Save us both some time, and just send it to me...
So now giving someone who is unemployed a job
Right you are. Being on the SoftImage side, that chronology is fuzzier to me.
Still have an Indigo R4400 Elan here, under the desk...
You guys are miscommunicating.
You're assuming a MITM server, the GP you're replying to doesn't realize that you can use a server in the middle, an SSL proxy, and that is how you can sign any cert.
The person you're responding to thinks that having a root CA distributed still means you would have to hack Twitter's website with your cert in order for your users to trust it, when you and I both know that we don't need to hack Twitter, we just need a nice transparent SSL proxy to do it for us.
You are anal, but ANAL for sure and shouldn't be giving out such advice, you don't even understand the situation clearly.
It stopped being fraud when you agreed to the terms of joining the computer network, you know all that paperwork you filled out when you started school there or got a job? Yea, buried in that, you agreed to their rules if you're using their network. No fraud committed.
Ignorance on your part is not fraud on their part unless they intentionally deceived you.
Someone who just doesn't bother to read the contract wasn't deceived, they were just stupid, and that's not fraud.
Sounds like you really don't understand CAs either. You install the root CA's public key on computers so that keys signed with it are trusted implicitly. There are 2 typical examples of it. NTActiveDirectory which ALWAYS distribute their own built in root CA to all machines on the network. So if you've used a machine on an active directory network, you've used a machine in this sort of setup. It gets used by ALL SORTS of shit within windows to provide encryption via SSL/TLS without having to buy a cert for EVERY server you own. Hell, I had a contract for a 5 man company that had over 100 certs total due to their requirements (legal and outside their control)
Likewise, the second example for non-windows shops is to use your own self signed certs internally for your mail servers and such that don't need public keys, you distribute the root CA cert to everyone, so they don't get prompted every time about an invalid certificate.
Every network I've been on in the last 10 years has had their own CA.
I assure you that companies like Google, Facebook, Twitter, Microsoft and their relation ALL do the EXACT SAME THING. Well, okay, Microsoft doesn't because they put their root CA into IE by default (they cheat as part of being the author of the software
It's not a political problem no matter how hard you try to turn it into one.
And all that is well and good
Next time, read all the shit you sign and/or click next next next finish on.
1) They don't, but it's useful
2) It doesn't, why are you trying to make this a political problem?
3) They don't give unrestrained access, they filter, which is part of the reason they do SSL MITM on EVERY SSL CONNECTION.
4) Why do you keep trying to make this about politics, it isn't.
Staff browsing whatever they please has nothing to do with politics and everything to do with someone who's not doing their job and should be fired. Why is it that someone like you always has to come along and try to act like it's perfectly acceptable for you to do whatever the fuck you feel like doing on someone else's time and resources?
Use your own fucking network if you want to make a political statement.
Really? Then why is it a built in standard feature of Windows NT domains and ActiveDirectory that not a single person in Europe has ever mentioned turning off, nor can I find anything that indicates it's a common question as to HOW to turn it off. And since I'm looking at a K build of Windows right now
So I call bullshit on your silly little 'we get way more privacy protections than you' bullshit. You might think you get way more protections, doesn't make it actually true when it comes to testing those protections, does it?
Most popular small business server software in the world
And let's be realistic, your entire continent is pretty willy nilly about what it picks to have the moral high ground on, you know how Europeans think about Americans most of the time? Yea, that's how the rest of the world feels about Europeans when you guys get that retarded high and mighty 'well in Europe we do it better' shit going on. You do realize pretty much the entire rest of the world has kicked your ass at one time or another, right?
Get off your fucking high horse asshole. Most European countries wouldn't exist if everyone did things like Europe does. You'd all be speaking Japanese or Russian, if not German.
First, a school network is not a public network and it can run any policy it wants
Public has nothing to do with it. Public networks can run any policy they want as well, even public as in government funded ones since those are the only ones that are truly 'public networks'.
Second, regarding danger. The danger is exactly equivalent of the lowest security among the machine(s) that have a copy of the school root certificate (the private key part). If any of them gets compromised and the attacker gets a copy, he can do everything the school does, including interception and manipulation of traffic.
No, it isn't. You utterly fail to understand what's going on here or how SSL and PKI in general works.
The PCs have a copy of the school's PUBLIC CERTIFICATE AUTHORITY KEY installed on them, they DO NOT HAVE THE PRIVATE KEY, and there is no reason any PC should ever hold the root CA private key on a hard disk. I keep mine on USB drives physically disconnected from any computer unless I'm signing a batch of certs. You distribute (and this school did this) the PUBLIC portion of the key, so that when you send data signed with the private key, the public key can be used to verify it came from the holder of the private key. They aren't distributing their own private key, there is no reason why you would think that other than sheer ignorance on the subject, which means you shouldn't have commented at all.
If any PC with the CA cert gets compromised they can
The school is merely adding to the existing root certificate store on your PC, which contains the root certificates from companies like VeriSign and Thawte
Just for the record, you get a copy of this same key, that is being installed, that you think gives the person the ability to impersonate the school
EVERY WEBSITE IN THE WORLD DISTRIBUTES THESE KEYS AS PART OF EVERY SSL REQUEST. So even if you don't have the key, just visiting a website that is signed by the key will more than likely get you a copy of the key as it's part of the 'certificate chain'.
which OS/Web-browser is so insecure that it accepts a root certificate from the network like this?
All of them? Or none of them, depending on your perspective. You can't just install a root cert over the network. It requires machine admin approval, which is implicit if you've joined a NT domain, or requires you to go through a certificate wizard to add the new root cert to your list of root certs.
The organization is having people add the certificate to their trusted root certificate store manually. This is not automated from a website, though it happens automatically to every machine on an NT domain.
Adding the certificate to your root certificate store then allows your browser to trust these certs. The point is that what is happening here is that the organization is telling you to tell your browser to trust the organization's certificates completely. At which point your browser does what you've asked it to do.
The browser is functioning EXACTLY as it's supposed to, it's just being asked to trust these people when it doesn't by default, that's the point of the entire article.
I've never been in a large organization that didn't use their own root CA cert, and I've certainly made sure it was done everywhere I've worked.
Has nothing to do with pulling a MITM on you. You aren't worth the fucking time and effort, get over yourself, you aren't special, no one cares what you're doing.
It's more likely they just didn't want to spend several thousand dollars making certs for everything that needs an SSL cert because none of the registered root CAs will let you sign your own domain certs
Yep, we could have MITM any of those people.
Guess what, it would be easier and less suspicious to use a virus rather than a MITM. A MITM takes work, you have to set up the relay to be the actual MITM. Viruses to steal data are point click next a few times, select some options, click finish - with the current level of virus toolkits you can buy.
So, back to my original point.
Interesting, your take on SoftImage as related to the games world. XSI was after my folks were all driven away by the 3.x taper...
SoftImage was king. Alias Wavefront was a powerful contender, with different strengths and weaknesses.
Microsoft bought SoftImage, as a part of the effort to displace high-end Unix workstations with PC's running NT. It was all over, but the shouting. Alias transformed Wavefront into Maya in roughly this timeframe, while MS starved out "dot release" life support on SoftImage...
He also abhorred the violent creation of the Israeli nation, and was actively anti-Zionist.
Yet his work has been captured by the Hebrew University, and is used to glorify a nation whose creation he saw as tragic, and whose establishment he repudiated.