
allengarvin’s Techdirt Profile

allengarvin’s Comments

  • Oct 23rd, 2015 @ 3:06pm

    Re: Don't let strangers in your network (IoT device === stranger)

    "using WPA-2 Enterprise, combined with a RADIUS server would work. (I'm not a network guy, just paranoid enough to learn)"

    Very, very few consumer devices support 802.1X. I wish they did. I hate having a single PSK for the devices on my network that are probably the least secure. I isolate them and apply strict ingress and egress rules for traffic to them.

  • Oct 23rd, 2015 @ 2:58pm

    Uh...simple question:

    "If you haven’t configured the kettle, it’s trivially easy for hackers to find your house and take over your kettle," Munro says. ... "I send two commands and it discloses your wireless key in plain text."

    If you haven't configured it yet, how can they get your PSK?

  • May 21st, 2015 @ 10:16am


    It's easy to mix up rules for eating fries dropped on the floor with rules for snooping on people's private communications. Happens nearly daily for me.

  • May 17th, 2015 @ 9:28pm

    Re: Re: Re: Re: Re: Troublesome certificates...

    Yes, abuse of certificate authority is something that's hard to protect against. That's where we rely on the PKI infrastructure to audit CA issuing procedure--it would suck for Verizon if they were caught doing that, and Cybertrust's root CA got revoked. Why would they risk it?

  • May 17th, 2015 @ 10:20am

    Re: Running a CA

    "I'd love to see a protocol somewhere between http and https, that negotiates and encrypts traffic, but doesn't rely on a trust framework."

    It's possible to implement TLS without X.509 PKI infrastructure. In fact, there's an RFC out there that has an alternative, RFC 5081, which allows exchange of OpenPGP keys--this has been allowed since the TLS 1.2 standard (2008 or so); actually the RFC implies other types of cert exchange may be used if it's explicitly negotiated, but 5081 is the only one I know of.

    As far as I know, no one has implemented it yet. There seems to be no interest in it.

  • May 17th, 2015 @ 9:48am

    Re: Re: Re: Troublesome certificates...

    "Verizon does not need the private key since they can use their own private key to encrypt everything again. The only way that you'll notice this is when you check that public key that you've received. "

    No, part of the SSL verification process on the client side is verifying that the domain you're going to matches the domain in an X.509 certificate (the CN in the Subject portion). Unless Verizon managed to acquire a certificate with as the CN, you'll get a cert mismatch error on your browser.

    TLS is well-designed to prevent MITM attacks. Now if the MITM has the private key, that's a different matter. Perfect forward secrecy prevents decrypting after the fact if the session is simply packet-captured. It's not protection against a proxy when the evil party can redirect your traffic through it. And if the cert issuing process is compromised, that's another problem. But people notice when a CA can't be trusted.

  • May 15th, 2015 @ 8:20pm

    There are lots of great arguments but...

    It remains costlier to scale because of the additional computational overhead of TLS. That's still a fact in 2015. It's not necessarily prohibitive, but it has to be taken into account. Load balancers acting as SSL proxies may need additional licensing, or a lot more CPU resources. CDNs charge more for it. And, worse, if you're making that money back in ad revenue, advertising services can pay less when forced to use ssl (or, you might have to skip some sources because they don't serve ssl ads and you don't want one of those "some elements of this page are insecure" messages on your site).

  • Nov 25th, 2014 @ 1:21pm

    Re: What the heck were they thinking?

    It's probably important to note these are "disaster recovery tapes", not email archive tapes. As such, they're probably full disk or LUN image backups, probably taken at regular intervals (month? quarter?). A fragment of data is not particularly useful in a DR situation. So I can easily imagine that recovering email over several years requires examination of a bunch of tapes, especially if there's a regular purge going on, on the servers. DR tapes aren't going to have space-saving measures like incremental diffs or dedupe. You want to dump a full image and bring it up as fast as possible.

    (Also, as for size, I have 9 years of email from a previous job, from 2005 to 2014, exported as PSTs, converted to mbox format and exported to timestamped individual files. The median size is 12k [ls -l | awk '{print $5}' | sort -n | sed -n "$(($(echo * | wc -w)/2))p"], but the average size is a much larger 180k [46k messages totalling 8.1G], and I know I would frequently delete mails with big attachments that I didn't want to save).

  • Sep 20th, 2014 @ 9:08am

    American Spectator has journalistic integrity?

    The magazine that introduced America to theories that Vince Foster was murdered by Clinton to suppress stories about him ordering state troopers to kidnap women and carry them to his boudoir?

    Ok, they don't seem as crazy as they did 20 years ago, but does anyone pay attention to them?

  • Sep 4th, 2014 @ 9:45am

    You're arguing with the Puffington Host!

    This is only a small step above sending a letter to the Daily Mail saying they got some facts wrong.

  • Aug 31st, 2014 @ 6:18pm

    Lock my mailbox?

    I do pretty much 100% of my financial transactions online (with the single exception of tax documents mailed at the start of the year). Lock my mail box? Bah, I'd love for thieves to get into it, and steal the bulk junk advertisements that fill it up every week.

    (Apparently no one else needs it either. A week in, it doesn't have a single solitary contribution)

  • Jul 28th, 2014 @ 9:09am

    Re: Re: Re: Erm..

    Yes, it's the switch to https. If you click past the 'don't go here' you won't even get the site. I explained elsewhere that akamai's "edgesuite" network which serves 80 is a completely different set of servers than those that serve 443 (which they used to call "edgekey" but now are branded something silly). When you go to https on edgesuite, you're connecting to their netstorage service. You get this with *every* akamai customer that's on their edgesuite network.

  • Jul 24th, 2014 @ 8:12pm

    Re: Re:

    Akamai is a good way to mitigate attacks, but it's an expensive one. I've just seen this particular error before, because my last company had a pretty deal with Akamai--we got around 7 cents a gig transferred. Not necessarily good compared to other CDNs but pretty good for Akamai. We would see this error because we'd get customers on Akamai, and then they'd do a security scan, it would come back highlighting that the SSL cert didn't match, and asked to fix it. Then, we'd say, ok, just pay for an Akamaized SSL site, which will cost you 5 times as much, plus you have to use Akamai as your SSL vendor, which makes netsol look cheap, and then they'd come back and say "no thanks".

    I found some other sites that will give you the same error:

    You can tell which sites are on the Akamai SSL network by seeing what they're CNAME'd to. If it's, it'll give a cert error. If it's, it's good:

    [agarvin@atg-home logs]$ dig +short
    [agarvin@atg-home logs]$ dig +short
    Note this domain:
    [agarvin@atg-home logs]$ dig +short

    Look at the cert with openssl s_client and you'll see the CN is for
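    As an added example (not code from any of the comments above), this is the client-side hostname check that the May 17 "Troublesome certificates" reply and the Akamai CNAME comment both describe: the requested name must match a DNS SAN in the certificate or, failing that, the subject CN, so a proxy or shared edge server presenting its own certificate produces a name mismatch. All certificate contents and domain names are constructed placeholders.

```python
# Added example (not from the Techdirt comments above): the hostname check a
# TLS client performs, as described in the "Troublesome certificates" and
# Akamai comments. Certificate dicts mimic the shape returned by
# ssl.SSLSocket.getpeercert(); all names below are constructed placeholders.

def _name_matches(pattern: str, hostname: str) -> bool:
    """Match one certificate name against the requested hostname.

    Exact match, or a single leftmost wildcard label ("*.example.com")
    that covers exactly one label and never a bare second-level name.
    """
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if not pattern.startswith("*."):
        return False
    parent = pattern[2:]
    labels = hostname.split(".")
    return parent.count(".") >= 1 and len(labels) > 1 and ".".join(labels[1:]) == parent


def cert_dns_names(cert: dict) -> list:
    """Names the certificate claims: DNS SANs if present, else the subject CN."""
    sans = [v for t, v in cert.get("subjectAltName", ()) if t == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]


def hostname_matches(cert: dict, hostname: str) -> bool:
    """True when the requested hostname is covered by the presented certificate."""
    return any(_name_matches(n, hostname) for n in cert_dns_names(cert))


# Constructed cert 1: a CDN's shared edge certificate, CN only, issued for another name.
SHARED_EDGE_CERT = {
    "subject": ((("countryName", "US"),), (("commonName", "shared-edge.cdn-example.net"),)),
}
# Constructed cert 2: the site's own certificate with SANs, including a wildcard.
SITE_CERT = {
    "subject": ((("commonName", "example.com"),),),
    "subjectAltName": (("DNS", "example.com"), ("DNS", "*.example.com")),
}

if __name__ == "__main__":
    for cert, host in [(SHARED_EDGE_CERT, "www.example.com"), (SITE_CERT, "www.example.com")]:
        print(host, "->", "ok" if hostname_matches(cert, host) else "CERT NAME MISMATCH")
```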

  • Jul 24th, 2014 @ 10:27am

    (untitled comment)

    Eh, I've set up a lot of Akamaized sites in the past 15 years. That's not a real problem: it's someone who went to an akamaized http site through https. You have to pay extra money to get their SSL versions, and then you have to CNAME your domain to another set of servers, their special SSL servers.

    If you put https in front of any site CNAME'd to Akamai that isn't paying for the extra SSL, you'll get basically the same error, because it sends you through their old edge network--it supports SSL, but it's for serving individual assets like images or swfs.

    It's probably historically related to the way they rolled out different offerings. Basically, for this site, they didn't want to spend a few thousand extra a month for SSL offerings.

  • Jul 13th, 2014 @ 4:18am


    "Most major companies now have a chief corporate security officer tasked with assessing and mitigating "threats" of all sorts -- including from nonprofit organizations."

    Wat?? The scare quotes, the weasel words "of all sorts", the addition of "including nonprofits!": This is the silliest, fake-scariest description of the CSO position that I've ever seen.

  • Jun 26th, 2014 @ 8:21pm

    (untitled comment)

    Personally, I'm beginning to doubt whether the technology exists, fuzzy logic or not, that is able to cook a frozen burrito or Chinese noodle box where one part is a fraction of a degree away from initiating nuclear fusion, and the next bite is cold enough to enable superconduction.

  • Jun 17th, 2014 @ 10:32am

    Is it safe?

    You'll be losing that side B-pillar, or at least its connection to the frame. Can it stand up to side-impact collisions? There might also be some structural issues in roll-overs, though I guess no worse than convertibles currently face.

  • Jun 4th, 2014 @ 8:17pm

    I remember being taught cursive in 2nd grade

    I was terrible at it. I had mostly taught myself writing sometime around age 4-5. When I got to 2nd grade, I held my pen "wrong", and I was absolutely terrible at writing cursive. As a consequence of my inability to write cursive and illegible handwriting, I was placed in the "slow-track" classes in 3rd, 4th, and 5th grade. All that time I considered myself one of the slower, dumb students. Then came 6th grade, where students got classified by standardized test scores, and I got placed in the smart classes, and also the accelerated learning, because I had the highest math scores in the district. In 7th grade, I went back to printing my letters, and ever since, I've been highly skeptical of cursive and any kind of tracked education placement--both kinds I encountered were so arbitrary.

    Cursive should have been ditched with the ballpoint pen. Or the fountain pen. It only has real advantage with true dip pens. Speed is more a matter of practice. Even though I write very little by hand these days, I have such instinctive muscle memory that if needed, I can totally zip out hand-written "printed" notes at impressive rates.

    (OK, I remain totally jealous of an elegant italic hand, but I know I'll never master it)

  • Mar 27th, 2014 @ 8:59pm

    (untitled comment)

    Go look at the article it links to. The main reason it was denied is that they weren't trying to brand any potatoes. There's not a single potato in the application. Note this part: "The application doesn’t appear to have anything to do with actual potatoes. The rejection notes that the applicant applied for the trademark to market “entertainment services” and all sorts of merchandise, from clothing to trading cards."

    It got denied mainly because it could be confusingly similar to the Washington Redskins team trademark.

  • Mar 27th, 2014 @ 8:54pm

    Re: Re: But...

    Except the application was for gift wrap and some clothing. There were no actual potatoes being branded. It was potato-related items.
