Posts by Charles 9

Re: Not for Fanbois.

"Looking at that the other way around: I live is a city-(non)state far smaller than Illinois though with a goodly fraction of the same population. (It's called London). Why can't I have gigabit networking to my house for UD$20/month?"

Simple. You live in an OLD city. South Korea's infrastructure is pretty modern: its age measured in decades, while good old London has infrastructure dating back centuries (yes, some of it got bombed and subject to fires, but a lot of the stuff, especially underground, survived). And if there's one thing New York and London have in common, it's that it's hard putting up new infrastructure when old stuff's in the way.

Put simply. Infrastructure is much easier to install in a new city (or one forced to rebuild due to war or disaster) than in an old city.

Re: Proprietarty

As a number of exploits recently have shown, this trust issue is not limited to proprietary software, since we as humans lack the ability to be eternally vigilant in everything we do; otherwise, we'd never trust anyone and nothing would get done. Makes you wonder if you wake up tomorrow and realize you and everyone else in the world is essentially living under the Sword of Damocles.

Re: What Freaks Me Out...

Using them for everything won't work. The state has the resources to keep a quantum computer in a black project, store everything since the advent of the PC, and probably even be working on a way to break lattice and other post-quantum encryption. And you can't stop them OR convince them to stop since EVERY state and state leader behaves like Damocles: as if under perpetual existential threat. Under such an environment, NOTHING is taboo since the one that can destroy you can come from ANYWHERE at ANYTIME.

Re: Almost did to me...

Maybe not Red Bull, but in the US there have been some cases where a caffeine/alcohol combination was at least partially to blame for a number of deaths: mostly from the consumption of Jagerbombs or those tall cans of alcohol+caffeine like Four Loko. They knew it was a factor because the conflicting buzzes meant the body couldn't warn the drinker they were overdoing it. Hard to deal with the Jagerbombs since they're mixed on site, but they basically told the Four Loko and the like to ease up on the caffeine so that drinkers can at least get some kind of warning buzz.

How well do dictionary attacks do against passphrases containing more than 2 words? Each one multiplies the potential complexity by the size of the dictionary. Six words and a million-word dictionary, assuming no semantics, results in (10^9)^6, or 10^54 possible phrases, and if even one of those words is intentionally misspelled...

Re: Be careful what you wish for...

Which would you rather have? The corrupt King Cobras or the relentless Army Ants? You're dead either way. Even if we tried to make our own mesh, that would take electricity, which means we're beholden to the power companies.

Re: Time to reinvent the wheel...

But cash CAN be stolen...or counterfeited...

Re: "...a skilled hacker will alway get in..."

"1) Fire the employees?

2) Reassign them to non-driving jobs?

3) Train them to drive better?

4) Put bigger bumpers on the vehicles?"

You can't do (1) because they're probably in positions of trust. Fire them and you run the very real risk of retaliatory sabotage, and their position of trust means they can leave secret backdoors in their wake. (2)'s out because they're not stupid. ANY kind of relegation may as well equate to a firing. And they may not be willing to undergo (3). So what happens when you're caught between Scylla and Charybdis: caught with an employee already in a position of trust but now found to not be trustworthy?

"Yes, I'm saying Schneier is wrong on this, and that puts me on the wrong side of a lot of people. But I feel he is. Can we make something 100% "secure"? Probably not. But we always need to try. And we can't take the totally full-a**ed attempts we've been making at something pathetically called "security" and say, "See? It doesn't work!"."

But what happens when the openings come from UP TOP? Plus how do we convince people to care when they'd rather put their effort into deflecting the damage, a la a professional slacker?

I'd hate to be the one to enforce a no-Apple policy when the board uses iPads...

Re: Simple solution @Psyx

"Can they publish a story about not being able to publish a story about not being able to publish a story about X, or is the law recursive?"

I think the law is rather all-encompassing. It prohibits MENTIONING that you can't mention the banned item, meaning any form of recursion is already covered because you have to mention that you can't mention the banned item in order to mention that you can't mention that you can't mention the banned item.

Re: Both correct

But as Tim noted, security is computationally-intensive, and recall what the top of the line was in 1990: the 80486, about as big a leap FROM the 6502 as it is TO today's tech. And if this was top end, imagine what else was still in use. Now imagine always-on security in such a world...

As for secure communications, you hit a snag when you have the competing needs of secure communications and efficient communications. Efficiency necessarily leaves telltale trails that can be analyzed (so it's easy to trace something like a video stream since it's time-sensitive) while secure communications necessarily introduces false trails or "chaff" that cost bandwidth and in turn electricity (that's one reason why Freenet's so slow). Plus there's still the matter of subverting endpoints outside the secure network, a practically-intractable problem as long as computers are available to the public. Furthermore, the average user can't be trusted to be perfectly vigilant, which leaves plenty of other openings and instances of being locked out.

Re: Alarming

Bet the next step will be making alarms too inconvenient by finding ways to "invisibly" trip repeated false alarms all over the place. Alarms won't be able to do much when they cry wolf all the time.

Re: Epic misunderstanding of email there...

To a point, you are correct. However, the recipient's credentials can be sniffed since POP3 is normally a cleartext connection that requires a login. That's why most ISPs are adding in the STARTTLS extension which allows for transitioning to a secured connection before authentication occurs.

Re: Anti-spam-iotics

No, more like the flu. You can try to wipe it out but it adapts too quickly. You say UNIX and Win7 are pretty secure...until someone combines a toehold exploit with a privilege escalation and BOOM, you're dead meat again. The thing about this security business is you have to be lucky all the time, they only have to be lucky once. And they have millions of targets (and growing) to choose from.

Re: Virus?

Perhaps, but by most accounts that better describes a Trojan Horse (a malicious payload disguised as a legit program but not a legit program in and of itself). For it to be a virus, it has to piggyback on a legitimate third-party program or medium the way the flu does.

Re: Spotting the problem is easy.

"So what other solutions are there? Altruistic approaches don't scale beyond small communities as they violate the basics of human nature, communism is far too prone to mismanagement and corruption. Labor-driven free-market economics may be an ultimately self-destructive approach, and require the unhealthy habits of consumerism to function in an age of automation, but it seems to be the only one we have."

What about the unspeakable admission that there are simply too many people for the system to maintain itself and that what's needed is some degree of population reduction?

Re: End to end encryption changes nothing.

And if the very act of getting that warrant tips the crooks off?

Re: DOUBLE-BLIND-TEST

But how are we to distinguish if what the person perceives as difference is really difference and not placebo effect (here's a challenge: can the person tell between 'recognize speech" and "wreck a nice beach")? That's why you need multiple people, to average out any bias inherent to an individual.

"Well, all the broadcasters and their roadmaps at IBC involve HEVC. There is equipment available for them that can handle it, and the amount of that will increase quite substantially over the coming years. TV makers are already rolling out HEVC kit (yes, of variable quality in some cases), but it's coming."

OK, so HEVC does have a head start with content and hardware providers. That's significant since it means Google may be late to the party again unless they can steal a march on MPEG-LA (which is still possible, forcing the content providers to scramble), but it would mean Google convincing chip makers to implement VP9 in silicon in volume on both the encoding and decoding end. And hardware is not exactly Google's strong suit. Unlike companies like Apple, Google isn't well-known for dictating exacting hardware terms.

@Charlie Clark: Trouble is, while Android does dominate the mobile market, most of that market is towards the lower end of videos which are still the domain of AVC. Furthermore, a sizeable chunk of that market is still held by Apple, who would sooner see Hell freeze than support The Enemy with their codec because it's Bad For Business, and Apple still has significant pull with content providers. HEVC is going to be, at least at first, primarily used for high-resolution content where mobile data would struggle. This would leave high-speed home networks, which means the playback device will likely be the TV or an STB hooked to it. And the TV end of the market happens to be where HEVC is focusing right now, particularly with content providers and chipset makers.

Re: What laws?

And if the concrete evidence is in HOSTILE TERRITORY?

Re: Dummy

"I was under the impression that the 'separation' by NAT routers was kinda a byproduct, and can easily be worked into a 6 only router* by just blocking anything coming in over the WAN interface by default, allowing port forwarding much the same as IPv4 + NAT, but just not requiring the IP address MAPPING, as in instead of "anything coming in on the WAN on port 80, map to port 6680 of 192.168.1.230" you'd simply say "Anything coming in on 3D8B:0004:773A:FB01:: port 80, route straight through" ?"

A byproduct, maybe, but a welcomed one, because local net addresses are just that: they're not meant to be exposed to the Internet, and most network stacks will interpret this as such. If not, some link in the chain is likely to realize, "Hey, this isn't a proper internet address" and reject the connection. IOW, odds are if you tried to use a local net address to connect to a LAN address behind a firewall, odds are the firewall won't even be aware of it.

Sometimes, the best defense is stealth, as in making it look as if your machine doesn't exist. Think of it like a hotel or hospital where the rooms can't be direct-dialed from the outside (room-to-room calling is unaffected) but have to go through the front desk first. The front desk is the NAT firewall in this case even if outgoing calls are being routed automatically. If you tried to direct-dial a room, odds are the number is invalid and the phone company will block you, not even reaching the front desk.

Re: Ban the voice!

"It's about time that the myth was busted over safety concerns. If there was *EVER* the possibility that a PED could have downed an aircraft, they would *NEVER* have been permitted on board. They would have been confiscated at security."

But unlike other things, the PED has several factors that make wholesale confiscation thorny.

1. They're ubiquitous, meaning most passengers have them. The wholesale confiscation of something most passengers have can be ornerous, especially when...

2. They're not easily replaced. People grumble about the liquids bit, but that's offset because one can usually just resupply at their destination. About the only people who have a problem are those with large quantity of prescription fluids. In which case, they'll have to go into checked luggage. But...

3. They're sensitive to temperature extremes AND contain Lithium. Since there's no guarantee a luggage hold will be climate-controlled, the PED might be exposed to damaging temperature extremes and such. Furthermore, lithium is a fire risk (prone to spontaneous combustion), which is why it's banned in luggage holds (at least in a carry-on it can be pulled out in an emergency).

4. They're considered an essential accessory to many: a link back to base. Meaning if they can't take the PED, they're not going. That puts a financial pressure on the airlines catching them between Scylla and Charybdis. If they cave, the PED might down the plane, but if they don't, the lack of passengers might torpedo the business.

Re: It is not my own government I am most worried about.

You'll never convince the software makers to loosen their terms since many of them have captive markets with no honest competition, especially in the professional field. Let's face it. Except for the most basic of things, GIMP is no Photoshop, and I still haven't found anything that approaches the level of features in Premiere or After Effects. All the software maker has to do to (which many are transitioning anyway) is to render all of their transactions leases or subscriptions. At which point, all the buyer can do is accept the limits of the agreement or go without.

When the town only has one well (and practically no way to make another), do you dehydrate yourself to spite its owner?

I think the article notes however that domains cost real money and are generally held for a decent length of time (say at least one year), so there's an incentive to reuse the domains, just not right away. IOW, a malcontent wanting to maximize the RoI on the domain will want to figure out how long to lay the domain low before using it again.

Furthermore, the algorithm used to generate the domain names has to be portable since the malware has to know the code, too. This requirement also reduces the odds of changing the algorithm in mid-flight since doing so requires a way to pass along the new technique to the botnet, some nodes of which may fall out of the loop before being updated.

Re: Smartphone vulnerability?

"Cyanogen 11.2

/system/xbin/bash."

This appears to be specific to custom ROMs. Mine's a lightly-touched TouchWiz job, and bash is missing from it. Which lends credence to my supposition that most Android installs lack bash and are thus safe for now.