I saw someone earlier mention Verizon offers the unlimited family texting for $15.00 a month. If they had that, it would take 73.3 months to equate to $1100.00. Then again I can't believe she's smiling and on the thumbnail pic for that story. Her family should ban her from texting anything even if it SNF (so not fair).
Hell, I'd probably make her stand in front of Wal-Mart with one of those big signs and it'd say "I'm a loser - I raised my parents cell phone bill by $1000 because I am a moron."
So name one remotely exploitable vulnerability in IIS 6.0. Should be simple, right? I'll pay you $16,000 when you point it out. :D And no, pointing to an ASP vulnerability that requires the user to be able to upload and execute the file doesn't count.
..and one of them repeats: L O L
Yes, yes they should patch them all. Personally it'd eat away at me knowing I could spend a few minutes, hours, or days to fix a vulnerability in my software. I don't think I could take pride in what I do if I just leave crap like this around because I don't have to fix it and don't think it's important unless someone finds it publicly. I'm glad they fix the HIGHs (however they rate this.. who knows?) and the publicly disclosed ones. But why not fix the small ones as you find them? It's a little bit of embarrassment every time an issue is found. This is one less piece of embarrassment. However, maybe it's the quasi-perfectionist in me, I couldn't imagine not fixing this stuff.
I know I am a bit late here as there's already like 200 replies but here we go anyway. First, if the system has been flawed this whole time, it will also reduce the estimated mileage for a non-hybrid vehicle. So if a Hybrid rated at 60 mpg loses 10 mpg.. that's a 16.6% drop. If a car rated at 20 mpg loses 3 mpg that's a 15% drop. You're looking at about the same cost-efficiency at this point.
In any event, why do people always complain about the EPA rating? You've known how it's been done for a while. You basically have a comparison of cars at their same "unrealistic" measurement. So you know your car Y is X-times better/worse than car Z in this test. Who relies on a single set of tests for their data anyway? EPA updating it to be more realistic is great, as it will probably more accurately report the mileage. But it still won't be perfect, so what? Guess how long it takes to test your gas mileage yourself? I don't know.. a week on average? How long does it take you to fill up all the way, reset the meter, and wait for the gas light to be on for a while? Not rocket science, and there are plenty of websites of car owners that report what they're actually getting.
Regardless of whether or not this provides a "false sense of security" it is a good idea. It would certainly be better than nothing. It won't really provide a false sense of security any more than a phishing toolbar, antivirus software, or e-mail filtering. Right now people search for stuff on Google and click the link. There is no false sense of security. People are already assuming the websites are safe. If Google steps in and says "hey, this site isn't safe", then at least people have advance notice and choice.
I see references to common things like widgets, but I don't see that as the most commonly attacked/exploited part of websites. Sure it's a real issue and is common (yes, AdSense was hit with this kind of attack), but I hope they look for a lot more. One of the most common these days is the surprise addition to website sources of iframes with widths of 0. Or new and sudden references to .js files or new obfuscated JavaScript. If they look for all of this and possibly analyze/process it, they can go a long way to stop this type of malware. This feature, if implemented correctly, is a win for everyone on the Internet... well, except the bad guys. :)
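The three indicators named in that comment (zero-width iframes, newly appearing external .js references, and obfuscated inline JavaScript) are easy to check for mechanically. The scanner below is an added example, not code from the original post or from Google; the sample page, the host names ending in .test and the allowlist of known script hosts are all constructed for the demonstration, and the obfuscation heuristic (a decoder call such as eval/unescape plus a high count of %xx or \xNN escapes) is a simple assumption, not a published rule.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page: a "clean" site into which a zero-width iframe and an
# obfuscated script have been injected. Fabricated test input; the hosts are
# not real and the payload is a harmless hex-encoded string.
SAMPLE_HTML = """
<html><head>
<script src="/js/site.js"></script>
<script src="http://cdn.example-third-party.test/x.js"></script>
</head><body>
<p>Welcome</p>
<iframe src="http://bad.example.test/load.php" width="0" height="0"></iframe>
<script>eval(unescape('%64%6f%63%75%6d%65%6e%74%2e%77%72%69%74%65'));</script>
</body></html>
"""

# Script hosts the site owner expects. "" covers relative URLs on the same origin.
# Anything else is a "new and sudden reference" worth reviewing.
KNOWN_SCRIPT_HOSTS = {"", "www.example.test"}

# Decoder calls that legitimate page code rarely needs in this combination.
OBFUSCATION_MARKERS = re.compile(r"eval\(|unescape\(|String\.fromCharCode|document\.write\(")


def looks_obfuscated(js: str) -> bool:
    """Heuristic: a decoder call plus at least 8 %xx / \\xNN escape sequences."""
    escapes = len(re.findall(r"%[0-9a-fA-F]{2}|\\x[0-9a-fA-F]{2}", js))
    return bool(OBFUSCATION_MARKERS.search(js)) and escapes >= 8


class InjectionScanner(HTMLParser):
    """Collects (finding_type, detail) tuples while walking the HTML."""

    def __init__(self, known_hosts):
        super().__init__()
        self.known_hosts = known_hosts
        self.findings = []
        self._in_script = False
        self._script_buf = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "iframe":
            width = (a.get("width") or "").strip().rstrip("px")
            height = (a.get("height") or "").strip().rstrip("px")
            style = (a.get("style") or "").replace(" ", "").lower()
            if width == "0" or height == "0" or "display:none" in style or "visibility:hidden" in style:
                self.findings.append(("hidden_iframe", a.get("src", "")))
        elif tag == "script":
            src = a.get("src")
            if src is not None:
                host = urlparse(src).netloc.lower()
                if host not in self.known_hosts:
                    self.findings.append(("unknown_script_host", src))
            else:
                self._in_script = True
                self._script_buf = []

    def handle_data(self, data):
        if self._in_script:
            self._script_buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self._in_script = False
            body = "".join(self._script_buf)
            if looks_obfuscated(body):
                self.findings.append(("obfuscated_inline_script", body[:40]))


def scan(html: str, known_hosts=KNOWN_SCRIPT_HOSTS):
    """Return the list of findings for one page source."""
    parser = InjectionScanner(known_hosts)
    parser.feed(html)
    parser.close()
    return parser.findings


if __name__ == "__main__":
    for kind, detail in scan(SAMPLE_HTML):
        print(f"{kind}: {detail}")
```

In practice the allowlist would come from a previous known-good crawl of the same site, so that the check flags what changed rather than everything external; the width/height test also catches iframes styled invisible, which is a common variant of the width-0 trick.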
One thing is not so clear to me here. Is this *definitely* a case of a "fake" ID or a stolen/borrowed ID? I have not seen the ID in question and didn't find it in a 1.8 second search of the page. I'm probably also not familiar with what the state's real IDs look like. My question here is.. which is not 100% clear to me is.. was this truly a fake ID?
People often refer to using their older brother's ID as a fake ID as it is not them on the ID. The same goes for a stolen/found ID. If someone is using an ID that is not theirs, it's considered a fake ID and it's illegal for them to use it. Thus it can be confiscated. Is the ID in question really a fake.. scanned or one of those "not official" IDs? Because if someone stole my ID, used it at a club, got it confiscated, and then it was posted online.. I'd do whatever it takes to get it down.
Yes, I think it's a great idea. It is very akin to how you go to a .gov site and know it's official. People look for it and know what it means.
2) Not 100% Fool-proof!
Why? Well, it's not 100% fool-proof because people are morons. Some people will fall for anything. They'll see citibank.bank.bank-info.info and still fall for it. DNS poisoning will also do the trick. Modified hosts files will also do the trick. People are dumb, but this will still help!
3) Repost!!
Sort of.. we just had this mentioned on Slashdot the other day. See this article link http://it.slashdot.org/article.pl?sid=07/04/10/12
If ICANN introduced a .safe domain (or .sure or .bank), which could only be used by registered financial institutions, it would allow security providers to create better software to protect the public, according to F-Secure. It would be similar to other top level domain names such as .uk and .gov. A month ago?
Yes, absolutely. This is how I am trying to make a distinction between service/e-mail-based systems and AIM-based systems. I am not sure of how to better word this. It appears some of these tie into the legacy system. This is similar to Basic Auth, but worse. There is no distinction between uppercase and lowercase characters. However, I am not quite following Brian's blog to make this a huge security risk as they do not accurately make the distinction between the two systems or even recognize they exist.
First, this article is flat out wrong and I challenge you to try it yourself. The AOL service will only allow up to 8 character passwords for e-mail related items. My password for my AIM clients has always been greater than 8 characters and I *cannot* log into anything without typing the entire password. This includes any web-based service at *.aol.com (primarily controlled by my.screenname.aol.com). I am a bit perplexed at where this article is getting its information.
A few test cases to pay attention to:
1) Sign up for an AOL mail account https://new.aol.com/freeaolweb/?promocode=814322&cid=AOLAOF00020000000602 :)
Notice it only allows you to choose a password that's 6-8 characters, just like the AOL service itself. So now try and login with your password that's 6-8 characters, but add a few more. It lets you in, right? Ok, so do this... reset/change your password now. Click "Forgot my Password" or whatever the link is called. Go through the questions and set a new password. Oh wait, notice it only lets you pick a 6-8 character password.
What does this mean? It means for AOL-service based/AOL-mail based accounts, they only allow 6-8 characters for the password! Who cares if it accepts extra characters. There is a 6-8 character limitation. It's absolutely irrelevant that it accepts additional characters.
They seem to be confusing this with AIM-only based accounts, which allow up to 16 character passwords and DO NOT allow anything more or anything less than the *EXACT* password. Try it yourself. If my AIM password is "pCv921!$z" it will reject me if I put "pCv921!$" and it will reject me if I put "pCv921!$z44". This is not that big of a deal and certainly isn't embarrassing. This is flat out a difference in AOL's mail-based system vs. AOL's AIM-based system.
Want to know a big shocker about AOL's mail-based system that they didn't figure out and report on that *is* embarrassing?
These AOL.com (mail-based) and AOL-service based accounts are *NOT* case sensitive. That's right, try and make your password with some uppercase letters. It doesn't make a difference if your 6-8 character password has uppercase letters or not. It doesn't recognize it! I didn't check but I don't believe it recognizes special characters either. So your character set is a-z0-9.
Chew on that. Steven
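To make the 8-character, case-insensitive limit concrete, here is an added example (not AOL's code, nor the poster's) that contrasts a legacy-style verifier, which truncates and lowercases the password before comparing, with a proper one that hashes the entire case-sensitive password with salted PBKDF2, and that computes the keyspace each design leaves. It models only the two behaviours the post confirms (truncation to 8 and case folding); the unverified guess about special characters is not modelled, and the 94-symbol printable-ASCII alphabet used for the AIM-style 16-character comparison is an assumption.

```python
import hashlib
import hmac
import math
import os
from typing import Optional

# Legacy behaviour as the post describes it: only the first 8 characters count
# and case is ignored, so the effective alphabet is a-z0-9 (36 symbols).
# The post's unverified guess that special characters are also ignored is
# deliberately NOT modelled.
LEGACY_MAX_LEN = 8
LEGACY_ALPHABET = 36          # a-z0-9
ASSUMED_FULL_ALPHABET = 94    # printable ASCII; an assumption for the AIM-style comparison


def legacy_normalize(password: str) -> str:
    """What the legacy system effectively compares: first 8 chars, case-folded."""
    return password[:LEGACY_MAX_LEN].lower()


def legacy_verify(stored: str, candidate: str) -> bool:
    # Both sides are normalized, so "pCv921!$z44" and "pcv921!$" compare equal:
    # exactly the "it lets you in with extra characters" behaviour in the post.
    return legacy_normalize(stored) == legacy_normalize(candidate)


def make_record(password: str, salt: Optional[bytes] = None, iterations: int = 200_000) -> dict:
    """Proper handling: whole password, case preserved, salted slow hash stored."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt, "iterations": iterations, "digest": digest}


def proper_verify(record: dict, candidate: str) -> bool:
    """Recompute the hash over the full candidate and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"),
                                 record["salt"], record["iterations"])
    return hmac.compare_digest(digest, record["digest"])


def keyspace_bits(alphabet_size: int, length: int) -> float:
    """Entropy in bits of a uniformly random password of this alphabet and length."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    print(legacy_verify("pCv921!$z", "PCV921!$z44"))   # True: extra chars and case ignored
    rec = make_record("pCv921!$z")
    print(proper_verify(rec, "pCv921!$z"), proper_verify(rec, "pcv921!$z"))  # True False
    print(f"legacy: {keyspace_bits(LEGACY_ALPHABET, 8):.1f} bits, "
          f"full 16-char: {keyspace_bits(ASSUMED_FULL_ALPHABET, 16):.1f} bits")
```

The keyspace figures are what make the post's point a risk statement rather than a curiosity: eight case-folded alphanumerics are about 41 bits, against roughly 105 bits for a 16-character password over printable ASCII, so the legacy rule throws away most of whatever strength the user tried to add.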
The link was encrypted using WEP, which had been known to be broken since 2001. The crackers who got into the TJX central databases are believed to be Romanians or Russians with ties to the Russian mobs. The eventual cost of the TJX fiasco could exceed $1 billion -- not including the numerous lawsuits filed against the retailer. Well, first, WEP does encrypt the link. That's kind of part of the point of it. So saying "the link was unencrypted using WEP" makes absolutely no sense. Second, when I read a different article yesterday, it seemed to cite a standard open network. So there seem to be conflicting reports. In any event, whether or not it had WEP, it still shows they should have better security. WEP *is* better than nothing, and it shows intent to hack/illegally access the network. However, WPA(2) should always be favored over WEP.. well, so long as you don't use WPA Personal with the password being a dictionary word. :P
Also, isn't it funny that their cheap discount brand is the one they rode in through? Ironic huh? The discount store using discount wireless security! hahaha...
WOW, yeah, this is um.. important news. Glad I wasted time reading this on Slashdot. Cool. Let me know when the guy who helped contribute to OS/2 Warp's GUI's ex-wife's friend's neighbor does something bad.
Ok, I see lots of comments about the U.S. being dependent on China for products, that we owe them money, that they're buying bonds from us, etc. like that has *anything* to do with the issue here. Since when does this justify someone just blatantly stealing someone else's work or ideas. You can argue that Disney, the U.S., and anyone else has stolen ideas, work, and so on, but I have two comments to this.
1: Two wrongs don't make a right. (blah blah cry about it if you want.. it's true)
2: *HELLO* they didn't just make a Disney-like attraction with similar characters and ideas.. they just absolutely stole them. There's a big difference here.
Go ahead and welcome your new Chinese overlords. It seems like you losers envy them so much, why don't you move there and enjoy their wondrous nature. Oh yea.. then come on Slashdot and tell us how it is.. or not.
Really, I agree with what people have said above. Neither eBay nor its sellers/community/etc. is responsible for what that piece of crap did. This shouldn't have any effect on an award and shouldn't cause it to be ill-timed. It's ridiculous to link these two together in such a way. There's no need to provide similar examples of why this is stupid as there are many above. It's time to let companies do what they need to do. No one is happy about the VT shootings, but harassing eBay and its sellers isn't going to help anyone. Btw, this is coming from a recent Virginia Tech graduate.
OK I'll try to keep up. Thanks for pointing this out. CORRECTION TO ORIGINAL POST: and the 30-something plus that aren't registered to vote. Thanks.
Yep.. big trouble a-brewing at the polls because of this. If Obama can't reach out to those tens of thousands of 14-17 year olds and the tens of thousands of 18 to 20-somethings that aren't registered to vote on his MySpace.. what will he do? This may turn to political ruin for him. :(
Agree there as well. I am 100% for this and think it is wonderful if implemented appropriately. I am not saying the MITM scenarios will make this useless by any means. This will go a long way to stopping fraud. However, the attackers will then just try and get more targeted and sophisticated. Guess what.. they just stole your information and don't have the current code. Well, you probably entered in a phone number. So they're probably going to start calling you pretending to be the "bank" when they want to use your card now. This has potential to cut CC fraud in half. It would make CCs + info useless to someone that doesn't want to try and then call the user or target them with specific e-mails trying to get their current passcode. However, it won't stop the fraud. It will severely impact it though (a good thing).
You're right about the idea behind it and we agree there. However, there are man-in-the-middle type attacks that occur here. I don't think I want to get a link to my e-mail every time I visit a shopping website or log into my bank. Chances are it's just an additional layer that has to be entered when making a transaction or logging in. If someone fakes this form or snoops it, they can quickly use and replay the information. This is why a lot of compromises in areas that use SecurID still occur. I send you a fake form that asks for your username and passcode (pin+tokencode) that looks legit. You enter it in and I'm waiting/watching and all fired up to login/make the real transaction with your information that you *just* provided. It limits the scope, but don't think for a second that it doesn't and won't happen.
First, before I go into why it's a good idea and how it's hackable, let me address a bunch of these posts above. *YES* similar ideas have been done before and *YES* this is very similar to an RSA SecurID token (or product of similar vendors). However, the BIG difference here is that it is built-in to your EXISTING credit/debit card. You do NOT have to carry an additional device. Get it? See that credit card you have already? OK.. imagine it with a little changing number on it. There you go! Basic reading 101 folks. End of the sarcasm too..
This is a great idea and will go a long way to stop illegal credit card use/reuse. Especially in the case of a compromised database. However there are a few issues and ways this is still possibly hackable.
Issue 1: SecurID is not even foolproof currently. Why? Well, a hacker sets up a fake form and asks you to enter in your information + your passcode. Well, since you just filled out a fake form, you haven't actually registered to the server as using your passcode. The hacker can then quickly (in near real-time) reuse your information and passcode. This is how SecurID is currently successfully attacked. This is another plus for smart cards for now.
Issue 2: What algorithm are they going to use? How easily can it be cracked? If they're teaming with RSA then I think they will be pretty good so long as the seed files aren't compromised. This shouldn't really happen, but who knows. If the algorithm was weak, it could potentially only take a few consecutive numbers to start generating the future numbers. However, who knows how feasible this will be.
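The two issues above can be exercised against a minimal verifier. The code below is an added example, not RSA's, a card issuer's or the poster's. It implements HOTP from RFC 4226 (a public seed-plus-counter algorithm; that a changing-number card would use something HOTP-like is an assumption), enforces single use of every code on the server side, and runs two constructed scenarios: an honest use followed by a replay of the same code, and Issue 1, where a code typed into a fake form reaches the real server before the cardholder's own submission. The seed is the RFC 4226 test-vector seed, not a real one.

```python
import hashlib
import hmac
import struct

# Seed from RFC 4226 Appendix D, used here only so the codes are reproducible.
RFC4226_TEST_SEED = b"12345678901234567890"


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to `digits` decimal digits."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    word = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{word % (10 ** digits):0{digits}d}"


class Card:
    """The card's display: same seed as the server, its own counter, one code per read."""

    def __init__(self, seed: bytes):
        self.seed = seed
        self.counter = 0

    def read(self) -> str:
        code = hotp(self.seed, self.counter)
        self.counter += 1
        return code


class OtpVerifier:
    """Server side: tracks the lowest unconsumed counter so each code is
    accepted at most once, with a small look-ahead for codes read but never sent."""

    def __init__(self, seed: bytes, look_ahead: int = 3):
        self.seed = seed
        self.look_ahead = look_ahead
        self.next_counter = 0
        self.log = []   # (who, code, outcome) for audit

    def verify(self, code: str, who: str) -> bool:
        for c in range(self.next_counter, self.next_counter + self.look_ahead):
            if hmac.compare_digest(hotp(self.seed, c), code):
                self.next_counter = c + 1   # consume this and every earlier code
                self.log.append((who, code, "accepted"))
                return True
        self.log.append((who, code, "rejected"))
        return False


def scenarios(seed: bytes) -> dict:
    """Run both constructed scenarios and return what the server decided."""
    # Scenario A: honest use, then someone replays the captured code later.
    server = OtpVerifier(seed)
    code = Card(seed).read()
    legit = server.verify(code, "cardholder")
    replay = server.verify(code, "replayer")

    # Scenario B (Issue 1): the cardholder types the code into a fake form and the
    # form's operator submits it to the real server first. The server cannot tell
    # the two submissions apart; it simply honours whichever arrives first.
    server2 = OtpVerifier(seed)
    code2 = Card(seed).read()
    relayed = server2.verify(code2, "fake-form operator")
    victim = server2.verify(code2, "cardholder")

    return {"legit_first": legit, "replay_after": replay,
            "relay_first": relayed, "victim_after": victim}


if __name__ == "__main__":
    print(scenarios(RFC4226_TEST_SEED))
    # {'legit_first': True, 'replay_after': False, 'relay_first': True, 'victim_after': False}
```

Single-use tracking closes plain replay (the second presentation in scenario A is rejected) but not the relay in scenario B, because the server sees the same valid code and has no way to know who typed it first; from the cardholder's side the only symptom is that their own attempt is refused, which is a signal worth alerting on. Closing the relay takes something beyond the code itself, such as binding the code to what the user is approving (amount, merchant) or confirming the transaction out of band. Issue 2 is also visible in the structure: everything rests on the seed staying secret, since anyone holding it can run `hotp` exactly as the server does.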
I think it sounds like an excellent idea. Question is.. how much will it cost the consumer? If anything.
I look forward to the day when proposing a Windows SOE is a firing offence. As for the state of American IT... Aren't you guys supposed to have landed on the moon, way back before Microshit was founded? WHAT HAPPENED TO Y'ALL? Well, first, Microsoft Windows is the most widely used OS in the world. So if "Y'ALL" is referring to the people of the U.S., it looks like we made the most popular OS in the world, which you are probably running. On top of that a large number of the developers of open source systems are from the U.S. as well. Then of all these "major companies" that are infected (think Fortune 500 or Fortune 100), a large portion [majority?] are U.S. companies. So it doesn't look like a whole lot happened besides a lot of success.
Hey, I actually owe you an apology and I'm gonna go ahead and write it instead of just not responding. I had read three posts before yours specifically referring to the U.S. and didn't notice you were answering to the overall "plural" governments. So just to let you know.. I apologize.. if you happen to read this. Thanks. :D
Major companies infected with spam spewing bots?? No way. This is just too groundbreaking to be true. Next thing they are going to tell us is that government machines are also infected. Since we all know that major companies and government machines are impenetrable because their users are so smart, savvy, and technologically secure. Oh wait, the users at these places are the same people that use AOL dial up at home. OK.. so maybe it is true *and* unsurprising. :P
What an ignorant post. Why don't you familiarize yourself with NIST. Yea they'll just ban it like they always have. Oh wait they continually are on the leading edge of publishing standards and key guidance for the government and for general public consumption and use.
I think the OP is worded a little strangely, but I think I understand what you are getting at. The problem here is, as others have pointed out, you would essentially have a free service and you get what you pay for. Who is going to do all the identity vetting and verification of those requesting certificates? Are you going to have a full time staff that is verifying who individuals are and that they're authorized to be making such requests? What are the odds tons of *.microsoft.com and *.whatever.gov certs get issued? My guess is this would either be an unusable service (extremely slow in turnaround) or it would be absolutely useless.
Why would it be useless you ask? (two main reasons)
Reason 1: With this sort of poor service I highly doubt anyone would want to trust this root certificate in their web browser or anywhere else for that matter so it would really be no different than a self-signed certificate.
Reason 2: If this service was trusted, it would be a major security issue. I think the number of people getting certificates that should not have them would be 100x what it is now.
Yes, as you can see by my last statement in 'Reason 2', I am aware that there are times VeriSign or others have fouled up and accidentally issued certificates to those they should not have. However, I guarantee you this would happen much more often with a service like this. Also, the number of times this has occurred is amazingly low -- due to a good process. With these other CAs you get what you pay for.
Oh yea -- last comment which I know you guys will love. Microsoft will never put this into IE! What does that mean? It is borderline useless. IE still has the majority of the market share. You can argue with it all you want, but it is true. You can import any CA's root cert to your browser of course. However, we're looking at things here on a grand scale. Not just what a group of 20 nerds want to do.
I can tell you about a whole bunch of fun tokens. :P
Is this AFC ShaunC and/or FiIe? wow.. memories.