Actually, you could work a theoretical pigeon drop with any form of digital currency. It'd be complex in setup, but ultimately easy.
Not just digital currency, pretty much any modern currency. The only things where it's much harder to work is a trade or barter system, and systems where the money is insane, like that mob with the giant stone discs in Micronesia.
A much easier thing to pull off - at least with bitcoin - would be a Thai Gem style con, selling "Software", a big encrypted file or something of the like, which the mark purchases a decryption key for, and of course, either the decryption key or the file itself is useless nonsense - A scam made much easier by the cash-like utility of bitcoin.
Regardless of whether Bitcoin is scamalicious, it can certainly be used by scamalicious people:
"There's a popular discussion happening at the Bitcoin forums about a new browser-based bitcoin miner released today. This lets people mine for bitcoin straight from the browser. There's talk of making an embeddable version. How long until websites start using CPU power from their users to create Bitcoin for their owners?"
Actually, you could work a theoretical pigeon drop with any form of digital currency. It'd be complex in setup, but ultimately easy.
Not just digital currency, pretty much any modern currency. The only things where it's much harder to work is a trade or barter system, and systems where the money is insane, like that mob with the giant stone discs in Micronesia.
Yeah, but I'm talking about making the Bitcoin itself the pigeon.
I love the way all you guys are so fixated on the idea of doing a scam with these when the much easier and obvious answer is to simply break into the computers, install a key logger and steal the bitcoins. I mean as long as you're bent on doing something illegal, why choose the complex route? Scams are a thing of physical money (or any funds that require physical access), since it is very, very hard to physically take something without being caught.
When was the last time you heard about someone getting scammed out of their credit card details? Never? And when was the last time you heard about CC details being compromised in an attack on some service provider? Like, last week. If bitcoins became popular, the majority of theft would not be centered around scamming people but simply about stealing the coins. Using a botnet to attack the bitcoin network? As if! Just get all the bitcoins stored on all the machines in the botnet and you're done!
When was the last time you heard about someone getting scammed out of their credit card details?
It happens all the time, though usually against older people using phone calls or from email phishing attacks.
I'll concede that email phishing is probably a substantial part of CC fraud, and in view of the point I was making I should have said being scammed out of some cash that they had in their wallet. Again, in light of bitcoin and email phishing, attackers will not try to defraud you out of some amount of bitcoins (which is what some people here seem to be fantasizing about), they'll most likely just run some malware and take all of them.
To put it bluntly: when your computer becomes your wallet, you better be damn sure you have a secure operating system.
I love the way all you guys are so fixated on the idea of doing a scam with these when the much easier and obvious answer is to simply break into the computers, install a key logger and steal the bitcoins. I mean as long as you're bent on doing something illegal, why choose the complex route? Scams are a thing of physical money (or any funds that require physical access), since it is very, very hard to physically take something without being caught.
Because it's fun. If I was coming up with a way to efficiently rob people, it would be quick, simple, relatively low risk and boring - just robbing houses, basically. But if I'm not going to rob houses, and I'm not going to scam people, but I'm going to amuse myself thinking of ways to do it, Then why the fuck am I going to sit around repeating "I'm going to kill the power at the meter, pop the lock on the back door, clean the place out, walk away, fence everything" for every situation, when I can come up with more entertaining scams, instead?
I love how you're crazy defensive of the bitcoin network. Tell me, Timo, How many Bitcoins in your wallet? How many ponzi scheme space dollars does it take to make you so defensive?
When was the last time you heard about someone getting scammed out of their credit card details? Never?
As Rym Noted, pretty much constantly - In fact, a bloke got arrested at a place I used to work for doing just that. He was taking photos of people's credit cards "As a new policy for the store because of a big rise in credit card fraud" and then taking the photos and buying shit online with the cards.
And when was the last time you heard about CC details being compromised in an attack on some service provider? Like, last week.
I didn't think you were foolish enough to give me the "Recently" option instead of last week, Since PSN having EXACTLY THAT happen was about three weeks ago.
If bitcoins became popular, the majority of theft would not be centered around scamming people but simply about stealing the coins. Using a botnet to attack the bitcoin network? As if! Just get all the bitcoins stored on all the machines in the botnet and you're done!
Yo, Bitcoin Crusader, you want a cape and a logo on your chest? The point of using a botnet to attack the bitcoin network is to take advantage of a vulnerability built straight into the system, to do exactly what you're talking about - Stealing the coins. In the words of the guy who DESIGNED THE FUCKING SYSTEM, "If a greedy attacker is able to assemble more CPU power than all the honest nodes, he would have to choose between using it to defraud people by stealing back his payments, or using it to generate new coins." Scamming people out of bitcoins is viable by design too, and far easier than even botnet attacks, which would be trivial - because of the apparent security of the system when one group doesn't own the majority of the computing power, the easiest way to steal someone's money is to have them just straight up GIVE it to you - and thanks to Bitcoin's supposedly Anonymous nature, Once those coins are in your wallet, too fucking bad for them. It's a P2P network that at this time nobody controls - so who are they gonna complain to? They can tell other people about it in the forums, sure, but anyone smart enough to pull a successful scam like that is smart enough to be able to have enough variations that it would take a long time before it was even difficult to achieve.
I'll concede that email phishing is probably a substantial part of CC fraud, and in view of the point I was making I should have said being scammed out of some cash that they had in their wallet.
I'm not willing to go out and actually do it - I do try to be a good person, after all - but were I to decide tomorrow to do so, I could trivially start living off cash gained by straight up running street cons - I would have to eventually graduate to larger or longer cons, or move about a little more, but it's far from impossible, in fact I'd wager such crimes are not uncommon.
I love how you're crazy defensive of the bitcoin network. Tell me, Timo, How many Bitcoins in your wallet? How many ponzi scheme space dollars does it take to make you so defensive?
I don't know whose posts you are attributing to me. Every post I've written is about how terrible the bitcoin idea is. In fact, I laid out the exact same economic reasons against bitcoin that the post you linked by Adam Cohen contains. And when Rym and Scott back up what I was saying about the technical impossibility of outlawing bitcoin like systems and the technical soundness of the general idea, you tucked your tail:
Huh, Fair enough then. That's what I get for saying something without knowing enough about it.
You do have a point, yeah, I can see where you're coming from. Thanks for setting me straight on that.
Now, I don't care whether you respect me or not. I especially don't care whether you respect me more than Scrym, but selectively agreeing and disagreeing with different people arguing the same point is not a valid strategy in a debate.
I'm sorry if I rained on yours and WUB's heist brainstorming parade, but at least you got me good for using a bad analogy with those credit cards. However if you think that I'm pro bitcoin then I can only assume that a) you didn't read what I wrote, or that b) you are incapable of understanding what I wrote.
Yo, Bitcoin Crusader, you want a cape and a logo on your chest?
Please show me even one context where I said that bitcoin is a good idea.
I don't know whose posts you are attributing to me. Every post I've written is about how terrible the bitcoin idea is. In fact, I laid out the exact same economic reasons against bitcoin that the post you linked by Adam Cohen contains. And when Rym and Scott back up what I was saying about the technical impossibility of outlawing bitcoin like systems and the technical soundness of the general idea, you tucked your tail:
I'm being an ass, because you said this -
I love the way all you guys are so fixated on the idea of doing a scam with these when the much easier and obvious answer is to simply break into the computers, install a key logger and steal the bitcoins.
You gotta have some freakish long arms to draw a bow that long. It's a laugh, not a serious analysis, because I'm not someone with sufficient knowledge of technology to make a proper analysis. What I do know, However, is Scams, so that's something I'm happy to talk about in regard to bitcoin. It's just simple mental exercise, because - pay attention, this is a very important point - this is not fucking Ocean's 11, nor any other heist movie you care to name, and we don't need to make plans to actually rip off bitcoin. Hey, here's one - Fly to the states, and take a lead pipe to the founder till he exchanges all his millions of bitcoins for real money, and then gives us the money. Simple and efficient.
And when Rym and Scott back up what I was saying about the technical impossibility of outlawing bitcoin like systems and the technical soundness of the general idea, you tucked your tail:
Oh, Fuck yourself. Here's an idea, if you want, every time they make a good point, I can haul off and just call them cunts or otherwise abuse them, instead of conceding a point so that I don't have to waste the effort getting into a pointless argument with them, again. And of course, You didn't have the balls to quote what that was in response to, where Scott gives his opinion not that it's technologically infeasible, simply pointless, because the value of bitcoins would drop to zero rapidly - at least by his analysis. Also, I repeat again, the guy who designed the system pointed out this vulnerability, and said it's a method of stealing bitcoins - Y'know, like where I directly quoted him saying so, one post above. Or mentioning what Rym said that I responded to, which was about how it would be hard to outlaw them without broad and impossible to enforce laws - something I didn't think of, because I lack knowledge about how US law works, rather than bitcoin itself.
Now, I don't care whether you respect me or not.
A healthy attitude, really. I'm not really someone who has impact on your day to day life.
I especially don't care whether you respect me more than Scrym,
About equally, to be honest.
but selectively agreeing and disagreeing with different people arguing the same point is not a valid strategy in a debate.
And no. Now you're flinging shit to see what sticks. I'm having a go at you, because you took the piss. If you want to take the piss and then kick off because you don't like the response, then all I have to say is Harden the fuck up princess, if you don't like copping it, don't hand it out.
See, If we have the conclusion The sky is blue, and we both say it's the atmosphere that causes it, But one party says it's because of science, and the other party says the same thing but also says this is the case because god made it all that way because god invented science, I'm going to disagree with the latter, despite that on the topic of blue skies, they're both saying something at one point which makes perfect sense.
Also, You've forgotten where I got you good on saying that a botnet attack would be an as if, when they could just mine with them/pull the stored coins from them instead (you directly said the latter, though the latter would also be an intrinsic part of the former, one would think), whereas the guy who invented the whole deal acknowledges its validity as a method of stealing coins - and in fact, with the built in hard limit on the amount of bitcoins in circulation and the decline in produced coins by mining as the hard limit is approached - as it would if bitcoin became popular - if you're using a botnet, stealing coins by double-spending would be far easier and far more profitable over mining. Consider that bitcoin is highly unlikely to get enough active users to make overwhelming them with one of the large botnets difficult or impossible - It's been going since 2009, and has had decent enough media coverage on and off since then, and I'd bet its userbase total is still only in the tens of thousands (I'm thinking in the 20K range, at best - the only real graph I've seen seemed to indicate about 14-17 K, but it was from January or February this year) which is really only medium sized for a botnet, as best I can tell.
However if you think that I'm pro bitcoin then I can only assume that a) you didn't read what I wrote, or that b) you are incapable of understanding what I wrote.
Assume I'm a giant purple people eater hopping down the street while whistling "I'm fucking Matt Damon" if it pleases you or makes you feel better. I couldn't give less of a fuck about what you assume in regards to me, and its ability to affect reality is minuscule at best, if you're feeling charitable towards its chances.
Please show me even one context where I said that bitcoin is a good idea.
I was absolutely taking the piss. If it makes you feel better, I am absolutely willing to colour it the most visually offensive green I can manage, and maybe in future start colour coding every time I take the piss with an equally visually offensive yellow.
Edit - All right, I'm being an arsehole, I need to stop that. I'm not deleting it - I feel that would be a wee bit cowardly, to delete it just because I've made myself look a right dickhead - but I do apologize for being a cock, now that I've had some sleep, nicotine and caffeine, and thus I'm wearing a slightly cooler head.
If that's the kind of friendly jab that gets your goat, then that's all you.
because I'm not someone with sufficient knowledge of technology to make a proper analysis.
If you want someone who gives a fairly layman description you can listen to or read the show notes of Steve Gibson's Security Now podcast episode discussing Bitcoin (mp3, pdf). Now Steve is a total Bitcoin fanboy and I find him slightly irritating, but he does know crypto and he does an OK job of explaining it. Start from about 40 minutes in, which is where they get into the main topic. There is also a follow up episode (mp3, pdf) with listener feedback on the issue, but I haven't listened to it.
If that's the kind of friendly jab that gets your goat, then that's all you.
Nah, I was being a cockhead - I edited that in, but I think I edited that in at the same time you were typing this response, so you and I were both unaware of said edit and post, respectively. My fault entirely, I make no excuses, I've got to cop it sweet - I was being an uptight wanker, and I acted an idiot about it. Again, My apologies, and entirely my fault.
If you want someone who gives a fairly layman description you can listen to or read the show notes of Steve Gibson's Security Now podcast episode discussing Bitcoin (mp3, pdf). Now Steve is a total Bitcoin fanboy and I find him slightly irritating, but he does know crypto and he does an OK job of explaining it. Start from about 40 minutes in, which is where they get into the main topic. There is also a follow up episode (mp3, pdf) with listener feedback on the issue, but I haven't listened to it.
I haven't listened to security now in a long time - I got sick of the constant spinrite plugs - but I've been thinking about getting back onto it, so I'll be sure to download and listen to that.
If you want someone who gives a fairly layman description you can listen to or read the show notes of Steve Gibson's Security Now podcast episode discussing Bitcoin (mp3, pdf). Now Steve is a total Bitcoin fanboy and I find him slightly irritating, but he does know crypto and he does an OK job of explaining it. Start from about 40 minutes in, which is where they get into the main topic. There is also a follow up episode (mp3, pdf) with listener feedback on the issue, but I haven't listened to it.
Steve knows crypto? Oh, I laugh. He only has a slightly better grasp of it than the average layman and he is in fact a laughing stock among the true security experts. There is a very good reason why he never attends any security conferences -- he'd be pwned at the drop of a hat. Spinrite, as annoying as the plugs for it are, is actually a pretty good program -- it's been around and strongly recommended by computer experts for at least 20 years, but I wouldn't trust Steve for anything security related.
Steve knows crypto? Oh, I laugh. He only has a slightly better grasp of it than the average layman and he is in fact a laughing stock among the true security experts. There is a very good reason why he never attends any security conferences -- he'd be pwned at the drop of a hat. Spinrite, as annoying as the plugs for it are, is actually a pretty good program -- it's been around and strongly recommended by computer experts for at least 20 years, but I wouldn't trust Steve for anything security related.
What should I have said? He evidently knows crypto. I didn't say he knows it well. But if you want to play the nitpick game then let's go: Crypto != Security. The fact that you get the two mixed up is laughable.
Cryptography is essentially easy, if you have half a brain, as demonstrated by the ability of Steve to explain things like Diffie-Hellman on an audio podcast. Security is an entirely different beast and crypto is just a small part of it. Indeed often crypto has to be reassessed in the context of its various real world implementations in security, authentication, etc.
I wouldn't trust Steve for anything security related.
To my knowledge Steve doesn't do security, so there is no possibility for you to trust him with security. As for true security experts laughing at him, that is about as professional and fruitful as laughing at someone who is an anime fanboy and totally into the NarutardBalllZ when you are sitting pretty on Miyazaki/GitS/Eva.
There is a very good reason why he never attends any security conferences -- he'd be pwned at the drop of a hat.
Sigh, I have no doubt that just about anybody can get pwned at a security conference and unless you are a very insecure person you wouldn't care. I'd love to see you produce evidence for your speculation as to Steve's reason for not going though.
Truth.
Really? I can count at least three logical fallacies in that comment, not including the crypto==security flub.
What should I have said? He evidently knows crypto. I didn't say he knows it well. But if you want to play the nitpick game then let's go: Crypto != Security. The fact that you get the two mixed up is laughable.
Okay, fair enough. He does apparently seem to understand the mathematics and theory behind crypto, so I'll give you that. Most of my opinion on him not knowing crypto as much as he claims to has to do with him coming off as a general know-it-all in areas he probably shouldn't be discussing. I'll give him that he's probably a pretty smart guy, has really good knowledge of how hard disks work, and is probably quite the good x86 assembly programmer (although he's also made some claims about the advantages of assembly programming that are utter crap as well -- but that's another discussion).
Cryptography is essentially easy, if you have half a brain, as demonstrated by the ability of Steve to explain things like Diffie-Hellman on an audio podcast. Security is an entirely different beast and crypto is just a small part of it. Indeed often crypto has to be reassessed in the context of its various real world implementations in security, authentication, etc.
Point taken.
I wouldn't trust Steve for anything security related.
To my knowledge Steve doesn't do security, so there is no possibility for you to trust him with security. As for true security experts laughing at him, that is about as professional and fruitful as laughing at someone who is an anime fanboy and totally into the NarutardBalllZ when you are sitting pretty on Miyazaki/GitS/Eva.
The problem is that Gibson claims to be an anime fan of the Miyazaki/GitS/Eva sort despite actually being a NarutoballZ fan. He certainly claims to be a security expert on his podcast and his site. He's also made the claim when he "invented" syncookies and predicted that raw socket support in Windows XP would be the end of the Internet as we know it (and somehow his claims managed to convince Microsoft to remove raw socket support from non-server versions of XP). It was these claims that made him the laughing stock among true security experts. About all I can give you is that he doesn't claim to be a professional security researcher.
There is a very good reason why he never attends any security conferences -- he'd be pwned at the drop of a hat.
Sigh, I have no doubt that just about anybody can get pwned at a security conference and unless you are a very insecure person you wouldn't care. I'd love to see you produce evidence for your speculation as to Steve's reason for not going though.
Okay, I was not stating that as a literal reason why he wouldn't attend. The more precise reason is that he is simply out of his own league at any security conference and is looked upon so poorly by the real security experts.
His podcast does make for a pretty decent weekly security news roundup, but I pretty much always fast forward past the security news stuff when I listen to it.
Well, security researchers generally aren't celebrities... However, here are some of them that I could dig up info on:
Bugtraq is the former name of the mailing list/website now known as Security Focus. This has been considered the top location for security research information and vulnerability discovery/disclosure on the internet for nearly two decades.
Thomas C. Greene is the author of Computer Security for the Home and Small Office. He has published multiple articles on the very well regarded Security Focus website, including one debunking Steve's claims on the Windows WMF vulnerability.
Marc Maiffret is the CEO of eEye Digital Security. He's also the co-founder and discovered some of the very first Microsoft critical security vulnerabilities including the first Microsoft computer worm.
Kurt Östreich is a network security engineer and a developer on the ssh team.
Tim Mullen is another writer for the Security Focus website.
Fyodor is the author of the nmap port scanning tool.
While many of the other names on the list are either little-known pseudonyms or people I couldn't find any info on, the ones I could dig up info on are leading security experts.
It just kind of lost a bit of credibility to me when it quoted "Dan," "Roger," and "Not signed."
Fair enough. I have a feeling this site just collected statements from various security chat rooms, forums, etc., and left them as-is, even ones that have high degrees of anonymity. However, that site has a whole bunch of articles (sadly all several years old -- guess Steve hasn't been tooting his horn as much recently) pointing out just how little Steve knows about security.
Well, the guy at the top of the list, Thomas C Greene, is a Senior Editor for The Register, Marc Maiffret is the CTO of eEye Digital Security and chief security Architect at FireEye, and founder of Invenio Security - who, curiously, was a featured guest on Security Now where he seemed quite pleasant to Steve and Leo, and agreed with Steve on a number of points - there are a couple of different Steve Means I can find, and for relevant ones, it is most likely going to be either a Team Lead Engineer III at IGT, Senior .NET Developer at VerveLife, or Director of Information Technology Services at Planet Data Solutions. I can't really find a Glenn Hunt that seems to fit except for a tech writer, and the only Tim Mullen I can find that seems likely is Dr. Timothy Mullen, CEO of H4RDW4RE.
Admittedly, I'm not digging hard to find out for sure, but that's a lazy five minutes looking.
Other than that, Nobody worth speaking of, credibility wise - and I'd be taking with a grain of salt the opinions of a company who have a large section on their website dedicated to nothing more than bashing Gibson and his company, who just so happen to also be in direct competition with his company - Especially on a list of out-of-context quotes, a large portion of which are from pseudonyms which could relate back to fucking ANYONE, and the people with any grounding in the field who are down on him in their out of context quotes are far outnumbered by people with equal footing who seem to give Steve quite positive reviews.
Other than that, Nobody worth speaking of, credibility wise - and I'd be taking with a grain of salt the opinions of a company who have a large section on their website dedicated to nothing more than bashing Gibson and his company, who just so happen to also be in direct competition with his company.
I dunno, I'd say the general point of view of Security Focus/Bugtraq and Fyodor also counts for something in the credibility department. And while I do agree with you that it's a bit much to have a whole section dedicated to bashing Gibson on their site, I disagree that they compete with him. Their one product is a bunch of advanced productivity/file management tools for Windows. Gibson's only real product is Spinrite. They don't compete at all -- and in fact Gibson was a one-time customer of this company.
Of course, that was just the first site that came up on my Google search showing how little Gibson knows about security. Another great example is this old posting of Bruce Schneier's (scroll down a bit to the "DDOS attack against grc.com" section). Schneier is considered one of the top security experts in the world.
Another one is a direct quote from the author of nmap, Fyodor. This is the quote in its entirety, context preserved:
Anyway, it seems that Steve Gibson hasn't seen any of the versions of nmap that have raw socket support on Windows. Also, I can't see any reason why a malicious user couldn't just flood a site using UDP sockets.
Steve Gibson is a media slut and should be treated as such. If you look at how he writes up things on his own web site, you can see they're made to look just like how they might in print. In my surveying of what he's done, he's done...well...nothing very exciting. His "nanoprobes" were really lame (a different spin on what nmap does) and if people would just start ignoring him, we'd be much better off.
[ Moderator note: I agree 100% with Darren & Andy. Gibson is a charlatan whose "research" is written for clueless media reporters (for press attention) and the teeming masses of internet newbies (to whom he sells various products). His "findings" are not new, are always filled with massive hyperbole, and are frequently completely false. Instead of presenting evidence to prove his points, he tends to just state them using goofy blue or green fonts as if that somehow adds credibility. We recommend avoiding this guy! ]
this old posting of Bruce Schneier's (scroll down a bit to the "DDOS attack against grc.com" section). Schneier is considered one of the top security experts in the world.
You should have just posted this. I loves me some Schneier; no arguments here.
You should have just posted this. I loves me some Schneier; no arguments here.
My apologies for not posting it sooner. It took a bit more Googling to find Schneier's article on Gibson whereas the RADSoft link came up first on my particular query.
I dunno, I'd say the general point of view of Security Focus/Bugtraq and Fyodor also counts for something in the credibility department.
Not if you're talking about the credibility of anything Radsoft says. Quoting someone far more credible does not make Radsoft credible, particularly on the issue of speaking on their competitor.
Gibson's only real product is Spinrite.
And SecurAble, ShieldsUp, DNS Benchmark, LeakTest, OptOut (One of the first Adware Removal programs), and a number of other free tools. He's Best known for Spinrite, but it's far from his only real product. Shit, it's far from even being his only popular product.
They don't compete at all -- and in fact Gibson was a one-time customer of this company.
That doesn't actually mean anything, let alone preclude the possibility of being in competition.
Of course, that was just the first site that came up on my Google search showing how little Gibson knows about security. Another great example is this old posting of Bruce Schneier's (scroll down a bit to the "DDOS attack against grc.com" section). Schneier is considered one of the top security experts in the world.
Yeah, I know who Bruce Schneier is, I know his rep. You didn't read that article, did you? The article being from June 2001, I might add. Bruce straight up says
I'm not surprised that Gibson could not defend himself. DDOS attacks are a network problem, not a computer problem.
and in the same paragraph says
Gibson couldn't prevent the attacks because the problem wasn't in anything under his control. It's up to the ISPs to figure out how to stop such things.
So, How does Bruce saying "He spent a lot of effort to try and fight the problem, realized he couldn't, and surrendered, but that's okay, because it's not anything he could control" mean he's decrying Steve Gibson? He's not saying Gibson is shite, if anything, he's kinda agreeing with him and saying there is nothing he could do, even though he tried to do something about it anyway before giving up. Bruce is talking about how that sort of thing had the potential to become a huge problem if something wasn't done, Not about Gibson being incompetent - he agrees with Gibson, Quotes his essays on the problem he's writing about there, and even supports his opinions in some places - So, basically, It's an article where Steve Gibson is being Backed up by one of the top security experts in the world, albeit a decade ago.
I'm not saying Gibson is perfect, But he's nowhere near as bad as these guys are making him out to be. Unless, of course, they'd like to offer some evidence other than their own opinion? On top of that, I'm not surprised - Steve is a vaguely popular Security Expert and/or pundit - and I'd love to be able to say it's horribly uncommon that some people will just shit on someone because they're popular. Basically, the more visible you get, the more likely a small portion of people who do the same thing you do will go out of their way to shit on you, no matter what you do. Some people just love to hate - The kind of people who'd walk around the Garden of Eden complaining about the lack of mobile reception, or watch Nelson Mandela go free and say "Isn't Diagnosis Murder on the other side?"
I dunno, I'd say the general point of view of Security Focus/Bugtraq and Fyodor also counts for something in the credibility department.
Not if you're talking about the credibility of anything Radsoft says. Quoting someone far more credible does not make Radsoft credible, particularly on the issue of speaking on their competitor.
Again, I don't see where they are competing. They compete with each other about as much as Adobe competes with Konami -- in that they're both software companies but none of their products directly compete against each other. Besides, I was able to dig up the direct, in-context quote from Fyodor about Gibson. I could probably dig up many of the other original sources Radsoft pulled from (for example, here's Greene's article on Gibson reinventing syncookies badly) when generating their quotes page if given the time.
Gibson's only real product is Spinrite.
And SecurAble, ShieldsUP, DNS Benchmark, LeakTest, OptOut (one of the first adware removal programs), and a number of free tools. He's best known for Spinrite, but it's far from his only real product. Shit, it's far from even being his only popular product.
Aren't all these tools, except for Spinrite, free? Spinrite is his one product that he sells.
They don't compete at all -- and in fact Gibson was a one-time customer of this company.
That doesn't actually mean anything, let alone preclude the possibility of being in competition.
True, but even so, you have yet to convince me that they are actually in direct competition.
Of course, that was just the first site that came up on my Google search showing how little Gibson knows about security. Another great example is this old posting of Bruce Schneier's (scroll down a bit to the "DDOS attack against grc.com" section). Schneier is considered one of the top security experts in the world.
Yeah, I know who Bruce Schneier is, I know his rep. You didn't read that article, did you? The article being from June 2001, I might add. Bruce straight up says "I'm not surprised that Gibson could not defend himself. DDOS attacks are a network problem, not a computer problem."
and in the same paragraph says
Gibson couldn't prevent the attacks because the problem wasn't in anything under his control. It's up to the ISPs to figure out how to stop such things.
So, how does Bruce saying "He spent a lot of effort to try and fight the problem, realized he couldn't, and surrendered, but that's okay, because it's not anything he could control" mean he's decrying Steve Gibson? He's not saying Gibson is shite; if anything, he's kinda agreeing with him and saying there is nothing he could do, even though he tried to do something about it anyway before giving up. And then he goes on to criticize him for surrendering to a 13 year old and blaming Microsoft for his problems due to the inclusion of raw socket support in XP. He wasn't as harsh as Fyodor, but he did show that Gibson was barking up the wrong tree on this issue and blaming the wrong people for the problem.
I'm not saying Gibson is perfect, but he's nowhere near as bad as these guys are making him out to be. Unless, of course, they'd like to offer some evidence other than their own opinion?
Read Greene's article that I linked above for something other than pure opinion. It is the Register, so it is quite snarky, but he at least does cite the work of the original syncookie authors on the subject.
Granted, Gibson hasn't made any outlandish claims in recent years, which is probably why you haven't seen the same rhetoric coming from any security experts recently. It'll be interesting to see what happens if/when his vaporware product, CryptoLink, is released.
And then he goes on to criticize him for surrendering to a 13 year old and blaming Microsoft for his problems due to the inclusion of raw socket support in XP. He wasn't as harsh as Fyodor, but he did show that Gibson was barking up the wrong tree on this issue and blaming the wrong people for the problem.
The ordinary citizens of the digital world are in thrall to teenage terrorists, and nobody seems to be paying attention. How long will it take before some of these guys figure out they can extort money or other valuable goods with their ambushes? This situation is not going to magically get better. There is no technology waiting in the wings that is going to solve this problem. And as Steve Gibson said in his essay: "We can not have a stable Internet economy while 13-year-old children are free to deny arbitrary Internet services with impunity."
Unfortunately, most of the press about this escapade has centered around Gibson's accusations against Microsoft. He claims that Windows XP will make this much worse, and Microsoft has responded with its typical press propaganda. That's a pity, though, because I think Microsoft is mostly right here. It's just not true that you can't spoof Internet packets with current versions of Windows. It's not easy, but it's not impossible. Yes, Windows XP will make it worse. But as Gibson points out, it's amazingly bad right now.
Steve Gibson has written a fascinating and entertaining essay about his experiences with a distributed denial-of-service attack against his Web server. It had good analysis, conversations with teenage hackers, and general predictions for the future. I strongly urge everyone to read it.
I'm not surprised that Gibson could not defend himself. DDOS attacks are a network problem, not a computer problem.
Gibson couldn't prevent the attacks because the problem wasn't in anything under his control. It's up to the ISPs to figure out how to stop such things.
Yeah, no.
True, but even so, you have yet to convince me that they are actually in direct competition.
XPT duplicates the functionality of many of the tools Steve has released. They are selling a tool which does what one of Steve's products does - at least, if you purchase it - and said product is one of the most popular tools around. Others, he's releasing for free what they're asking you to pay for. Don't bother asking me to click through their shitty website again, though - Radsoft's apparently hasn't been updated since Windows 98 was the big thing. Gibson's isn't great, but shit, Radsoft, you need to sort that shit out, it's terrible. I honestly can't even tell if they're actually still selling the product, or if they quit years ago to dedicate themselves to a life of monastic pursuits and hardcore porn. Christ, even their awards page lists nothing since about 2001 or so - and it doesn't help that they seem to be part of a ludicrously small minority of people who are really shitting on Gibson hard and indiscriminately, when the other side seems to be larger, and equally if not more experienced and knowledgeable.
Unfortunately, most of the press about this escapade has centered around Gibson's accusations against Microsoft. He claims that Windows XP will make this much worse, and Microsoft has responded with its typical press propaganda. That's a pity, though, because I think Microsoft is mostly right here. It's just not true that you can't spoof Internet packets with current versions of Windows. It's not easy, but it's not impossible. Yes, Windows XP will make it worse. But as Gibson points out, it's amazingly bad right now.
I don't know... That right there shows to me that Schneier is dubious about Gibson's claims that XP's raw sockets are the end all be all of the problems he's seeing. Granted, he did say that the analysis, etc., in Gibson's article is good, so I'll give you that. Schneier also isn't the type to flame someone for being wrong.
If you want something more recent, how about the fact that he was totally wrong about what Metasploit does. In fact, Attrition.org itself is another reputable security site that seems to think quite poorly of Gibson.
A much easier thing to pull off - at least with bitcoin - would be a Thai Gem style con, selling "Software", a big encrypted file or something of the like, which the mark purchases a decryption key for, and of course, either the decryption key or the file itself is useless nonsense - A scam made much easier by the cash-like utility of bitcoin.
The Thai Gem has been done, I think.
When was the last time you heard about someone getting scammed out of their credit card details? Never? And when was the last time you heard about CC details being compromised in an attack on some service provider? Like, last week. If bitcoins became popular, the majority of theft would not be centered around scamming people but simply about stealing the coins. Using a botnet to attack the bitcoin network? As if! Just get all the bitcoins stored on all the machines in the botnet and you're done!
To put it bluntly: when your computer becomes your wallet, you better be damn sure you have a secure operating system.
I love how you're crazy defensive of the bitcoin network. Tell me, Timo, how many bitcoins in your wallet? How many Ponzi scheme space dollars does it take to make you so defensive? As Rym noted, pretty much constantly - in fact, a bloke got arrested at a place I used to work for doing just that. He was taking photos of people's credit cards "as a new policy for the store because of a big rise in credit card fraud" and then taking the photos and buying shit online with the cards. I didn't think you were foolish enough to give me the "recently" option instead of last week, since PSN having EXACTLY THAT happen was about three weeks ago. Yo, Bitcoin Crusader, you want a cape and a logo on your chest?
The point of using a botnet to attack the bitcoin network is to take advantage of a vulnerability built straight into the system, to do exactly what you're talking about - Stealing the coins. In the words of the guy who DESIGNED THE FUCKING SYSTEM, "If a greedy attacker is able to assemble more CPU power than all the honest nodes, he would have to choose between using it to defraud people by stealing back his payments, or using it to generate new coins."
Scamming people out of bitcoins is viable by design too, and far easier than even botnet attacks, which would be trivial - because of the apparent security of the system when one group doesn't own the majority of the computing power, the easiest way to steal someone's money is to have them just straight up GIVE it to you - and thanks to Bitcoin's supposedly anonymous nature, once those coins are in your wallet, too fucking bad for them. It's a P2P network that at this time nobody controls - so who are they gonna complain to? They can tell other people about it in the forums, sure, but anyone smart enough to pull a successful scam like that is smart enough to be able to have enough variations that it would take a long time before it was even difficult to achieve. I'm not willing to go out and actually do it - I do try to be a good person, after all - but were I to decide tomorrow to do so, I could trivially start living off cash gained by straight up running street cons. I would have to eventually graduate to larger or longer cons, or move about a little more, but it's far from impossible; in fact I'd wager such crimes are not uncommon.
I'm sorry if I rained on yours and WUB's heist brainstorming parade, but at least you got me good for using a bad analogy with those credit cards. However, if you think that I'm pro bitcoin then I can only assume that a) you didn't read what I wrote, or that b) you are incapable of understanding what I wrote. Please show me even one context where I said that bitcoin is a good idea.
See, if we have the conclusion "the sky is blue", and we both say it's the atmosphere that causes it, but one party says it's because of science, and the other party says the same thing but also says this is the case because God made it all that way because God invented science, I'm going to disagree with the latter, despite that on the topic of blue skies, they're both saying something at one point which makes perfect sense.
Also, you've forgotten where I got you good on saying that a botnet attack would be an "as if", when they could just mine with them/pull the stored coins from them instead (you directly said the latter, though the latter would also be an intrinsic part of the former, one would think), whereas the guy who invented the whole deal acknowledges its validity as a method of stealing coins - and in fact, with the built-in hard limit on the amount of bitcoins in circulation and the decline in produced coins by mining as the hard limit is approached - as it would if bitcoin became popular - if you're using a botnet, stealing coins by double-spending would be far easier and far more profitable than mining. Consider that bitcoin is highly unlikely to get enough active users to make overwhelming them with one of the large botnets difficult or impossible - it's been going since 2009, and has had decent enough media coverage on and off since then, and I'd bet its userbase total is still only in the tens of thousands (I'm thinking in the 20K range, at best - the only real graph I've seen seemed to indicate about 14-17K, but it was from January or February this year), which is really only medium sized for a botnet, as best I can tell. Assume I'm a giant purple people eater hopping down the street while whistling "I'm fucking Matt Damon" if it pleases you or makes you feel better. I couldn't give less of a fuck about what you assume in regards to me, and its ability to affect reality is minuscule at best, if you're feeling charitable towards its chances. I was absolutely taking the piss. If it makes you feel better, I am absolutely willing to colour it the most visually offensive green I can manage, and maybe in future start colour coding every time I take the piss with an equally visually offensive yellow.
Edit - All right, I'm being an arsehole, I need to stop that. I'm not deleting it - I feel that would be a wee bit cowardly, to delete it just because I've made myself look a right dickhead - but I do apologize for being a cock, now that I've had some sleep, nicotine and caffeine, and thus I'm wearing a slightly cooler head.
Cryptography is essentially easy, if you have half a brain, as demonstrated by the ability of Steve to explain things like Diffie-Hellman on an audio podcast. Security is an entirely different beast and crypto is just a small part of it. Indeed, often crypto has to be reassessed in the context of its various real world implementations in security, authentication, etc. To my knowledge Steve doesn't do security, so there is no possibility for you to trust him with security. As for true security experts laughing at him, that is about as professional and fruitful as laughing at someone who is an anime fanboy and totally into the NarutardBalllZ when you are sitting pretty on Miyazaki/GitS/Eva. Sigh, I have no doubt that just about anybody can get pwnd at a security conference and unless you are a very insecure person you wouldn't care. I'd love to see you produce evidence for your speculation as to Steve's reason for not going, though. Really? I can count at least three logical fallacies in that comment, not including the crypto==security flub.
His podcast does make for a pretty decent weekly security news roundup, but I pretty much always fast forward past the security news stuff when I listen to it.
Admittedly, I'm not digging hard to find out for sure, but that's a lazy five minutes looking.
Other than that, nobody worth speaking of, credibility wise - and I'd be taking with a grain of salt the opinions of a company who have a large section on their website dedicated to nothing more than bashing Gibson and his company, who just so happen to also be in direct competition with his company - especially on a list of out-of-context quotes, a large portion of which are from pseudonyms which could relate back to fucking ANYONE, and the people with any grounding in the field who are down on him in their out-of-context quotes are far outnumbered by people with equal footing who seem to give Steve quite positive reviews.
Another one is a direct quote from the author of nmap, Fyodor. This is the quote in its entirety, context preserved: