Re: choices
And if they're the ONLY supplier of something due to exclusive contract?
But it doesn't really use JavaScript. The page itself is passive. It uses the bog-standard forms and such (though I may take issue with the way the icons are done; the old way was safer), and I don't have much issue with that. But live-update stuff like Disqus and Livefyre? Whole other story.
No, I believe an Interactive Web is inherently bad. Why don't we push for moving it to a protocol designed for interactivity such as X or VNC? This would also put the onus back on the servers to keep their systems clean because now THEY have to run the code or they can't function.
Interactivity was NOT an intended design of the Web, though. That's something best left for proper protocols like X over SSH or VNC. So I refuse to consider it not an option. It's ALWAYS an option. In fact, taking the Web passive again should be the ONLY option to save the Internet as we know it.
"Because anyone who suggests that you don't use Javascript in a website is in reality denial. I can count on the fingers of one ear sites that don't. Good luck explaining to your customer why NONE of the things they want, work."
Simple. "Due to the nature of the technologies involved being actively used to infect and take over computers all throughout the Internet, we cannot in good conscience require the use of these enabling technologies. HTML 1.0 was a passive technology, and separate protocols and external programs were the solution to interactivity in the past; therefore, we have no choice but to revert to technologies like VNC to provide interactivity."
"And yes, everything should be constantly patched and updated."
What if the patch is usurped with spyware? Or worse, hijacked to inject malware?
"The only solution is for it to be fixed at source: for the libs to be secure and the version number to become irrelevant: no local copies and the CDN always serves up the latest version which is *always* backwardly compatible."
Single point of failure. The hackers hijack the developer accounts and inject the malware into the sources, and since they took over the DEV accounts, they also have access to the signing keys.
"There is no solution: you are lumbered with the insecurities."
Well, we could always abandon the Internet and go back to the Sears catalog. Oh, wait, the telephone networks can be pwned, too...
"If we just scrapped browser support for JavaScript, then created a plugin to enable rich content without the need to be downloading snippets of insecure script from untrustworthy sources."
Serious question. What do you propose as an alternative to interactive websites? Anything else you propose is likely to be holier than a wheel of Emmentaler, given we tried this approach in the past. Remember RealPlayer?
You don't use EVERYTHING because someone can exploit one of those somethings to get around others (to use cybersecurity parlance, pwn one layer of security and then use it to bypass others). Use ONLY what you need. Plus you have to consider that more hoops to jump irks users who reach their limits and then start creating (exploitable) shortcuts.
"If they are doing that you have other problems a firewall won't protect you from."
And that alone is enough of a threat since they can be coerced by the law. Remember, trust no one.
With routing, you don't NEED to NAT. You GO AROUND it. If you really, REALLY wanted to protect your intranet, don't use NAT. Use a proxy.
PS. ISPs aren't SUPPOSED to route RFC1918 addresses, but many still do. If you take a very close look at a connection log, you'll probably run into some of them at some point.
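The check the PS describes, as an added example that is not part of the original thread: scan connection-log lines for RFC1918 peer addresses that should never arrive over the WAN side. The log format, the sample lines and the local network 192.168.1.0/24 are constructed for this example.

```python
# Added example: flag RFC1918 (private) peer addresses in a connection log.
# Log format and sample lines are constructed, not taken from any real device.
import ipaddress
import re

# The three RFC1918 private blocks
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def is_rfc1918(addr: str) -> bool:
    """True if addr is a valid IPv4 address inside an RFC1918 block."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return ip.version == 4 and any(ip in net for net in RFC1918)

def find_private_peers(log_lines, local_nets=()):
    """Return (line_no, addr) for every RFC1918 address in the log that is
    not inside one of our own local networks (those are expected and skipped)."""
    local = [ipaddress.ip_network(n) for n in local_nets]
    hits = []
    for n, line in enumerate(log_lines, 1):
        for addr in IP_RE.findall(line):
            if is_rfc1918(addr) and not any(ipaddress.ip_address(addr) in ln for ln in local):
                hits.append((n, addr))
    return hits

# Constructed sample: a border firewall log; 192.168.1.0/24 is our own LAN
SAMPLE_LOG = [
    "ACCEPT in=wan src=203.0.113.7 dst=192.168.1.20 proto=tcp dpt=443",
    "DROP in=wan src=10.200.3.9 dst=192.168.1.20 proto=tcp dpt=22",
    "ACCEPT in=wan src=198.51.100.44 dst=192.168.1.21 proto=udp dpt=53",
    "DROP in=wan src=172.31.254.2 dst=192.168.1.1 proto=icmp",
]

if __name__ == "__main__":
    for line_no, addr in find_private_peers(SAMPLE_LOG, local_nets=["192.168.1.0/24"]):
        print(f"line {line_no}: unexpected RFC1918 peer {addr}")
```

Any hit from the WAN side is either a misconfigured upstream or spoofed traffic, and is worth a bogon filter on the border.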
The Culture (capitalized) is a novel series by Iain M. Banks. Been writing them since 1987, and his latest is pretty recent (The Hydrogen Sonata, 2012). The title refers to a pretty loose and liberal society of the future (it's post-scarcity, so basic needs are ubiquitous and there's little real "need"). This society includes mechanical entities. Those rating at least 1.0 are considered equal to humans in status. SC refers to Special Circumstances, basically the black ops arm that deals with the most troublesome aspects of Culture-outside relations.
In The Culture, a "knife missile" is a sci-fi smart weapon. It's more than a ballistic knife that you launch and it flies forward. No, knife missiles can act on their own, float in the air, and cut very rapidly using both itself and projected force fields, among other things (equipment varies, but that's the basic function). It's an autonomous device so it's technically a citizen in the Culture. It rates well over 1.0, though, as it's designed specifically for use with Special Circumstances.
ONLY five. Many have enough memory to go back at least ten, by which time you've probably lost track of your original password. And some go even further by not allowing any PARTS of an original password (blocking Password0 -> Password1 as "Password" is in both).
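A history check of the kind described above, as an added example that is not part of the original thread: it refuses a new password that repeats one of the last ten or shares a long common substring with one of them, so "Password0" to "Password1" is refused because "Password" is in both. The depth of ten, the five-character threshold and the sample history are constructed policy values, and real systems keep only hashes; plaintext history is used here solely to show the comparison.

```python
# Added example: password-history check with substring reuse detection.
# Policy values (depth=10, min_shared=5) and HISTORY are constructed.

def longest_common_substring(a: str, b: str) -> int:
    """Length of the longest substring shared by a and b (case-insensitive)."""
    a, b = a.lower(), b.lower()
    best = 0
    prev = [0] * (len(b) + 1)
    for i in range(1, len(a) + 1):
        cur = [0] * (len(b) + 1)
        for j in range(1, len(b) + 1):
            if a[i - 1] == b[j - 1]:
                cur[j] = prev[j - 1] + 1
                best = max(best, cur[j])
        prev = cur
    return best

def check_new_password(new_pw, history, depth=10, min_shared=5):
    """Return None if new_pw is acceptable, else a reason string.
    history: previous passwords, most recent first; only the last `depth`
    are considered. A shared substring of min_shared or more characters
    with any of them is treated as reuse."""
    for old in history[:depth]:
        if new_pw.lower() == old.lower():
            return "matches a password in history"
        if longest_common_substring(new_pw, old) >= min_shared:
            return f"shares {min_shared}+ characters with an earlier password"
    return None

# Constructed history, most recent first
HISTORY = ["Password0", "Winter2019!", "Tr0ub4dor&3"]

if __name__ == "__main__":
    for candidate in ["Password1", "orbit-lamp-72"]:
        print(candidate, "->", check_new_password(candidate, HISTORY) or "accepted")
```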
Like I said, there's at least a valid reason to have a change policy: to close or expose undetected breaches.
If you're forced to allow JavaScript to log onto a site, the malware writers will pwn you with a JavaScript injection attack. Increasing numbers of people want future HTML to be LESS rather than MORE complicated: more passive, with media tasks shunted back to dedicated apps.
"This scheme does _not_ protect against other hazards; hackers can, for example, intercept the hashed password and send it to log into that particular site (i.e., you still need HTTPS) and can keylog, shoulder-surf, etc. I don't see any panaceas. You need complex passwords, salted and hashed so they can't be easily deciphered, limits on how many password attempts are allowed in a particular time interval, 2FA, and HTTPS... even though no one or two of these alone are sufficient."
Except if you make things TOO complicated, you force people to create shortcuts that malcontents can exploit. You need a solution that's strong enough to block anything short of an insider or state yet simple enough that even the dullest drone can and will do it nigh-automatically.
Um, how else can they deal with unknown hacked accounts, then? Forced password changes either close those doors (the hacked details aren't valid anymore) or draw them into the open (because the hacker is forced to change the particulars and the real user gets locked out).
"I tell people get something like a verse from your favorite song, favorite bible verse, something a comedian said like "why do you have a hot water heater, you need a cold water heater". Get the point."
Now try repeating that about 100 times or so because you need a different one for EACH site, or when ONE site gets hacked, ALL the ones that used the same password are fair game. And you also have to deal with people with poor memories.
"Remember the hacker unlike War Games does not know anything about the password, including the key and that it was base64 encoded."
But he may know enough about you to find ways to get at that password, perhaps by hacking your home machine or other stuff.
No, poor memory. As in "CorrectHorseBatteryStaple" turns into "DonkeyEnginePaperclipWrong" one day and "CrankMaybePinMule" the next. Some people's memories are THAT bad (or worse, you have to keep telling them THE SAME THING every single day).
"If you haven't already guessed, I use those questions as another layer of password, don't answer them correctly, and keep them in a file like I do the passwords themselves and other data like the account name or whatever."
So what happens WHEN (not if) they pwn your local machine with a drive-by and steal your special file?
The hackers ALREADY have the solution for that: they hack your LIVE session, meaning they get the envelope while it's open. That's the current most-intractable problem with encrypted content: it must be DEcrypted to be useful; hackers just wait until then. The only way around that is to have crypto-chips in our brains a la Ghost in the Shell, and I think Shirow Masamune's timetable for that world was all too optimistic.
Then we're at an impasse because he's saying that anything LESS is crackable within reasonable time. Basically, combining your statement and his, the MINIMUM reasonable standard for security is BEYOND the capability of the average human. Meaning we're basically screwed. And as the saying goes, the hackers only have to be lucky ONCE. That one entry lets them gain enough information to hack other accounts and go from there.
"With respect to the mic, just don't talk to yourself - I know it's hard but you could try."
Not really. Many of us do it on reflex: SUBconsciously, meaning we talk without even realizing we're talking. And what about people who talk in their sleep but have to keep their computers on for overnight jobs?
"Only when they are prepared and would like to take the extra steps to protect themselves online that we introduce security practice. Otherwise, there's no privacy. You normal people didn't put the effort into getting it. Deal with it."
What if no effort that can be exerted by man is sufficient? What if this is the Global Village now where everything can be read by everyone, even if it was ten years ago, and there's nothing you can do to stop it?
Owen Bytheway, this is stretching beyond the Internet, too. Ubiquitous cameras, microphones, aerial and satellite surveillance that's increasingly able to see through things. Heck, even the idea of "dead drops" is becoming riskier because there's always a chance (and growing) someone or something's there to observe the drops, linking you to it. Let's see you try to keep your privacy in THIS.
"With the threats consumers face growing everyday, I don't see how encrypting everything can be avoided. It's the only thing that provides the most basic level of security."
Until you realize you can be pwned on the hardware that would be needed to do the encryption. Imagine pwned CPUs, network chips, etc. And the level of technical knowledge (not to mention real, legitimate patents) needed to roll your own silicon puts you in No Man's Land. The ONLY people capable of building the chips that run your machine aren't trustworthy. Heck, even beyond computers, can you trust your letter carriers, postal employees, and so on? Heck, remember village gossips?
Let's face it. Privacy as we know it was a fleeting thing to begin with. And now the global village has caught up.
"The article does give one good piece of advice: keep everything updated. No matter what type of device, OS or applications, keep applying the updates (and ignore those saying to stick with older OS versions)."
But what happens when the updates cripple functions, install spyware, or (worst case) are hijacked and are used to install malware instead?
"Taken to the extreme logical conclusion, yes, there'll be a few families who own everything and everything will be 100% automated. So who is left to buy the products and keep the super rich rich?"
Each other. As long as there are at least two such families and each can provide something the other can't, there can be an agreement between them.
Otherwise, the families become self-sufficient and don't need anyone else. Their robots will be strictly for themselves and they won't need to engage in commerce anymore.
Except they're ALL we have to work with. Of 535 congresspeople there's (what?) one or two independents in there (and they caucus with the Democrats in any event)? And the whole election system's rigged so badly we'd sooner have a coup d'etat than a peaceful changeover of power to a third party.
Basically, we have to cut this tree down, but the only tools at our disposal are a length of cheap rope and a plastic toy saw. What do we do?
Then the Democrats simply need to play one of the Republicans' own cards against them. Make the whole deal into a "with us or against us" up-or-down kind of deal, perhaps by adding a sense of urgency or a threat of a Cyber 9/11 so that any attempt to forestall or delay would be painted as itself threatening national security and just as bad as a "no" vote.
This kind of tactic is one reason Republicans are having trouble replacing Obamacare: because it's way too easy for Democrats to cite explicit cases of people who literally depend on Obamacare just to live. Take away Obamacare and people DIE... which won't sit well come midterms (plus there's the risk a law on the books will allow bereaved families to SUE).