Posts by mike acker

Glossing over a Critical Security Requirement

as I have noted in the past: the fundamental error here is that HTTPS bypasses the requirement for users to authenticate keys

this requirement is carefully detailed by Phil Zimmerman in his original PGP documentation in the section "Protecting keys from tampering"

HTTPS did not follow his requiremnts and got what they deserved

anyone using PGP ( or by extension x.509 certificates ) should generate their own keypair and sign any certificate that is used in a critical system. it should be noted that MSFT already does this for critical security bulletins .

the IT industry again is guilty of glossing over a critical requirement in favor of convenience

getting hacked ain't gonna be convenient

remember what Geo Orwell taught us:

"The Greate Enemy of Clear Language is INSINCERITY

lookup the International Covenant on Civil and Political Rights

Freedom of expression is subject to the following restrictions:

these shall only be such as are provided by law and are necessary:

1. For respect of the rights or reputations of others;

2. For the protection of national security or of public order (ordre public), or of public health or morals

it is obviously easy for a tyrant to bend the meaning of the above

as far as MSFT v Linus goes MSFT is its own enemy while Linus has an unlimited pool of allies generating Open Source Software.

The result: MSFT attempting to cram their style onto us (and make us pay for their stuff); Linus offering Freedom as the alternative at n/c

how will this play?

I think MSFT is retreating to the mobil and gaming area, leaving the desk workstations to Linus -- which various versions of Linux have already won the field for servers

as MSFT pushes into the mobil/gaming field they will face Google and Android on their other flank though...

"Half a league, Half a League, Half a League, onward ...

AppArmor

the thing Android needs is AppArmor for every App.

put an end to apps messing around where they should not be messing.

she faces the Fundamental Internet Battle head on: Privacy v Advertising and Market Research

Google and Amazon have good models. social is a bad model and will soon be generally disdained

Fragments: Entertainment | Industry

IMHO ( which is free ) the industry is fragmenting,-- with the entertainment and business sectors going separate ways.

Win8 is going into the entertainment & Gaming business.

Canonical/Linux will pick up business computing.

why?

Windows is a hacker's paradise that is beyond repair.

NEXTEL Refugee

as a NEXTEL refugee we looked at Sprint and then switched to T-Mobil. Sprint basically bought up NEXTEL -- and then wrecked it. The NEXTEL phones were better and so was the old iDEN net.

understanding the "cloud"

=" Music and other content are easier to move, but still painful."

ah, --understanding!! the "cloud" wants to own your entertainment properties and just lease the use of them to you

cloud must be resisted at every juncture.

cloud ain't "whats happening" it is a method of control that the industry is attempting to foist upon consumers

new music and video model

notes

it seems there are elements of the 'net that would love to inventory every computer attached to the 'net

particularly MUSIC and VIDEO libraries

it appears this business is in a state of flux,... it appears the New Model is: you don't own any copies. Copies are to be kept in Cloud Libraries operated by licensed vendors. when you establish an account your will be placed on the Access List and given access to those assets you have paid the access fee for...

in this model if you have any titles on YOUR computer you are ipso facto a pirate

think about it

i only noticed this recently when Amazon changed their download procedures...

SQL Injection

SQL Injection is an old, known attack. the defense is (1) use only stored procedures and (2) sanitize input data.

getting hacked via SQL Injection is simple negligence on the part of the system operations staff. they should incur the $$$ liability for this.

hopefully they also have a contract burning bonfire

Anon Computer Group

this morning I'm playing some Joan Baez music and have renamed my file for the Anon Computer Group

UEFI

this is a critical move and a very good one. if we can design a mechanism that can verify the initial load of the o/s then the o/s should be able to check itself as it finishes loading.

the danger remains in the attacker possibly being able to flash the bios or somehow modify the firmware used in the initial process. attackers have always preferred to inject their un-authorized programming into the system at the lowest level

of course if the O/S is secure -- and it receives a BIOS update signed by the OEM -- then it would be expected that it would be safe to accept the update. but if the O/S were compromised, uuuugh

all of which goes back to the note that security is like a balloon: 1 pin-prick and POP! it's gone.

bug?

yeah, whatever

my i 305 did that

a patent that allows folks to isolate data such as phone numbers in emails and then call the number.

??

my i 305 does that and i've had it for 5 years

marketing muscle

marketing in the courts

apple is a RICO and that should come up in court