But you'd still be looking at many times that in launch costs: 4000 USD per Kg of total weight on the pad, plus a heap of other fees, licences, duty etc. However, the Sprite NanoSats are around 30g; you still have the launch and deployment hardware to consider. But a cassette style launcher, or even (heaven forbid) one that works like a lightweight clay pigeon launcher, could be made with well under a Kg of materials. So you could be looking at launching a Sprite or NanoSat for as little as 200 USD each, if you know how to avoid the other fees.
Which kind of makes student satellite projects viable. Indeed, that no virtualization yet was one reason. @Gerard van Vooren: Another reason, which is at least very highly likely, is that the gov. like pretty much always see e.g. After all, it would be rather strange when the worst of all eavesdroppers and crackers, the state, would provide real security to its citizens.
And why should he? Most seem to be perfectly happy with some theater and feeling safe. Re: texting walkers: I'm not a fan of texting and I avoid it whenever possible. TSA doesn't want, or at least does not provide, real security but rather security theater; it's not about security but about making people feel secure. Voice can communicate more information in a very short time. I found that some social engineering can reduce the amount of BS texting by not responding immediately, if at all.
The advantage of having text data on one's phone can be useful, but is overshadowed by the LE/IC love affair with having all that data in machine-readable form. Note: Caution might be required if the texter is your loving partner/spouse. You might try, just for laffs, carrying one of those compressed-air-powered horns that sailors use. They can be quite small, but -really- loud.
In my case, there'd be the Devil to pay, so to speak. You could rig it inside a bag, so it's invisible to others. It needs to be made for daylight use, that is, extremely bright. Another possibility is a hat with a forward-facing flashing light. Was this posted last weekend? It's quite a story. I knew that Thorp was in Boston on the MIT campus at some point (maybe because one of his coauthors was there) but I missed the fact that he rubbed shoulders with Shannon, Feynman and Buffett, until last week.
There was a good book about the kids from MIT who taped wads of $100 bills to their bodies to fly to Vegas. That was much more recent than Thorp's work, but clearly part of the same intellectual lineage. I must have missed the discussion of Taft in 2015, because I would have offered two books by Thomas A. Bass, The Eudaemonic Pie and The Predictors. I remember both being entertaining reads, even though I read the first about 25 years ago and the second about 10 years ago.
@Just say no to 8u1154it: Not sure why I think that I've mentioned those books before. It could have been under my previous names. I think that there were only two that evolved, John Galt III and John Galt IV, which I eventually abbreviated. It will be easy to see that I've become somewhat less rabid in recent years. There is little to worry about the boomers rioting over health care and pensions, because the firehoses are so effective at knocking over wheelchairs.
How hard would it be to make a cell phone that won't work while in motion? If it detects you walking it stops working. If the GPS senses motion it stops working. Instead of laws to stop stupid behaviors, make the tech to make it impossible. Suddenly the streets are safer for pedestrians and other drivers. No longer dependent on political morons to fix the tech, we all can get back to playing Paranoia.
You can easily sell this to capitalism by explaining they are losing valued customers with the death of every cell phoney. I see some have noticed that DT watched a lot of Mussolini newsreels for pointers on body language and gestures. @albert, @Rachel, @Clive Robinson: "one of those compressed-air-powered horns", "hat with a forward-facing flashing light".
For a lot less weight to carry around, trail hikers use little whistles that can be heard for miles if blown hard. Besides their come-rescue-me primary purpose, they make great anti-rape whistles that can stop a big, strong attacker without violating weapons laws. Blown more gently, they might say "Look up from your fondleslab and get out of Clive's way." @tyr, @Clive Robinson: "Enforce rather than delegate or regulate." I'm an advocate of that. Isn't gonna happen, though.
"Bass, The Eudaemonic Pie and The Predictors. I remember both being entertaining reads." No rule that says you can't post to old squid threads; I do that all the time. Well, you could still do that. Taft's book is really fascinating. A recommended read. The engineering problems he faced and solved are impressive: software, hardware, control systems, RF and antennas, digital and analog. I may read the other books you recommended, just not sure when. Thorp's research is based on a single deck that's randomly shuffled.
His work was extended to multi-decks. However, nowadays the shuffle is anything but random. Basic strategy won't work. Card counting won't produce the expected results either, unless you are part of a very well funded team with replenishable bankrolls that can sustain protracted heavy losses. Even then, winning isn't guaranteed.
It's not like the designers of these shufflers don't know about basic strategy and card counting. They employed some very sophisticated algorithms that... Besides, there are other secrets. Perhaps I'll share one day. Running a Tor relay on an Apple computer is relatively straightforward. Yes, this will probably attract scrutiny, but so might searching for the word "tor", visiting or reading a Linux journal, or visiting schneier.
After Trump was elected, I figured this is the least I could do. With China and perhaps Russia banning Tor and VPNs, the Snooper's Charter in the UK, etc., things are trending down.

    # modifications to torrc; use at your own risk
    ORPort 9001
    ExitPolicy reject *:*           # no exits allowed
    Nickname ididntedittheconfig
    Log notice syslog
    Log notice stderr
    RelayBandwidthRate 400 KBytes   # Throttle traffic
    RelayBandwidthBurst 400 KBytes  # Throttle bursts
    AccountingMax 20 GBytes         # each way per period
    AccountingStart day 00:00       # day period starts at midnight
    SOCKSPort 0                     # relay only
not the brightest bulb • July 30, 2017 9:38 PM. Usage tends to be about 4 Gig in and 4 Gig out per day with the above settings; around 240 Gig/month total. Finally, allow incoming connections to tor through your firewall, if prompted. As a standard user, run tor; watch Terminal feedback and Activity Monitor feedback periodically; titrate by doubling or halving Bandwidth; also adjust AccountingMax based on your ISP plan (you may find actual usage is fairly linear within a range). Optional: use the computer or network for other stuff too, of course.
I think Tor says this themselves, so I don't see the point of the argument. Thru some identifying stages (if you're really good, you can avoid even this for the most part, but I think it's impossible to not show up on some radar these days, too much surveillance) you should be able to get yourself to a point that you can make a connection to the internet that's mostly devoid of PII. Whatever you use anonymity for, hopefully it's a good purpose, not scummy.
My main purpose was escaping the grasp of attackers terrorizing my life, for brief periods of time. Unfortunately these discussions involve little evidence and devolve into name-calling bar-room brawl-type talk. Most of my security and homebrew projects I post fully online. I don't really have a use for it anymore; like any truly secure workstation it had to be ever-changing, mobile and under the control of a truly paranoid being. Anyway, draft, as-is, instructions for a tor relay (neither exit node nor bridge) on a Macintosh from the command line.
I want employers to see my paid work to show them what I can do but can't. It's conceptually simple but practically hard, very hard, and there is no way to make it reliable in action in human terms. Such a product exists and is called a pedometer. To see why, invert the premise and make the operating function a counter. Until recently there was no point in cheating a pedometer because there was no value in doing so. However, insurance companies have changed the game and there is now value in cheating a pedometer by way of reduced (normally way overpriced) health care policies.
With the advent of an incentive to cheat a pedometer, lots of inventive minds have got to work. In effect the insurance companies have stupidly invented an arms race they can not win. RE: tor discussion: As we've discussed a million times, just using some tool won't be a magical silver bullet. People will think up simple ways to cheat those pedometers, the insurance companies will think up counter measures to catch the cheaters, and so that loop goes around; each time some cheaters will find a method to beat the counter measures.
We've seen this before with ECM/ECCM/ECCCM and commercially with the subscription service Sky Satellite Broadcasting. Meanwhile the insurance companies get locked into a second ECM war with other insurance companies playing follow the leader. Worse, by legislation (Obama Care) every citizen has to have health care insurance. You can see where that is going to go; as was said in the film, "the only sensible move is not to play".
Flipping the premise back up, you will see that if there is wriggle room then people will cheat the system because they see value in doing so. But worse still, if only one company put in an anti-walk-n-talk option it would quickly go out of business, because such a feature has negative value for a purchaser. Thus the only way to attempt to get it would be by legislation, which will fail as reliable technology does not yet exist.
Which, as we know with Smart Guns legislation, is likely to have a perverse effect on the manufacturers. The problem is there is too much wriggle room, and two or more types of movement detection required; thus there will be not just edge cases but corner cases, and each attempt to improve detection will double up at minimum the number of corner cases, and more for the edge cases.
That is, they will find ways to ensure the idea never becomes reliable, so it never gets put on the market to become a legislative market killer. The two current movement detectors are tuning fork gyroscopes and satellite position fixing (GPS). Neither is reliable or even suitable for the application. You could average out by integration, but to tell the difference between ordinary hand/body movement whilst sitting or standing will require a long integration time. GPS is slow and has a short-term inaccuracy margin greater than you would get with walking or dancing.
Likewise the gyroscopes have a sensitivity issue in that they are band pass detectors and will not detect absolute position, as movement above a certain speed or below a certain speed will either not register or will register inaccurately. @password: It makes perfect sense to anyone alive why "dragon" is a popular password for 2016.
I don't even watch television and I can tell you about a cultural phenomenon known as Game of Thrones. I could go on at further length but I think you both know enough to fill in the rest for yourself. I forgot to say that The Eudaemonic Pie tells the story of a group of students who built wearable computers to beat the casinos at roulette. They put a lot of work into the effort, but only transiently made money. Later some of them went on to found The Prediction Company, which used pattern extraction/recognition to beat the markets.
I have the impression that Wall Street in the 1990's hired the best and brightest of a generation of physicists to build adaptive systems for computer trading. Today most of the stock volume is the descendants of their machines arbitraging fractions of a penny per share. High frequency trading is part of the mix. The machines practice system identification on each other and on the humans, by spoofing bids to measure the response.
The machines have to adapt to each other and to what is left of the human market. The first time that I remember realizing that you could do system ID on humans was in the late 80's or early 90's, when I noticed that some prices in the grocery store seemed to change randomly over time. "Google's new program to track shoppers sparks a federal privacy complaint" (WaPo). The WaPo link for the article. WaPo's initial article on the subject was in May, with more details.
"I think Tor says this themselves, so I don't see the point of the argument." The nail on the head. It has already been pointed out a million times, both by myself and others, on this forum and in other places, that Tor will NOT protect you from resourceful nation state actors because of a whole series of defects and shortcomings. Even the Tor people themselves have never ever said otherwise.
It is just one of many free tools that allow you to surf the web in a somewhat more anonymous way than standard browsers do. The elevated degree of protection it offers against ubiquitous data collection to me in itself is already enough reason to use it. Still there are those who, for reasons I just can't fathom, keep flogging the dead horse. Giving people concerned with privacy and anonymity a choice between just giving up and reverting to Safari/Internet Explorer, or rolling your own CLI browser in Ada and running it on Plan9, IMO is a pointless and entirely useless argumentation that is not helping anyone.
Besides the fact that I wouldn't consider Plan9 as secure. It seems to me that you overlook four points. Since this is in the US, one needs to opt-out not to share his/her information. a) Here we are in a security blog and hence our perspective is quite different from any Jane and Joe site, where I wouldn't engage in saying what I think about tor. b) Joe and Jane, when wishing to enhance their situation, won't say "I'll brush up my math and learn a whole lot to make an informed decision"; nope, they'll act based upon what the next best magazine is telling them, which more often than not will come down to sth.
like "cubeos is a magical silver bullet and so is tor". c) The danger of erroneously thinking one is secure. It's always better to know the reality even if it's ugly and frightening. Erroneously believing to be secure when using xyz is making things worse, not better. d) Your mainboard is rotten (e.g. tpm, amt), your OS is rotten, your libraries are rotten, your browser is rotten, and the same goes for the endpoint at the other side as well as the nodes en route, and you seriously think that putting rotten tor on top of that somehow enhances safety and security?
My advice: apply Amdahl's law, with a slightly changed perspective for security rather than performance. I made a reply to Figureitout around 2AM blog time. I've just noticed it's not here. Did it get caught or have I posted to the wrong place? @Clive: two identical comments addressed to tyr and Wael were posted one after the other. I don't see a reply to Figureitout. @ab praeceptis, @Dirk Praet: There is a point zero you've left out.
0) Humans are born helpless. Mankind is unusual for the type of creature we are: our offspring are born capable of very little, and spend the rest of their lives (if they are sensible) learning. I've been known to take an absolutist view on security in the past and in some respects I still do. However, even though I myself take security precautions others would consider totally over the top if not paranoid, I still know I'm lazy in many OpSec respects.
Moreover, using tor can wake up sleeping dogs, paint a target on you, and generally turn against you. Thus I accept that it's an exceptional person who can live like that for even short periods of time, even with extensive training and acclimatisation experience. Whilst I would not want people to give up in despair, I recognise the experience curve, whilst starting gradually, can appear vertical at times. So not insurmountable, but it requires training and equipment etc.
The problem is it's difficult even for someone who is close to clinical paranoia to live at high OpSec levels without crashing and burning or, worse, going over the edge into full scale psychosis [1]. Further, I also know from long experience that the level of OpSec security required varies depending on situational requirements. When things do go wrong is when there is a mismatch between situational requirements and the OpSec security employed. Interestingly, many do not realise that being over secure and employing too much OpSec actually is more harmful in the short term than too little, which tends to be harmful in the long term.
Thus I would rather people start gently and take their time developing their skills than try and jump in at the deep end, flounder and drown. Rome was not built in a day nor did it die suddenly; its partial demise was due to the inability of those in charge to adapt to changing situational requirements. However, some did learn, which is why we have the likes of the Holy Roman Empire. [1] I use the dictionary definition of psychosis: "A severe mental disorder in which thought and emotions are so impaired that contact is lost with external reality."
I'm not sure if it is definitive. I have read an autobiography of one of the MIT Vegas savants. Methods in the book have been altered to prevent the author getting killed by the crew he used to roll with. From memory it's largely interesting by detailing the social engineering employed both by casinos (particularly when they start feeling nervous about certain patrons) and by the gang themselves; being clever alone will get you deaded pretty quickly, in that world clever must be wrapped in something.
It's in a Catch Me If You Can vein. It doesn't get technical at all. The story tapers out with the author succumbing to horrific levels of gambling addiction and ending up in recovery groups, broke and soulless. I am sure Clive would make similar observations for anyone considering such a career. I'm sure you've got more useful things to read, although it will be interesting for some with specific interests I suppose. There have been a few intriguing characters in that world though.
I recall one who won serious sums of money, but no one quite knew who he was. The various investigators employed by the casinos sought him around the world for a long time and became interested when it appeared he had dropped some fragmented PII. After many more months of investigation and piecing it together, said PII was of a famous gambler from over 100 years prior.
At which point they realised it was hopeless. Let's just say, "Not easy." A question that you should consider is, "How hard would it be to sell a cell phone that won't work while in motion?" Citizen: "There's been a car crash in front of my house." 911 operator: "Is anyone hurt?" Citizen: "I don't know, it just happened." Six and seven years ago I experienced distracted walking countless times per day, every day, while cycling for exercise on a local MUP (multi-use path).
Read: mixed pedestrian/fast-mover traffic. By far the root cause of the threat to pedestrians was their own lack of situational awareness. Plant ear buds; select play list; mentally go to la-la land and ignore their surroundings. After a pedestrian pulled a fast U-turn without looking, putting herself into the path of an overtaking cyclist and getting knocked to the ground, the town put its foot down.
Pressure pedestrians to share responsibility for their safety? No, not a word about that. Impose a speed limit. I don't ride there anymore. I get your point and agree. My question is not whether Jane and Joe are somehow guilty; I'm not a judge. As far as I'm concerned, they may well type their stuff in MS Office and send it by email, possibly protected by zip-passwording it. Unlike Jane and Joe, security projects should be held to good standards and accountable.
They should frankly say that the very best their stuff can hope to achieve is to be a ridiculously tiny bit more secure and, importantly, that due i. to poor software design, spec, implementation, the end result for Jane and Joe might well be less security. My interest is driven by the question of whether we can really achieve safer and more secure systems and communications. In that sense I not only forgive Jane and Joe but even pity them; seeing BS being spread here or in other security circles, however, makes me furious.
Frankly, there are plenty of computer magazines, fora, and blogs that spread BS and fairy tales like "cubeos or tor significantly enhancing security". We don't need any more of that here. I mentioned Amdahl's law because, while originally looking at performance, it's quite simple and can make statements about security as well. And it does so in a quite clear way. What's the performance enhancement in the original version is for us the safety/security or even just reliability enhancement.
Considering AL as one of diminishing returns, we also discover that a non-negligibly small enhancement of safety/security can only be achieved by considerably enhancing RSS (reliability, safety, security) of major parts of the software stack. It seems quite evident to me that this directly leads us to the question of languages and formal methods, which is why I push that issue again and again. Another very strong hint is empirical: crypto very rarely gets broken; it's simply circumvented by (ab)using some of the utterly rich set of weaknesses and vulnerabilities.
Which can be directly translated to: the effective security gain by indeed excellent crypto frighteningly often equates to null. Reason: No matter how good your doorlock is, if your door is built into a house made of wobbly paper. There is nothing wrong with taking an absolutist view on security, especially with your astounding knowledge and expertise. Imposing such a view on others that don't even know where to begin is an entirely different cup of tea.
"Here we are in a security blog and hence our perspective is quite different from any Jane and Joe." Not every visitor of this blog is a subject matter expert. It's called "Schneier on Security", not "Schneier on Security (Certified Experts Only)". "Joe and Jane'll act based upon what the next best magazine is telling them." If we keep this blog accessible for Jane and Joe too, then perhaps they'll learn what the correct tools are for what particular purpose, instead of blindly relying on whatever some glossy magazine or other media source is telling them.
No argument there. Educate people. And that's the exact reason why it doesn't make any sense to preach an absolutist view. Get them from A to B in a way they can comprehend. And then further. Not from A to Z in a way they can't either understand or execute. "You seriously think that putting rotten tor on top of that somehow enhances safety and security?" As long as you take that absolutist view, then everything is futile and no one but yourself, Clive, Thoth, Nick P, Figureitout and a few others have any business here.
I'm not convinced that's really what Bruce had in mind when he started this forum. Try to read Taft's book. You'll find out what happened to him when he got caught more than once, including a security related airport incident long before TSA. There is also a fascinating story about what he did in Atlantic City. I believe this would make a movie better than the MIT crew story, the one ("Bringing the House Down") which I only watched the first few minutes of. It was full of nonsense; that's why I lost interest.
My main interest in the topic is this: How can gaming regulators get away with this? What type of testing was done to assess fairness? My assessment is the system is rigged and not only corrupted to the bone [1], it's bad to the bone-marrow. And that's assuming the RNG is absolutely fair. I'll queue messing with the lyrics for another topic in the future.
Hmm, sounds like a fat finger problem at my end. I'm under the impression that you are politically driven. I will put my memory cap on and see if I can recreate my comment a little later; it's rush hour in London currently, or strap hanging time depending on your preference. While I do see the good intention behind that, I also have a simple question. Why not simply tell Jane and Joe the truth?
"I take you from A to B" and recommending, say, tor is largely a lie. As you yourself say, tor will not protect against a resourceful opponent. So against whom shall Jane and Joe be protected? Against their neighbour? Against the village police officers? The truth would be more like "I take you from A to B", with A being 1.5 light years away from security and B being 0.00035 light years closer; plus, of course, it will open you to other risks. Again, I do understand your good intentions.
But I also see the reality and the unpleasant fact that that very attitude has played a major role in bringing us into the swamp we're in. Presumably good intentions, and people trusting it in jail or at least in serious trouble. But the weirdness doesn't stop there. Take the example of selinux and other security enhancements that come right from some of the worst adversaries. Pardon me, but in my mind's eye that's sheer idiocy. Once more, I do understand your good intentions. The problem, however, is of a kind that needs much more, and quite different, to be solved.
The good intentions, coming down to meaning well and then repeating the cardinal error of unprofessional fumbling that created the nightmare in the first place, remind me of Einstein's famous idiocy dictum. Also keep in mind that some opponents do the right thing. microsoft invested heavily in designing and implementing verifiably safe software. darpa and other voldemort agencies did projects, too.
There is only one way. We must create better software and systems. OpenBSD, doubtlessly amongst the finest C coders in this galaxy, have failed; plain and simple. If those people fail, then it should be utterly obvious that we need a better approach, one that makes it feasible for good developers to create RSS software. As for you and me, you'll probably continue your way; no problem.
But kindly accept that I continue mine, too, and I have plenty of arguments in my favour. Cash it is for me for most of my purchases. With relation to the four points overlooked by Dirk Praet: I completely agree with your points a) up to c). We are in a security blog, so our point of view has to be highly technical and critical; it would be a shame if it weren't. We should not assume a technology is secure just because it is the cool technology of the month, and of course we should not believe Joe and Jane will understand how compromised our current technology is.
I cannot, however, agree about point d). There are somewhat secure operating systems out there; some of these operating systems are either too expensive or too specialized to be useful as general purpose ones, but others (OpenBSD) are doing good work. I do not say our computing infrastructure is perfect, it isn't, nor is the computing infrastructure used by the intelligence community.
The key is not saying "all is lost, there is nothing we can do" but trying hard to improve the world. I agree, however, that the endpoint at the other side is a key issue here, but it is fixable too. With relation to the intermediate nodes, the best we can do is use strong encryption, as strong and mathematically sound as possible. I understand the problem with the hardware itself.
It is certainly the right target for an intelligence agency that wants to mass compromise our technology. But it seems fixable too, or at least we can and must try our best to improve the current status. @ab praeceptis, @Dirk Praet and anyone that wants to participate. Some manufacturers, e.g. Dell, allow workstations and servers to be configured without Intel vPro technology; it is a logical first step. You can try mitigating the impact of a rogue vPro technology.
Here I have suggested two approaches in the past: (1) using PCI network cards that are not supported by Intel AMT (there is no magic inside the Intel firmware, so it cannot work with all NICs ever manufactured), and (2) blocking communication with/from the AMT ports (623, 664 and 16992 up to 16995, both TCP and UDP) and filtering traffic at our firewalls by means of strict rule sets, both egress and ingress. The technology is not perfect, but we must try to fix it and suggest approaches instead of saying there is no hope.
If there is really no hope, what are we doing in this forum? Are we wasting our time talking about a theoretical and impossible to solve problem? It would be sad if it is this way. My goal is not building the perfect computing infrastructure, but something good enough. I prefer thinking technology is fixable, even if it is a continuous process that will never end. In my humble opinion, each step in the right direction is a win.
I don't think it is hopeless on a technical level; otherwise why are we here discussing? The main point is that whatever we discussed and pointed out, the same mistakes are applied repeatedly and fanboyism does occur. Even QC is not 100% foolproof or really unhackable, until someone finds a way around it in the future. We point out problems and point out methods to fix or remedy the situation, but you should notice the type of tone and attitude we received.
TOR is imperfect and so are many protocols. I don't think this is any good for us if we try to point out problems and there are some that do not appreciate it but go about calling us Govt snitches whenever we try to point out the problems, i.e. calling me, Clive Robinson, ab praeceptis et al. snitches for pointing out problems with TOR.
In fact, I did work for the local Govt's Def-Sci sector and more specifically the local COMSEC dept, which is how I got into more serious ITSec i. Anyway, I don't think much is appreciated; our advice goes to waste and we get called out as Govt snitches. I have also decided to remove some of my open source repositories since they're not useful anyway. Now that China and Russia have mandated VPNs and such surveillance circumvention tools, including TOR, as illegal, this will spread even further and the whole World would be affected, which would include the once open and libre European countries and the US, which would likely follow suit.
Good luck with trying to set up usable and somewhat reasonable assurance security with shaky foundations and anti-privacy laws closing in. There is nothing much to be said anymore. There are some problems with your approach. A major one is consumers don't care a fly sh*t. encryption in the first place, but knowing the environment as it is, I refused the offer to lengthen my stay (which is pretty rare for an employer to offer) and left for other jobs.
Just look at consumer mainboards, a relatively techie component. I mean it; look at them. Design, that's what you'll find as the major differentiator: high-tech and/or futuristic design of mainboard cooling elements, controllable light colour of the LEDs everywhere. Or look at smartphones and tablets. Design again. Plus ease of use. If you have a nice logo and lots of marketing, they'll buy second hand cat poop in cans with "security"
printed on them. The vast majority runs windows for no particular reason; it just happens to come along with the hardware, which Jane and Joe translate as "it's free". The second large group of desktop or tablet users has apple. Two major arguments, surprise: Design and coolness. Which leaves us with some 3 to 5% of the market besides windows and apple. With those the pattern repeats. Some 95% or so run linux, of which again ease of use is ruling, e.g.
ubuntu, mint. Another, quite small, group is the BSDs, of which OpenBSD is but a small fraction. As sales figures of snakeoil vendors like anti-virus amply demonstrate, the logic of about 95% of consumers hardly even contains the item "security", and if it does they usually mean something that a) can be click-click installed and b) is socially established, either by peer group or by printed toilet paper (95% of IT magazines).
That s one and a very unimportant one btw reason why I address professionals, in particular developers. They at least vaguely understand the field and, more importantly, they are the ones who can make the difference and enhance RSS in a major way. Btw You agree or not to my point d above. What makes you believe that e. It s a fact, however; maybe a very unpleasant one but a fact.
linux somehow magically becomes secure just because it's in a 50,000 device in a rack and with a brand label on the box? The advice given in this forum is excellent and I am sure lots of readers appreciate it. I am one of these readers that really appreciates each good tip given here, even if it shows a problem with OpenBSD (the only operating system I use on my computers) or other supposedly secure tools. As an example, in the last year I only used smartcards to access my own infrastructure and will continue this way.
Smartcards are just a small step in the right direction, but they are a highly welcome technology. Tor is a good and clever design, but it does have its own weaknesses and it is obviously being targeted by powerful adversaries that take advantage of these weak points (usually the relays). Is it an NSA-proof technology? Obviously not. But it may be a security layer for a journalist or someone that wants some privacy.
I certainly would not trust Tor if my life depended on being hidden, but it is the best lots of non-technical people can use to protect themselves. What makes you believe that I think that linux on a 50,000 USD device is secure? I am a developer on an important security-related software project and understand technology better than a lot of people think. No, linux is not the right foundation for a secure communications and/or computing infrastructure.
The leaks from the IC in the last years show that there is nothing revolutionary in it; they are people like anyone on this forum, not magicians. There are known weaknesses, bugs and backdoors in software and we suspect there are ones in hardware too. The key here is understanding that technology is not perfect (in fact, it may have been compromised for years) but that trying to fix it is more productive than saying all is lost. Our best bet is working hard to fix them instead of shouting out that it is a lost battle.
Or look at the OS side. My suggestions to lock vPro are not so bad. I think they deserve some merit and consideration. Of course there are risks, like the one of having some sort of antennae on our chipsets that allows WAN communications with, say, cell sites. But I believe that if this technology exists and it is so widely deployed we should know about it right now. IC is not exactly good at keeping secrets. Recently a sort of NFC antenna has been found on the new Intel Core i9 processors, so there are people looking at it.
I have confidence there is not that sort of communication channel on our devices; however the risk of unknown and surprising widely deployed surveillance technologies exists, and this is the reason our work should be a process that will never end. What you are preaching is theoretical security for the 0.001% up against targeted attacks by nation state actors. What I am talking about is security and privacy mitigation for the rest of the world against everyone else snooping: friends and family members, your boss, script kiddies, cybercriminals, the local sheriff, corporate and state sponsored mass surveillance.
Which either seem to be of no concern to you or should also be defended against with theoretical or self-developed HA solutions that would be massive overkill for their purpose. Granted, we indeed need to move in the direction you're advocating, but it's not going to happen overnight and, meanwhile, we have a choice to either use imperfect tools we try our best to understand the weaknesses of, or do nothing at all.
I also find it quite telling that countries like China and Russia are trying to ban VPNs and Tor, which (unless this is all a massive psy-op) would seem to indicate that at least some authorities are struggling with them. I hope you're not counting me among those who do. And unless I have missed something, I have never seen either you or Clive being called a snitch or a government agent for either bashing or pointing out Tor defects.
I will put my memory cap on and see if I can recreate my comment a little later; it's supper time in London currently. Plain wrong. What I preach (if one wants to call it so) is to finally design and implement ALL halfway critical software properly. This includes bios, OS, drivers, important libraries, authentication tools for all users (e. password store) and more. Moreover I personally do not care much about top-teams from the agencies of a few states being able or not to hack my system.
In other words: No, the very top 0.001% of adversaries are not a significant concern of mine i. because those adversaries would find other means to get what they want. snooping friends and family members, your boss, script kiddies. In case you care somewhat about reality: Those adversaries do not succeed because, oh, we just used aes-128 and not aes-256, implemented in Ada.
Nope, they succeed for two reasons: a) utterly poor opsec and b) utterly poor everything, starting with plastic boxen running linux over poor OSs to poorly created applications and connecting to poorly created servers. You know what could change that? Properly designed and implemented software, which again would mean that it's created using better languages and tools. I also find it quite telling that countries like China and Russia are trying to ban VPNs and Tor.
What Russia prohibits is VPNs being used to go around blocks of illegal sites and to communicate secretly with terrorists etc. How snarky boring. They ban it if and when used to do illegal things. Who would've thought that. Just like plenty of western lighthouse democracies do, too. And just like: A gun must not be used to do something illegal. Or like printers must not be used to create fake currency or drivers' licences.
How astonishing. I want to make a confession. But sure, despotic Russian dictator Putin found a new way to terrorize (insert poor little victim) always works. Some have wondered why I'm against foss (not really, but it's OK if you understand it that way), against linux, etc. I like OpenBSD and btw. other BSDs, too. What I despise and reject is gpl fanatism.
But that's also not the main point today. The main point is this: Software is quite a bit more complex than pretty much any other engineering field. I also like quite many other foss projects. I know, because that's why I chose it some decades ago. And please, pretty please, note the word ENGINEERING. Would you like to drive your car with your family in it over a bridge that was built by some clueless hobbyists?
How about putting your family in an airplane designed and built by hobbyists and air control managed by some 14 year old weed smoking boys? You don't like that? Strange, because you seem to have no qualms with that model wrt. And again: properly designing and building bridges or airplanes isn't more complicated than designing and implementing software; if there is a difference, building software is even more complex and harder. The situation we are in can be roughly described like this:
slaves with a product manager befallen by featuritis breathing on their neck. THAT is by far the single largest reason for the lousy situation we are in with all that insecure software. NO, it's not even the languages and tools. We did have most of the math needed 50 years ago. We did have excellent engineers and the know-how to build excellent tools.
And we had the necessity to do so but, granted, we hadn't the insight yet; we were still too fascinated by all the things we could suddenly do. But there were warning voices, e. The vast majority of software is designed and built by more or less clueless hobbyists or by corp. I personally and subjectively happen to think that linus torvalds is an extremely dangerous man because he opened the box of Pandora.
He put the then utterly unreflected and now known to be false idea into the heads of millions that just about everybody can, together with a couple of pals, create an OS. Now, before you say but linux is an OS: yes, you are right and not. It is insofar as it more or less does what an OS is supposed to do. And it is not because it doesn't do those things in the way they should be done by an OS. You see, if Paul (14) decides to create an app to manage some hobby of his, just like linus torvalds did for his diving hobby, I don't care.
If his app fails, so what. But if Paul and some pals mistakenly create an OS that some decades later happens to drive major infrastructure we have a problem. A serious one. To be fair, there is another very major culprit, namely the mindless, insane, profit greed driven commercial software field (well, very major parts of it). But (and that's an important but) that alone could be handled and taken care of.
The everybody can hack some cool software virus, however, is by far more dangerous because it pulls the very basis of software engineering out. It creates a situation similar to everybody with a knife can do surgery if he likes to. I of course know that this post is going to bring up many against me. And, please feel free to call me a damn a hole or whatever cools you down. But if you have some, even just a minor, interest in a world where nsa, cia, and many other structures, and, to be fair, even your drunk neighbour can not hack and eavesdrop on you to their liking with you being at their mercy, you might want to think a moment before going against me.
Perhaps the answer is not banning open source and/or free software but giving the teams that develop the highest quality open source and free software projects financial support so the best developers can work full time on writing code. As I see it, OpenBSD is by far more secure than any Linux distribution. I see your point. Linux itself is more secure than Windows, OS X, iOS, Cisco's IOS and even Linux-based operating systems developed by corporations like Google.
So there is something wrong in the development model followed by corporations. What about the bugs found recently in AMT? The real issue here is the huge amount of low quality projects that plague this world, most coming from the free software branch, sometimes more interested in public notoriety than in writing something really useful. It is a shame for a community whose major difference to corporations is that they donate their work to the world for free.
Projects like OpenBSD do not obey the market rule that says the paying customer (who usually has just the money, but a complete lack of knowledge about how to write correct software) decides the evolution of a software product. It is a project whose evolution is in the hands of knowledgeable developers. Can you imagine a corporation rejecting the advice of a customer that signed a multi-million contract with them? On this blog we are talking about security. This concept does not match well with closed source, unauditable to all except governments, written by careless corporations that sometimes develop odd relations with governments e.
Apple, [...] and Microsoft joining the PRISM program. I think open source, and sometimes free software too, are the way to go in a world where trust is a key value. If you think open source is ok but customers never read and fix the code I invite you to read the OpenBSD forums. You will see a lot of careful reviews of code, patches and suggestions by really clever users.
Thoth, who has a well earned and deserved good reputation, made me think quite a bit. Properly, well reflected, and well designed. It must be differentiated; some relatively few projects are good and at least led by a professional. No, I do not think that foss is the way to go. The vast majority, however, is crap; that's OK for diving management and other unimportant hobby stuff but we must get Pandora back into the box, we must make it understood that an OS, a core library e.
can not properly be done by hobbyists. To be honest, I didn't think a lot about making the world better; that's just not how I tick. But it seems to me that we must establish certain, ideally de jure but at least de facto, standards to separate the wheat from the chaff. It seems to me that formal methods are a good way: engineers will at least understand their necessity or even like it while all the hobbyists will howl and fail to pass the barrier. In a next step one can make laws that demand that e.
This might also be good for another reason: applied to the commercial world it will also separate the wheat from the chaff. accounting or banking software must be properly specified, modelled, and verified, or else. No matter what and how, we just must stop the bleeding created by the opened Pandora box and the mindless, merciless greed of many companies.
Bob Dylan's Forked Tounge July 31, 2017 6:34 PM. What all of this discussion overlooks is that for a small subset of people it really is Tor or nothing. We keep bashing those who use Tor for bad reasons but they are the vanguard. If the pedo or the drug dealer isn't safe then none of us are safe because our privacy depends only on the goodwill of the Russian spook or the FBI lawman and I don't know about you but I don't trust their goodwill at all.
That is a divide and conquer bullshit argument. It is based on the false premise that the only thing that state actors care about is catching the crook or the terrorist and if we just let the authorities have the bad guys they will leave the rest of us alone in peace. Total bullshit. The mass collection of metadata, the use of that metadata for propaganda purposes, the secret courts all are evidence of a different outlook: any excuse will serve a tyrant.
The terrorist and the drug dealer are just the most recent excuse. Throw them under the bus and the next thing you know it will be your turn to be thrown under the bus. Russia isn't banning Tor and VPNs for just the bad guys, it is doing it for everyone. If one cares about online privacy then you are sleeping in the same bed as the pedo, the drug dealer, the money launderer, and the terrorist. I keep hearing a line of argument that goes, we shouldn't care about the tiny minority of bad people who use Tor because Tor is really great for the ordinary person who is trying to hide his PII.
Encryption protects the good, the bad, and the ambiguous with equal aplomb. Tor's problems are everyone's problems. So I don't want to hear these arguments that go Tor is weak and, well, shrug, it's not really my problem, it is a problem for somebody else. Privacy doesn't know any morality. There is either a culture of security or there isn't.
There are either effective tools that protect data at rest, in transit, and at the end points or there are not. Compromise on these issues is an admission of defeat because the other side has no interest in compromise (the laws of math are to be suspended in Australia or else). Compromise on these issues is an admission of defeat because the math itself is uncompromising. Compromise on these issues is an admission of defeat because it says that even though we might be right as a matter of fact we don't really have the will to win.
So shut up about Tor being broken and if you have the skills go help Roger fix it. Shut up about how the USA is trashing privacy with their vulnerability hoarding and if you have the skills go help fix them. Shut up about how the legal systems of the US and UK are making mincemeat of people's rights and if you have the skills go to court and fight them. Stop kvetching and get to work. In other words: No, the very top 0.001% of adversaries are not a significant concern of mine.
Either you did not understand what I wrote or you are spinning my words. I was not talking about the 0.001% of adversaries, but of targeted victims by resourceful state actors. And you seemingly not being concerned by the mitigation of security and privacy of the 99.999% others, most of which DO in fact benefit from correctly using (where appropriate) all the utterly useless systems and software you so loathe. The approach to software development you are advocating, however well-meant, in practice would lead to a corporate controlled monopoly, the scarcely available licensed developers being folks with expensive university degrees that can be afforded by big companies only.
It would kill FOSS, stifle innovation and creativity, make prices sky-rocket and be the wet dream of both corporate snoopers and authoritarian regimes that would be the only parties able to review or audit actual source code. Whilst I agree that we are in a huge security mess today, and for the exact reasons you are describing, your solution would perhaps improve security, but create an even worse situation from a surveillance and control vantage. Security is a means to an end, not an end in itself.
And which is a typical engineer thing. They ban it because it can do illegal things, i. prevent or make more difficult nation state mass surveillance. Which is the exact thing you are denying. Good ol' standard potatoes were great for like 250 years till they got a bug and all the Irishmen starved. Microsoft can't even impose 90% uniformity. Let's go for 100%. We're tired of adapting our devastating sabotage malware to lots of different operating systems.
However right you may be about the technical aspect, you're totally ignoring the macro-economic, political and societal aspects of your approach. Let's make them uniform by law. And when you're an aspiring authoritarian, you can't help but muse out loud about the patterns you'll decree. Bob Dylan's Forked Tounge (yet another nick): Cute engaged bla bla. We keep bashing those who use Tor for bad reasons. I don't know anyone around here who bashes tor users.
Yeah, standardize it, that's the ticket. Just btw: Who are you to tell us what to do and what are the rules? When all you've got is authoritarianism, the solution to every problem includes a healthy dose of goose-stepping. Sorry but I don't see much more than rather arbitrary assertions, some of which are even provably false. I'll pick out an important one: lead to a corporate controlled monopoly, the scarcely available licensed developers being folks with expensive university degrees that can be afforded by big companies only.
What a weird conglomerate of BS. Not only could one also make a law demanding that all work done paid by tax money in research and state agencies must be oss available, but also: what, please, would keep those oh so unaffordable developers away from doing what they do now, too, namely to write oss? It's quite simple: All I suggest is that certain sensitive stuff must be done in a demonstrably proper way.
The 95% unimportant stuff can be done by hobbyists like now. And btw, they would profit, too, from my system because they'd have reliable good quality libraries available. You (those who think like you) have had plenty of chances and room. We can see and suffer from the utterly poor results, including btw. rather grave social damage; or how would you describe it when pretty much everyone's privacy and communications is, or can at will be made, transparent?
It's time to step aside, social warriors, and to let engineers' work be done by engineers. And it's time also to create responsibility and to hold the greedy corps accountable at least in some areas where it really counts. Dirk Praet, ab praeceptis. It's not about you. You can scroll all the way up to the top of the page and you will see them by certain people. A search might reveal more on other forum posts. I sometimes wonder why I made the choice to give up good pay and job stability in the Govt Def-Sci area when they nicely offered me the job and I simply refused this rare opportunity and preferred to research, discuss and implement higher assurance stuff in the open knowing that it will not create much returns instead of being bound by Govt contracts by working for them and creating designs that will never see the light of day but as an exchange for a very comfortable and stable life.
You previously mentioned the Enigma Bridge project and they have a topic on Unchaining the JavaCard platform by implementing crypto not supported on COTS JC systems and API. I was surprised that one of the presenters actually knew of my traditional Diffie-Hellman KEX implementation for JC. But if you want a discussion you will have to have arguments. Example: Currently we can not hold companies responsible. We have no ruler along which to measure. I suggest a ruler, namely, a formal approach.
How to break that down into some levels and whom and what to keep to what level can be discussed. One might, for example, demand that software in certain fields of certain kinds must meet this or that level. A lower level might, for example, be that the whole software must be statically typed and must compile without error. That shouldn't even be expensive or burdensome; that can easily be met. A high level might be that the full software must be, or consist of subelements meeting that spec, fully formally spec'd and that both spec and implementation must be provably correct.
That would be much harder, yes, but it would handsomely pay off and moreover we would quite probably have more smaller companies specializing in some libraries in some field rather than the corp. behemoths we have today. Finally: What else could be a better ruler for measuring? Formal methods are objective and fair and we have lots of good experience with similar models in bridge building, railways, aircraft, etc.
Dirk Praet: It is just one of many free tools that allows you to surf the web in a somewhat more anonymous way than standard browsers do. Yep, and there's basically no other free tool that comes close; so it gets the brunt of all kinds of attacks. Any security project here that comes under that scrutiny and attack would fold eventually, I bet.
It's dirty fighting, where they don't get legally punished for otherwise committing crimes like B&E, stalking, intimidation, etc.