Re: End to end is a myth
"Now IF your two machines can communicate via the ISP router then something else is happening."
Like perhaps LEOs are getting involved. Consider THAT.
You don't use EVERYTHING because someone can exploit one of those somethings to get around others (to use cybersecurity parlance, pwn one layer of security and then use it to bypass others). Use ONLY what you need. Plus you have to consider that more hoops to jump irks users who reach their limits and then start creating (exploitable) shortcuts.
"If they are doing that you have other problems a firewall won't protect you from."
And that alone is enough of a threat since they can be coerced by the law. Remember, trust no one.
With routing, you don't NEED to NAT. You GO AROUND it. If you really, REALLY wanted to protect your intranet, don't use NAT. Use a proxy.
PS. ISPs aren't SUPPOSED to route RFC1918 addresses, but many still do. If you take a very close look at a connection log, you'll probably run into some of them at some point.
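One way to do that "very close look" at a connection log, as an added example that is not part of the original post: flag packets whose source is an RFC 1918 address but which arrived on an Internet-facing interface. The log format, the interface names and the sample lines below are all constructed for the example; the three private ranges are the ones RFC 1918 defines.

```python
"""Flag RFC 1918 (private) source addresses that arrive on a WAN interface.

Added example: the netfilter-style log format, the interface names and the
sample lines are constructed, not taken from any real device.
"""
import ipaddress
import re

# The three RFC 1918 blocks. Listed explicitly rather than using
# ip.is_private, which also matches loopback, link-local, CGNAT, etc.
PRIVATE_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Constructed sample log: IN= is the ingress interface, SRC= the source IP.
SAMPLE_LOG = """\
kernel: IN=wan0 SRC=203.0.113.7 DST=198.51.100.2 PROTO=TCP DPT=443
kernel: IN=wan0 SRC=10.13.37.5 DST=198.51.100.2 PROTO=TCP DPT=22
kernel: IN=lan0 SRC=192.168.1.20 DST=198.51.100.2 PROTO=UDP DPT=53
kernel: IN=wan0 SRC=172.31.254.9 DST=198.51.100.2 PROTO=ICMP
kernel: IN=wan0 SRC=172.32.0.1 DST=198.51.100.2 PROTO=TCP DPT=80
"""

LINE_RE = re.compile(r"IN=(?P<iface>\S+)\s+SRC=(?P<src>\S+)")


def is_rfc1918(addr: str) -> bool:
    """True if addr falls inside 10/8, 172.16/12 or 192.168/16."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PRIVATE_NETS)


def find_private_on_wan(log_text: str, wan_ifaces=("wan0",)):
    """Return (iface, src) for every line whose source is private but which
    entered on an interface that should only ever see public addresses."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not a connection record
        if m["iface"] in wan_ifaces and is_rfc1918(m["src"]):
            hits.append((m["iface"], m["src"]))
    return hits


if __name__ == "__main__":
    for iface, src in find_private_on_wan(SAMPLE_LOG):
        print(f"private source {src} seen on {iface}")
```

Note the last sample line: 172.32.0.1 is not private, because 172.16.0.0/12 covers only 172.16 through 172.31, which is exactly the kind of off-by-one that a hand-written prefix match gets wrong. Anything this reports is either an upstream that leaks RFC 1918 traffic or spoofed packets, and either way it should be dropped at the edge.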
Serious question. What do you propose as an alternative to interactive websites? Anything else you propose is likely to be holier than a wheel of Emmentaler, given we tried this approach in the past. Remember RealPlayer?
How do you do that when the manufacturer can do a fly-by-night? Or is not based in a country subject to your laws and thus has sovereign protection?
"So, if the primary purpose is to prevent a child/assailant from using your weapon. Wouldn't a simple key combination be sufficient."
Not if the child's precocious enough to figure out the combination AND keep that knowledge that he knows from his parents.
The Culture (capitalized) is a novel series by Iain M. Banks. Been writing them since 1987, and his latest is pretty recent (The Hydrogen Sonata, 2012). The title refers to a pretty loose and liberal society of the future (it's post-scarcity, so basic needs are ubiquitous and there's little real "need"). This society includes mechanical entities. Those rating at least 1.0 are considered equal to humans in status. SC refers to Special Circumstances, basically the black ops arm that deals with the most troublesome aspects of Culture-outside relations.
In The Culture, a "knife missile" is a sci-fi smart weapon. It's more than a ballistic knife that you launch and it flies forward. No, knife missiles can act on their own, float in the air, and cut very rapidly using both itself and projected force fields, among other things (equipment varies, but that's the basic function). It's an autonomous device so it's technically a citizen in the Culture. It rates well over 1.0, though, as it's designed specifically for use with Special Circumstances.
ONLY five. Many have enough memory to go back at least ten, by which time you've probably lost track of your original password. And some go even further by not allowing any PARTS of an original password (blocking Password0 -> Password1 as "Password" is in both).
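What such a history policy looks like in code, as an added example that is not part of the original post. The history depth (10) and the minimum shared run (5 characters) are assumed values. One practical caveat the example makes visible: old passwords are kept only as salted hashes, so exact reuse can be checked against the whole history, but the "no shared parts" rule can only be applied against the current password, which the user has to supply in plaintext at change time anyway.

```python
"""Password-history check: reject exact reuse of any of the last N passwords
and reject a new password that shares a long run of characters with the
current one (Password0 -> Password1).

Added example; HISTORY_DEPTH and MIN_SHARED are assumed policy values.
"""
import hashlib
import os

HISTORY_DEPTH = 10   # remember this many old passwords (salted hashes only)
MIN_SHARED = 5       # a shared run this long or longer counts as reuse
PBKDF2_ITERS = 100_000


def _hash(pw: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, PBKDF2_ITERS)


def longest_common_substring(a: str, b: str) -> int:
    """Length of the longest case-insensitive run present in both strings.
    Standard dynamic-programming table; inputs are short, so O(len*len) is fine."""
    prev = [0] * (len(b) + 1)
    best = 0
    for i in range(1, len(a) + 1):
        cur = [0] * (len(b) + 1)
        for j in range(1, len(b) + 1):
            if a[i - 1].lower() == b[j - 1].lower():
                cur[j] = prev[j - 1] + 1
                best = max(best, cur[j])
        prev = cur
    return best


class PasswordHistory:
    def __init__(self):
        self.history = []  # newest first: (salt, digest); plaintext is never stored

    def _seen(self, candidate: str) -> bool:
        return any(_hash(candidate, s) == d for s, d in self.history[:HISTORY_DEPTH])

    def check_change(self, current_pw: str, new_pw: str):
        """Return (ok, reason). current_pw is what the user typed to prove
        they own the account, so it is the only old value available in clear."""
        if self._seen(new_pw):
            return False, f"matches one of the last {HISTORY_DEPTH} passwords"
        shared = longest_common_substring(current_pw, new_pw)
        if shared >= MIN_SHARED:
            return False, f"shares a {shared}-character run with the current password"
        return True, "ok"

    def set_password(self, new_pw: str) -> None:
        salt = os.urandom(16)
        self.history.insert(0, (salt, _hash(new_pw, salt)))
        del self.history[HISTORY_DEPTH:]   # forget anything older than the window


if __name__ == "__main__":
    h = PasswordHistory()
    h.set_password("Password0")
    print(h.check_change("Password0", "Password1"))   # rejected: "Password" shared
    print(h.check_change("Password0", "correct horse battery"))
```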
Like I said, there's at least a valid reason to have a change policy: to close or expose undetected breaches.
"This scheme does _not_ protect against other hazards; hackers can, for example, intercept the hashed password and send it to log into that particular site (i.e., you still need HTTPS) and can keylog, shoulder-surf, etc. I don't see any panaceas. You need complex passwords, salted and hashed so they can't be easily deciphered, limits on how many password attempts are allowed in a particular time interval, 2FA, and HTTPS... even though no one or two of these alone are sufficient."
Except if you make things TOO complicated, you force people to create shortcuts that malcontents can exploit. You need a solution that's strong enough to block anything short of an insider or state yet simple enough that even the dullest drone can and will do it nigh-automatically.
Like hackers simply attack the extension. Hackers already attack the browsers directly.
Unless, of course, they downloaded the password database and are cracking it in their own machines, much like a robber managing to take the whole safe with them.
Um, how else can they deal with unknown hacked accounts, then? Forced password changes either close those doors (the hacked details aren't valid anymore) or draw them into the open (because the hacker is forced to change the particulars and the real user gets locked out).
"I tell people get something like a verse from your favorite song, favorite bible verse, something a comedian said like "why do you have a hot water heater, you need a cold water heater". Get the point."
Now try repeating that about 100 times or so because you need a different one for EACH site, or when ONE site gets hacked, ALL the ones that used the same password are fair game. And you also have to deal with people with poor memories.
"Remember the hacker unlike War Games does not know anything about the password, including the key and that it was base64 encoded."
But he may know enough about you to find ways to get at that password, perhaps by hacking your home machine or other stuff.
With a little practice, I'd say less than ten seconds. Longer if there are caps and punctuation.
Oh, so hackers figure it out, start posing as you, and either slander your image or engage in social engineering attacks?
No, poor memory. As in "CorrectHorseBatteryStaple" turns into "DonkeyEnginePaperclipWrong" one day and "CrankMaybePinMule" the next. Some people's memories are THAT bad (or worse, you have to keep telling them THE SAME THING every single day).
If they set up a keylogger, they can just record the strokes no matter how obscure they are.
And what if you lose THAT?
"If you haven't already guessed, I use those questions as another layer of password, don't answer them correctly, and keep them in a file like I do the passwords themselves and other data like the account name or whatever."
So what happens WHEN (not if) they pwn your local machine with a drive-by and steal your special file?
Except people will just keep using the same one because trying to remember a bunch of them will have people trying to remember correcthorsebatterystaple and instead recall donkeyenginepaperclipwrong. Our memories get muddled and we mess up.
Most people don't provide fake information. Some even verify it or record your IP which can be enough of a clue to get more information.
Even the best encryption in the world is useless if you just wait until it's DEcrypted as a matter of course.
The hackers ALREADY have the solution for that: they hack your LIVE session, meaning they get the envelope while it's open. That's the current most-intractable problem with encrypted content: it must be DEcrypted to be useful; hackers just wait until then. The only way around that is to have crypto-chips in our brains a la Ghost in the Shell, and I think Shirow Masamune's timetable for that world was all too optimistic.
Then we're at an impasse because he's saying that anything LESS is crackable within reasonable time. Basically, combining your statement and his, the MINIMUM reasonable standard for security is BEYOND the capability of the average human. Meaning we're basically screwed. And as the saying goes, the hackers only have to be lucky ONCE. That one entry lets them gain enough information to hack other accounts and go from there.
I don't think that will work, either, as the hackers will simply find faster ways to do the hashes. It's basically an intractable siege problem: the besiegers always have the edge against the besieged because the former isn't locked down.
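The "robber took the whole safe" situation from the earlier comment and the "faster hashes" point here are the same problem seen from two sides, so one added example (not part of either post) covers both: a constructed dump of three accounts, stored once as unsalted SHA-256 and once as per-user-salted PBKDF2. The wordlist, the accounts and the iteration count are all made up for the example; DEMO_ITERS is kept small so it runs quickly, and real deployments use far higher counts.

```python
"""Offline cracking of a stolen password table: unsalted fast hash versus
per-user salt plus a deliberately slow hash.

Added example. Accounts, wordlist and DEMO_ITERS are constructed values.
"""
import hashlib
import os

WORDLIST = ["123456", "password", "letmein", "Password1", "qwerty", "dragon"]
DEMO_ITERS = 1000  # real sites use hundreds of thousands or more

# Constructed "breached site": carol's password is not in the wordlist.
ACCOUNTS = {"alice": "password", "bob": "letmein", "carol": "Tr0ub4dor&3"}


def fast_hash(pw: str) -> str:
    """Unsalted single SHA-256: what too many breached sites actually stored."""
    return hashlib.sha256(pw.encode()).hexdigest()


def slow_hash(pw: str, salt: bytes, iters: int) -> str:
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, iters).hex()


def build_dumps(accounts, iters):
    """Return (unsalted_dump, salted_dump) as the attacker would find them."""
    unsalted = {u: fast_hash(pw) for u, pw in accounts.items()}
    salted = {}
    for u, pw in accounts.items():
        salt = os.urandom(16)
        salted[u] = (salt, slow_hash(pw, salt, iters))
    return unsalted, salted


def crack_unsalted(dump, wordlist):
    """One hash per candidate, then a dictionary lookup for every user.
    Work is |wordlist| regardless of how many accounts were stolen."""
    table = {fast_hash(w): w for w in wordlist}
    cracked = {u: table[h] for u, h in dump.items() if h in table}
    return cracked, len(wordlist)


def crack_salted(dump, wordlist, iters):
    """Every candidate must be rehashed for every user under that user's salt,
    and each attempt costs `iters` rounds. Work is counted in HMAC rounds."""
    cracked, work = {}, 0
    for user, (salt, digest) in dump.items():
        for w in wordlist:
            work += iters
            if slow_hash(w, salt, iters) == digest:
                cracked[user] = w
                break
    return cracked, work


if __name__ == "__main__":
    unsalted, salted = build_dumps(ACCOUNTS, DEMO_ITERS)
    print(crack_unsalted(unsalted, WORDLIST))
    print(crack_salted(salted, WORDLIST, DEMO_ITERS))
```

Both runs recover the same two weak passwords, which is the point about the siege: salting and a work factor do not save "password" or "letmein", they only multiply the cost per guess. What they do buy is that a single precomputed table no longer cracks every user at once, and each doubling of the iteration count doubles what the attacker's faster hardware has to pay for.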
"We need to give up trying to make people to care about password strength for stupid stuff like online forums. They don't. They shouldn't. Stress that it only matters for really important stuff like online banking, and to stop caring if your Twitter account password is insecure unless you have hundreds of thousands of followers."
You forget that hackers can break into the weak stuff to glean information to use in social engineering attacks to get at the stronger sites. IOW, weak passwords of any sort become gateways. So you must treat the most innocuous site just as much as your most secure one since one can open the way to the other, making the strongest site only as strong as the weakest one.
"This might look like a random title for a comment on this story, but it is an example of a memorable password that I made up for a comment on the story Human memory, or the lack of it, is the biggest security bug on the 'net. Even though I only wrote it once, and that was over a month ago, I can still remember it (though admittedly it is probably too long to be a sensible password)"
Good for you. What about those with POOR memories, or who have to go through hundreds of them in a given month?
"Yes, anything you care about should be protected by a strong 2nd factor - but it's supposed to be precisely that a second factor. Something you know, and something you have. So the password is still very relevant."
But what if you don't HAVE a second factor: not even a cell phone, because you keep LOSING things? Or you don't trust cell phones? And as for those fobs, what was that RSA hack about again?
"With respect to the mic, just don't talk to yourself - I know it's hard but you could try."
Not really. Many of us do it on reflex: SUBconsciously, meaning we talk without even realizing we're talking. And what about people who talk in their sleep but have to keep their computers on for overnight jobs?
No because I normally also kick ass. Problem is I usually run out of bubblegum beforehand.
And even that isn't always sufficient if recent government leaks are any indication, as it seems clear states covet zero-days for any and all OS's in operation.
But it's NOT chuckle-worthy. If it's eat a moose turd pie or DIE, guess what happens?
Offer an EMACIATED starving man a moose-turd pie and watch him scarf it down. If you can't be sure of your next meal, anything to stave off starvation. You see it all the time in animals.
"Only when they are prepared and would like to take the extra steps to protect themselves online that we introduce security practice. Otherwise, there's no privacy. You normal people didn't put the effort into getting it. Deal with it."
What if no effort that can be exerted by man is sufficient. What if this is the Global Village now where everything can be read by everyone, even if it was ten years ago, and there's nothing you can do to stop it?
Owen Bytheway, this is stretching beyond the Internet, too. Ubiquitous cameras, microphones, aerial and satellite surveillance that's increasingly able to see through things. Heck, even the idea of "dead drops" is becoming riskier because there's always a chance (and growing) someone or something's there to observe the drops, linking you to it. Let's see you try to keep your privacy in THIS.
"With the threats consumers face growing everyday, I don't see how encrypting everything can be avoided. It's the only thing that provides the most basic level of security."
Until you realize you can be pwned on the hardware that would be needed to do the encryption. Imagine pwned CPUs, network chips, etc. And the level of technical knowledge (not to mention real, legitimate patents) needed to roll your own silicon puts you in No Man's Land. The ONLY people capable of building the chips that run your machine aren't trustworthy. Heck, even beyond computers, can you trust your letter carriers, postal employees, and so on? Heck, remember village gossips?
Let's face it. Privacy as we know it was a fleeting thing to begin with. And now the global village has caught up.
"The article does give one good piece of advice: keep everything updated. No matter what type of device, OS or applications, keep applying the updates (and ignore those saying to stick with older OS versions)."
But what happens when the updates cripple functions, install spyware, or (worst case) are hijacked and are used to install malware instead?
How long before BAD USB is improved to attack USG as well?
And then the complaints will start flying when those kill switches trigger spontaneously...
"Taken to the extreme logical conclusion, yes, there'll be a few families who own everything and everything will be 100% automated. So who is left to buy the products and keep the super rich rich?"
Each other. As long as there are at least two such families and each can provide something the other can't, there can be an agreement between them.
Otherwise, the families become self-sufficient and don't need anyone else. Their robots will be strictly for themselves and they won't need to engage in commerce anymore.
No, they'll be worse. And note this entry was posted AFTER Inauguration Day, so there actually IS an Administration in place. AND in many ways it's worse than anticipated.
Except they're ALL we have to work with. Of 535 congresspeople there's (what?) one or two independents in there (and they caucus with the Democrats in any event)? And the whole election system's rigged so badly we'd sooner have a coup d'etat than a peaceful changeover of power to a third party.
Basically, we have to cut this tree down, but the only tools at our disposal are a length of cheap rope and a plastic toy saw. What do we do?
Then the Democrats simply need to play one of the Republicans' own cards against them. Make the whole deal into a "with us or against us" up-or-down kind of deal, perhaps by adding a sense of urgency or a threat of a Cyber 9/11 so that any attempt to forestall or delay would be painted as itself threatening national security and just as bad as a "no" vote.
This kind of tactic is one reason Republicans are having trouble replacing Obamacare: because it's way too easy for Democrats to cite explicit cases of people who literally depend on Obamacare just to live. Take away Obamacare and people DIE...which won't sit well come midterms (plus there's the risk a law on the books will allow bereaved families to SUE).
That assumes you get a choice in the matter...
HIPAA is non-waivable much as ADA isn't, but this Act will create loopholes.
"Remind me again - the Republicans are the party that believes an individual should be free to live their life without interference from the state?"
And they're REMOVING state interference. They're doing nothing about PRIVATE interference, though.
And is that why RTS can't lie, because at some point the AP has to know the real MAC and there's no way in the spec to prevent it asking early?
While even a class A network has the same 24-bit subnet limit, consider the Birthday Problem.
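The birthday arithmetic for that 24-bit space, as an added example that is not part of the original post. A MAC with a fixed OUI leaves 24 random bits, and a class A /8 likewise has 24 host bits; the functions below give the exact and approximate probability that n devices drawing random 24-bit values collide, and the fleet size at which a collision becomes more likely than not. The space size is the only input, so the same code answers the question for any other bit width.

```python
"""Birthday-problem collision odds for n random picks from a 24-bit space.

Added example; 2**24 is the space implied by a fixed 24-bit OUI prefix or a
/8 network, and nothing here is tied to a particular vendor or device.
"""
import math

SPACE_24BIT = 2 ** 24  # 16,777,216 possible suffixes


def collision_probability(n: int, space: int = SPACE_24BIT) -> float:
    """Exact P(at least two of n uniform picks coincide)."""
    p_none = 1.0
    for k in range(n):
        p_none *= (space - k) / space   # k-th pick must avoid k earlier values
    return 1.0 - p_none


def approx_collision_probability(n: int, space: int = SPACE_24BIT) -> float:
    """Standard approximation 1 - exp(-n(n-1)/(2*space)), good while n << space."""
    return 1.0 - math.exp(-n * (n - 1) / (2.0 * space))


def devices_for_probability(p: float, space: int = SPACE_24BIT) -> int:
    """Smallest fleet size at which collision probability reaches p
    (inverting the approximation: n ~ sqrt(2*space*ln(1/(1-p))))."""
    if not 0.0 < p < 1.0:
        raise ValueError("p must be strictly between 0 and 1")
    return math.ceil(math.sqrt(2 * space * math.log(1.0 / (1.0 - p))))


if __name__ == "__main__":
    for n in (100, 1000, 5000, 10000):
        print(f"{n:>6} devices: exact {collision_probability(n):.4f}, "
              f"approx {approx_collision_probability(n):.4f}")
    print("50% collision odds at", devices_for_probability(0.5), "devices")
```

Roughly 4,800 devices in a 2^24 space already gives even odds of a duplicate, and 10,000 puts it above 90%, so "16 million values" is not the number that matters for a randomly chosen identifier; its square root is.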
Is there a reason RTS isn't spoofed? Is there some requirement for this in wireless certification?
"I remember Adobe giving away Photoshop with breakfast cereals (almost) to ensure their market share and put down Digital Darkroom. IT doesn't seem to have done them any harm."
Are we talking the same Adobe whose key software is now subscribed instead of sold? Much like Office is now subscribed instead of sold? Sounds like what I've said: a movement from selling to leasing.
"The only way it could work is if the content delivery company encrypts a video feed to a secure monitor and that is not going to happen."
Have you tried looking up HDCP 2.0? The requirements for 4K BluRay players? Both require end-to-end encryption (from player to monitor), and PCs are completely locked out of this loop (exactly BECAUSE users have control of them). Plus, last I checked, trying to capture a raw 4Kx2K screen in realtime involves a pretty intense amount of bandwidth.
Biting the hand that feeds IT © 1998–2017