinese zodiacs only apply to Chinese? Asians in general? People _born_ in Asia without regard to ethnicity? What about western zodiacs? And, I am sure there are myriad other systems that could introduce more conflicts.

    I would suspect that this alone would either cause a rational person to suspect that something is not right with the whole zodiac thing, or cause one to claim (perhaps with near-religious fervor) that one system is correct and the others are wrong.

    Thus, I can see how many would compare this to religion, if only for the fervor with which adherents hold on to their beliefs when confronted with contradictory reasoning.

    (I find it amusing that the captcha is "dateline" - sort of makes me think of one of those "dating" chat lines one would see advertised on very-late-night television.)

  19. Re:Fine for anonymous user on State Lawmaker Wants To Ban Anonymous Posting Online · · Score: 1

    They'll contact the RIAA for advice on that one. They seem to be allowed to file myriad "v John Doe" legal actions.

  20. Good idea, however... on Google Says Spam, Virus Attacks to Get More Clever · · Score: 4, Insightful

    The underlying concept of your idea is good.

    However, I can see a few issues that would impact the rate of adoption and the overall utility of your approach (assuming, for the sake of simplicity, that the cryptographic aspects are implemented in a truly secure manner, the crypto itself is strong, etc. I fully realize that this is like the proverbial "frictionless surface" and the proverbial "ideal conductor" used in science books. I'm just trying to cover the big points here, OK?):

    1. It will not happen until Verisign (for example) decides that there is enough of a market that they can make a decent profit.

    2. It will either price small businesses out of the market (given Verisign's prices, this is likely) or the price will be such that small businesses can afford it and then so can the spammers. Before you start claiming that is why there is a vetting process, I would suggest that hurdles low enough for small "mom-and-pop" businesses to jump will be low enough for a determined spammer.

    3. Either we need a "Root CA" mechanism like other certificates (again, profit and "are you sure you can trust this") or the whole "web of trust" thing from PGP. The web of trust would be difficult in that it would make legit messages appear fake until you can determine it. Also, how would "Joe Sixpack" know the difference between a legit cert for the IRS and a faked one?

    Your idea is good. Unfortunately, the current environment is not ready for it. I hope we will see the day when it will work.

  21. Re:Do They Have Slashdot in China? on Olympic Web Site Features Pirated Content · · Score: 1

    I'm flying out on Wednesday (will land Thursday d/t time zone diffs and length of flight). I'll try to check in sometime during the 10 days I'll be in China.

    That will answer your question. I did not check the last time I was in China (last November). I do remember that my connection was _really_ good from the hotel in Guangzhou, using a friend's laptop running the Chinese edition of Vista Home Premium.

    Again, I'll report back either while there or when I return on the 24th.

    (Editors, please feel free to contact me if there is anything specific you want me to check while I'm there.)

    -Q

  22. Re:A/V bloat due to antiquated approaches on Anti-Botnet Market is Black Eye for AV Industry · · Score: 2, Interesting

    That sounds like an excellent idea. However, it is nowhere near as easy as it may seem at first. My doctoral research was on a similar problem, identifying intrusion attacks based on behaviour and not signatures. I know people who are working on exactly what you have suggested from an anti-malware perspective. These are people working on their dissertations. This is a rather complex problem when you dig into the details.

    Your overall approach is a very good one, and it is one that has been attempted several times before. As AI theory improves and computers become more powerful, we will move closer to being able to do what you have suggested. Unfortunately, from what I have seen, don't hold your breath waiting. We will need to rely on signatures for a while yet while researchers work out the details on how to make a heuristic-based system work adequately.

    Remember, we need to defend against anything and everything. The "bad guys" need only find _one_ weakness to exploit it and gain entry. It's a difficult battle, and we (the "white hat" crowd) are always playing "catch up".

    If you _really_ want to see it happen, go to grad school at a university known for its InfoSec program and do it as your Master's / Doctoral research. Others are working on it, too, but as we often read here on Slashdot, there can be a significant advantage to more eyes examining an issue.

    My research is headed in a different direction, but I'd be happy to discuss what I know about this issue in greater detail with anyone who would be interested in pursuing the matter.

  23. Re:This... on Anti-Botnet Market is Black Eye for AV Industry · · Score: 4, Informative

    The two sets are not mutually exclusive. It is possible for a "virus" (or a "worm") to include spyware functionality, but just because something is a virus or a worm does not mean it is spyware. Spyware is often installed by either a "drive-by download", where a website pushes something onto your computer without you knowing about it, or it is included with some other application. However, it _can_ be installed by a virus or worm. (Or, for that matter, through an active attack and exploit such as via someone using Metasploit for less-than-noble purposes.)

    Being included with another application may or may not qualify it as a member of the set "Trojan Horse", depending entirely if the application intentionally installed includes the spyware in its function or if the spyware is a secondary piece of software that is not directly announced. A "Trojan Horse", in the software sense, is a piece of software that reportedly does one thing but actually does something else, either with or without including the reported functions.

    However, I agree with what I believe to be the general, prevailing thought that a user should need only one anti-malware application that should be able to handle all of these. I also believe that "defense in depth", when possible (corporate environment, for example) is the best approach. I look at it this way: just because the castle has really high walls and good archers doesn't mean that the guards inside the castle shouldn't be carrying weapons of some sort. The only issue with many "anti-virus" products is that they take so much CPU time and other resources that they negatively impact the overall usability of the computer.

    As a security professional, this irritates me as well. I agree with the Yankee Group's analysis that this amounts to "double-dipping", and I feel it is ethically wrong. However, in a (supposedly) free-market economy, these things will happen until the market sorts them out. (I am _not_ an economist. My speciality is InfoSec.)

  24. Re:Why not? on Utah Wants To Give ISPs That Filter a "G-Rating" · · Score: 1

    Google (and perhaps Yahoo!, but I rarely use Yahoo!) would be one of the sites blocked by those ISPs.

    Have you searched Google Images? All you need to do is turn "Safe Search" off and nearly any search string will bring up images that would fall under the proposed ban. Since Google serves up those images, they are a "site" that offers "objectionable material" and would, therefore, be blocked by the participating ISPs.

    To me, at least, it makes sense why the search engines would object.

  25. Open? I don't think so on China Plans to Surpass the U.S. in Nanotech Development · · Score: 3, Informative

    Quoth the poster "What scares people about China is not that it is getting ahead but that we're open to their citizens but they are not really open to us"

    I must disagree. I've been to China, and I'm going back soon. It was _very_ easy to obtain a visa as an American citizen.

    I have a very dear friend in China who wanted to come here. She could not obtain a visa - a tourist visa - to visit the USA. The requirements and the questions asked are amazingly intrusive. It is very difficult for a citizen of the PRC to obtain a tourist visa to come to the USA.