Slashdot Mirror

A long time ago, I proposed a solution, but no one listens to me. My take is that there are three problems: 1) copyright term is so long that the intended benefit to the commons is rendered moot 2) different types of work (such as software and books) and even different works within a single medium have radically different periods over which they reap the rewards for their creators 3) copyright holders aren't artists and artists are largely screwed over by the copyright holders.

Any plan that solves for those three problems will bring a world of benefit.

There are a ton of Google services. I think the ones that would
surprise most people are:

• Google Health
• Google Trends
• The Google Pack
• Aardvark

Then of course, there's their non-Web site features. For example,
they have a VC group called Google Ventures; a whole series of public
policy and government-related initiatives such as their work with enabling
public Q&A and CitizenTube, YouTube's public
policy blog about "developing trends in the use of YouTube by news
organizations, activists, politicians, and governments."

They're also a major developer of FOSS. Sometimes this takes the form
of giant systems like Android or Chromium, but just as often, it's
little things like their new Image format, WEBP (my
analysis of WEBP for screenshots, here).

Google does so much that they really do have to mercilessly kill
things like Wave and GOOG-411 when their either outlive their planned
purpose (like the latter) or don't achieve critical mass (like the
former). Otherwise they'd be buried under an avalanche of
half-finished products.

Most likely there's an error in the summary. It is more likely:

"An extra charge for Verizon to provide an Exchange server for you."

Yep. I have a Droid, and paying no extra fees, I sync to work mail and calendar via exchange.

There are things to like and dislike about the Droid, but this article is hopelessly inaccurate.

Rubbish.

This would eliminate most of the negative aspects of patents while preserving their key redeeming feature.

People shouldn't have to waste money patenting every trivial little
thing that they do in the course of their work.

I have no problem with this statement, other than "Rubbish" which carries no semantic value, here.

If 3 companies can "invent" the same thing, one of those companies should not be able
to interfere with the rest for merely filing a patent.

By that measure, The telephone would not have been patented, and I will take great exception to anyone who makes the claim that the patent system wasn't designed to protect such inventions.

Patents are meant to ENCOURAGE innovation, not STIFLE it.

Quite true. However, not allowing someone to patent a revolutionary idea, even if, in retrospect it seems obvious, isn't the solution to that.

This is not 1870 anymore. We don't have 17 years to wait for patents to expire.

In some cases I think this is a valid statement. In some it's absurd. The problem is that the patent system was designed to cover one specific kind of industry (manufacturing) and today covers quite a lot more (pharma to software to manufacturing to materials to business process to services and so on).

Each has its own measure of what obsolescence means. In the drug world, for example, there's no such thing as obsolescence in the traditional sense, just a tapering off in marketability. What's more, you can just trivially modify a compound and the only hardship in re-patenting is going through FDA approval for the "new" drug. This is fundamentally broken.

In the software world, 3-10 years is the obsolescence window, so a span of 17-20 years for a patent is absurd.

In materials, obsolescence can be as fast as software or literally impossible. I've proposed an approach to copyright reform previously that I think applies with some changes to patents as well. A sliding window of renewals could be applied to patents (e.g. requiring them to be renewed every 5 years).

Along with that, yes, I agree we need stricter standards on what is patentable, but to suggest that only a handful of patents should be given out per year seems impossibly harsh, and impossible to reconcile with the original intent of the system.

It's not Google that needs to be reigned in here, it's copyright.

Your right, and copyright reform isn't nearly as hard as one might think. The problem is pushing companies like Disney and Time/Warner (these companies because they are some of the largest lobbyists for copyright "protections" being increased) into accepting that copyright reform is actually good for their businesses.

If you want to follow the story behind wow, can I suggest WoWWIki? It's got just about everything about the WoW lore all in one place. Good places to start are outlined in a recent post on my blog about WoW lore and what to browse through on WoWwiki.

If what you want is positional weighting on commonly used sub-strings, just add that to your algorithm. No need for special cases. This is exactly how my random name generator works.

a variety of contextual, site, geographic and demographic targeting options to ensure the ads reach relevant users with precision and scale.

And all that's apparently missing is ensuring the surfer has Flash installed.

Personally I detest Flash ads and for this reason keep renaming the NPSWF32.dll file as NPSWF32.dllfsdfsd (while I don't have an instance of Firefox open

Of course, on real systems you use a decent hashing algorithm that can handle a much larger space.

If you're interested in generating random, but secure passwords, I recommend my mkpasswd program, which can securely generate random passwords, or generate very insecure passwords, and the entire spectrum in-between. It uses a regular-expression-like syntax for describing a possible password, and then generates random passwords that fit the pattern. For example, you can tell it that you want 10 completely random characters, or you can tell it that you want a nine-letter pseudo-word (something that's pronounceable as if it were English, but is not a valid word) followed by a random character. Obviously the second example is much less random than the first, and thus less secure against attacks. There are many, many knobs, as well as a large number of default patterns that can be randomly selected from if you're lazy (at the cost of some security, of course).

I have updated this information and put it on my wiki. See my World of Warcraft for Fedora Linux page if you have a Fedora Core 5 or later system that you are trying to get to work with World of Warcraft. Good luck!

That's not a bad system, but suffers from the problem that the passwords are all written down. In some environments this is fine, in some it's tragic. Granted, your scheme still has a secondary key, but given your primary key only (the cheat card), writing code to search every simple word as transformed by the matrix would be easy. Again, your system is better than most.

The real pain comes in when you need to generate passwords for people in advance and, for whatever reason, the "change it the first time you use it" suggestion isn't enforcable (e.g. they're using a system that can do so, but don't use that feature or the system is incapable of that feature).

When this happens, I use http://www.ajs.com/~ajs/mkpasswd. I also use it to generate my own passwords. You can use it to generate passwords that are impossible to crack other than by brute force (mkpasswd -r --strict, which is a random sequence, but filtered for dictionary words); a password that is a simple dictionary word (mkpasswd -p 'W8-12') and just about any level security/memorability trade-off in between. By default (mkpasswd -r -5 --max 12 --non-word) a set of pre-defined password patterns are consulted. After permutation of various parameters, there are about 270 patterns to choose from, each producing a fairly reasonable number of possible passwords, though some patterns are better than others. This is not the strength of the program, however.

The strength of the program lies in the fact that it is capable of parsing a pattern provided by the user which defines their desired password in whatever way they like. One such description might be "x3-5n2WJ4n1" which translates as: "a 3-5 letter pseudo-word (pronouncable random letters), a 2-digit number, a 4 character "join word" (two dictionary words that overlap, forming a 4 character result) and a single digit". If I were to hand out passwords to all of my users of this form, it would be a tragically weak scheme (the search space is very small), but if one of my users chooses this as the scheme for their current password, the result would be quite reasonable.

The program has some experimental features too, like the "--easy" flag which tells the program to find a password that alternates sides of the keyboard for each keystroke (QWERTY only). This currently only works for most of the pattern types, but as an example, it does a great job on mkpasswd -5 -p 'xT9-12' --easy

Oh, and since you bring up the Nike logo (which is the pathalogical best case for SVG), that comes to 741 bytes, uncompressed!

There's another space/bandwidth-saving feature of SVG that we haven't considered yet. Very often a Web site will need to show a graphic or stylized text at many resolutions. While you can serve the same image everywhere and set width/height in the HTML, that scaling is usually pretty ugly.

With SVG, you can do this much more reasonably, and it will always look ideal. Thus, you serve up one document everywhere, cutting your bandwidth costs even further!

> http://images.slashdot.org/title.gif

That's not a logo.

> http://images.slashdot.org/title.gif

That's not a logo.

Shame that my Firefox 1.06 fails to displau it.
[Looks for clues]
$ GET -UuSsed http://www.ajs.com/~ajs/slashdot.svg
GET http://www.ajs.com/~ajs/slashdot.svg
User-Agent: lwp-request/2.06

GET http://www.ajs.com/~ajs/slashdot.svg --> 200 OK
Connection: close
Date: Thu, 18 Aug 2005 06:53:03 GMT
Accept-Ranges: bytes
ETag: "76dc6-cb7-f7f7ed00"
Server: Apache/2.0.53 (Fedora)
Content-Length: 3255
Content-Type: text/xml
Last-Modified: Thu, 18 Aug 2005 03:40:04 GMT
Client-Date: Thu, 18 Aug 2005 06:53:57 GMT
Client-Peer: 24.61.76.204:80
Client-Response-Num: 1

Hmmm... bad Content-Type possibly?
This is where IE does what IMHO is a good job of double guessing the content type based on the file extension and "upgrades" the content type.

Sam

Shame that my Firefox 1.06 fails to displau it.
[Looks for clues]
$ GET -UuSsed http://www.ajs.com/~ajs/slashdot.svg
GET http://www.ajs.com/~ajs/slashdot.svg
User-Agent: lwp-request/2.06

GET http://www.ajs.com/~ajs/slashdot.svg --> 200 OK
Connection: close
Date: Thu, 18 Aug 2005 06:53:03 GMT
Accept-Ranges: bytes
ETag: "76dc6-cb7-f7f7ed00"
Server: Apache/2.0.53 (Fedora)
Content-Length: 3255
Content-Type: text/xml
Last-Modified: Thu, 18 Aug 2005 03:40:04 GMT
Client-Date: Thu, 18 Aug 2005 06:53:57 GMT
Client-Peer: 24.61.76.204:80
Client-Response-Num: 1

Hmmm... bad Content-Type possibly?
This is where IE does what IMHO is a good job of double guessing the content type based on the file extension and "upgrades" the content type.

Sam

Shame that my Firefox 1.06 fails to displau it.
[Looks for clues]
$ GET -UuSsed http://www.ajs.com/~ajs/slashdot.svg
GET http://www.ajs.com/~ajs/slashdot.svg
User-Agent: lwp-request/2.06

GET http://www.ajs.com/~ajs/slashdot.svg --> 200 OK
Connection: close
Date: Thu, 18 Aug 2005 06:53:03 GMT
Accept-Ranges: bytes
ETag: "76dc6-cb7-f7f7ed00"
Server: Apache/2.0.53 (Fedora)
Content-Length: 3255
Content-Type: text/xml
Last-Modified: Thu, 18 Aug 2005 03:40:04 GMT
Client-Date: Thu, 18 Aug 2005 06:53:57 GMT
Client-Peer: 24.61.76.204:80
Client-Response-Num: 1

Hmmm... bad Content-Type possibly?
This is where IE does what IMHO is a good job of double guessing the content type based on the file extension and "upgrades" the content type.

Sam

The logo at the top of your screen is here: http://images.slashdot.org/title.gif.

It is 3473 bytes. As an SVG, it would be something like this (really awful, off the cuff) example: http://www.ajs.com/~ajs/slashdot.svg which is 3255 bytes uncompressed and I'm sure that that's wasteful in several ways because I'm an SVG newbie. Given compressed HTTP bodies by default, the SVG would save Slashot quite a bit in bandwidth every month.

SVG is a lot smaller than you think....

Better, your browser could do the right thing and let you select that text, even though it's rendered as pretty graphics. Accessibility software could READ the text to you (HUGE WIN). etc.

mkpasswd -r -n 10 -5 -X 12 --non-word

mkpasswd -r -5 --max 10 -n 20

mkpasswd --man

I don't trust people looking like this.

For an account name, apg is fine. For passwords, I've created a far more flexible system which I distribute with documentation describing password generation from my site.

The key to good password generation is allowing the user to describe how it's to be done. This increases the ability to memorize passwords and makes it harder for an attacker to guess.

To that end, I have created a sort of reverse regular expression syntax where you describe the password to the program using general patterns. Try it out.

I have one password that I use for generic stuff I don't care about someone cracking.

Then I have my PIN for bank stuff.

Then there's my home, work and high-security passwords.

The last three I use a program that I wrote to generate. It's available from my home site, but I haven't really fully released it yet (this is just an alpha version). Eventually, I'll upload it to CPAN.

You can now download this program in a pre-alpha state. You will have to use your own word-list until I have a place to upload the wordlist without too much pain.

Here's the link to mkpasswd.

$apr1$csnj7...$nL1o7MtxR9x9kbbfuUOeW0

I'm not sure where that comes from, but I replaced my red hat under Red Hat early on (I like pictures of mushrooms, you see), and I didn't have to be root to do it. I can't remember what I did, but I think it involved creating a new "foot" menu and specifying the icon to use. Took 2 seconds and a mouse, no keyboard required.

I am FAR more worried that the person I ran into at the bar last night will go home, and use hotmail, and send poorly formed HTML-only email, or mail via a relay that happens to have been obnoxiously picked up by SORBS or NJABL, or maybe they just used too many lines of ALL CAPS...will erroneously get picked up by my spam filter

Ah and that's exactly why you need a system that analyzes mail from many different directions. SpamAssassin is one such example, but there are other efforts that make the effort to step outside of a limited box of knee-jerk testing and weight the probabilities in a controled way.

Over the time that I've used SA it has become far more powerful than I could have imagined a mail filter being, and while it's still not perfect, it IS the reason that being ajs@ajs.com is not the electronic equivalent of a death sentence.

"What I'd prefer is for the e-mail servers to generate a separate PGP or GPG key for each user for signing the e-mail and signing only those e-mail sent by an authenticated user on the machine."

I hate to say it, but why use crypto at this level? Crypto is available for several purposes in TLS, if you want it, what you really need is verification, which is NOT a crypto problem in this case.

I am in the very, very preliminary stages of thinking about an alternate protocol where you can contact a domain and say "did you send message X to entit(y/ies) Y from entit(y/ies) Z?". It's a short question with a simple answer. Even using something as lame as Message-IDs as the key in this scheme is acceptable, since it's just a unique cookie that you combine with envelope from / header from / header to in order to validate the message. For a spammer to fake it, they would have to send a message to joe@example.com with the same message ID and from address that was just used to send joe@example.com a legitimate message.

While this is possible (e.g. because you're on the same mailing list as the spammer), I have a solution for replays (a counter and the inclusion of envelope RCPT in the protocol, not used for validation, but used for counting purposes) that I'm going to be adding. Mail that uses replays of mailing list traffic will be marked as such (since it's either a forgery or just a duplicate, and either way filters should probably gun it).

The only big change needed to support this is a protocol to use for verification (of mail) and authentication (of remote clients which wish to "forge" mail legitimatly). Finding that service is the interesting part of mailack. The protocol uses the domain's A record addresses and MX server addresses as an entry point, and can then direct a querying system to a mailack server (probably your primary outgoing mail server), or just answer the question.

So your conversation might go like this, "hi 192.168.0.1, you're the A record address for example.com, can you verify this mail?", "nope, I'm just a dumb incoming mail server and have no clue", "hi 192.168.0.2, you're the primary MX record address for example.com, can you verify this mail?", "nope, but I can tell you that 192.168.0.3 and 192.168.0.4 are the real mailack servers for example.com", "hi 192.168.0.3, you're a designated mailack server for example.com, can you verify this mail?", "I can verify that that mail is forged. I never sent it. Burn it lest your innocent users become tainted by its lies!"

And you're all set. A database of mail sent needs to be kept, but it's fairly small, as it only requires 3 header fields per message, and can be expired after several days.

SPF/SRS have serious problems including the inability to hop through more that 1-2 relays before the from address becomes a problematic amount of data (multiple cryptographic hashes).

SPF is about overloading existing slots in RFC2822 and DNS in order to cram authentication data into the protocols. The link above cites an alternative that is about replacing the existing protocols with brand new ones.

Both are, IMHO, poor solutions and DomainKeys might just be the correctl long-term solution.

Personally, I was working on a proposal for a way to use existing headers by adding a slightly out-of-band channel for authenticating mail, but if DomainKeys beats me to it, sounds fine to me.

It looks like you took your image from the JPEG that NASA put up on the Web. Bad idea, of course. At first, I just wrote it off as an artifact, but it does exist in the original image (a 48MB TIFF file from the Mars gallery).

I have put up a crop of the original which you can feel free to stare at. Yes, it does appear to be some sort of round object with two large protrusions. It could easily be a rock of volcanic origin, but my bet is on its being some piece of the lander itself.

Yeah, I should help out. Problem is I have a full time job and two major hobbies... sigh.

interesting site, but this doesn't look like a mushroom, and worst of all, it looks PAINFUL.

He uses a classification of 256 particular 2D autometa for a lot of the examples in the book that's kind of interesting. I took the time to write some code for it to explore the various permutations. It's CGI-based and it generates a png or jpeg image, so just throw it in your cgi-bin and check it out. The comments list the various options you can send it.

PGP only goes so far. If you only use encryption for sensitive material, you flag it as such.

To solve for this, I'm writing a specification for transparent encryption of email using standard MUAs. Please feel free to check out the PPS homepage, which will be moving to SourceForge sometime RSN (basically, I'm just waiting to get over the learning curve at my new company). The nice things about PSS are that it does not require that a user know their email is being encrypted and that it does not require a specific encryption back-end (it's design assumes something PGP-like, but you could easily adapt any public-key system).

Let me know what you think, and send me email if you have any questions at all. Thanks!

If he sent encrypted email, it would look like he had something to hide.

This is because we do not encrypt all email, and GWB should be concerned about this. This is why he should be using PPS.

Of course, until I and any volunteers write implementations of the spec, that'll be a little hard ;-)

This seems like a horribly contrived lead-in, but I can't resist. I've been planning the announcement of the Passive Privacy System proposed specification for a week or so, but we seem to have a window.

PPS is a propposed way of getting everyone to exchange public keys and passivlely encrypt email without a) burdoning the average user with the details of cryptography or b) providing enough impact on the average non-PPS user to matter.

It requires a great deal of work, both on the spec side and the coding side to come up with plugins for MUAs. But, in the end I think that the world will benefit from the resulting increase in passive key exchange and encryption.

Please, feel free to send mail about PPS to me.

Thanks.

• Da Gub'mint decides that <insert sub-culture group here> are evil and we must have a "war on <insert subculture group here>". I belong to a few subcultures, so this worries me (when they come for the people who write crypto in Perl, I'll be the first against the wall).
• I really don't want my application for a home loan getting turned down because I happen to be a Linux user, and they default on loans .0002 percent more often than the baseline.
• I worry about just how much of my life will be on that piece of paper the guy across the table is holding in a job interview.

Raging seems to be heavily influenced by Google. I wonder if there was a deal between the two that fell through, or if AltaVista simply wanted some of the "all we want is a search engine" market....

Either way, google is just want I need, and all I have on my home page.

An only slightly off-topic rant:

I have a PDA (a Handspring Visor) and use AvantGo to view Web pages on my way to work after syncing up first thing in the morning. My commute is 1+1/2 hours on public transportation, so I have plenty of time to read.

Ideally I would like to read Slashdot, but all of the AvantGo-channel-ready Slashdot hacks out there only show the articles, not the talkback. I tried setting up my own page through some CGI that parsed the rdf, and created links to the Slashdot-FAQ-suggested version of the pages, but even with threshold=4, plain=1 and boxes=0, the HTML is way to long in many cases, and it's certainly too ugly on the PDA screen.

Well, I'm a coder, I got around it, but I don't like the fact that I had to parse the feedback page in order to do it. Slashdot should have support for such browsing. I would even happily download the banner-ad, if it meant getting a VERY simple HTML version of the page.

If you want my solution, grab sd and sdforum. Put them in your cgi-bin directory and rename them so that they have a .cgi extension (sd finds sdforum only if it's in the same directory and called sdforum.cgi). You will need Perl, and you will need the CPAN modules libwww-perl and XML::RSS. Now open your Web-browser and visit sd.cgi. You should see a bullet-list of articles. You can then click on any one to see a VERY cut-down version of the feedback page. If that works, you're on to the next step.

If you use AvantGo, they give you a nifty little javascript-button that will set the current page in your list. Use that on sd and you're done. If you use Pendragon Browser, use their user interface to add the URL to sd. For other off-line browsing applications your milage may vary.

Please, even if you manage to find where I keep sd on my system, don't use it from there. I don't have great bandwidth, and I don't want to be in the business of being a Slashdot-for-PDA mirror (I'm not even sure of the legalities). If I have to move it to stop people from using it, I will.

An only slightly off-topic rant:

I have a PDA (a Handspring Visor) and use AvantGo to view Web pages on my way to work after syncing up first thing in the morning. My commute is 1+1/2 hours on public transportation, so I have plenty of time to read.

Ideally I would like to read Slashdot, but all of the AvantGo-channel-ready Slashdot hacks out there only show the articles, not the talkback. I tried setting up my own page through some CGI that parsed the rdf, and created links to the Slashdot-FAQ-suggested version of the pages, but even with threshold=4, plain=1 and boxes=0, the HTML is way to long in many cases, and it's certainly too ugly on the PDA screen.

Well, I'm a coder, I got around it, but I don't like the fact that I had to parse the feedback page in order to do it. Slashdot should have support for such browsing. I would even happily download the banner-ad, if it meant getting a VERY simple HTML version of the page.

If you want my solution, grab sd and sdforum. Put them in your cgi-bin directory and rename them so that they have a .cgi extension (sd finds sdforum only if it's in the same directory and called sdforum.cgi). You will need Perl, and you will need the CPAN modules libwww-perl and XML::RSS. Now open your Web-browser and visit sd.cgi. You should see a bullet-list of articles. You can then click on any one to see a VERY cut-down version of the feedback page. If that works, you're on to the next step.

If you use AvantGo, they give you a nifty little javascript-button that will set the current page in your list. Use that on sd and you're done. If you use Pendragon Browser, use their user interface to add the URL to sd. For other off-line browsing applications your milage may vary.

Please, even if you manage to find where I keep sd on my system, don't use it from there. I don't have great bandwidth, and I don't want to be in the business of being a Slashdot-for-PDA mirror (I'm not even sure of the legalities). If I have to move it to stop people from using it, I will.

Hackers tend to use two categories of drugs: stimulants and what I call relaxers. Stimulants are obvious: caffeine, crystal meth, dexadrine, etc. Fairly obvious why - their use tends be be tied usually to their favorite activity (hacking).

The relaxers - alcohol, pot, maybe some low-level psycho-tromatics like 'shrooms - tend to be used exactly for that reason: as a break/vacation from hacking, or as a social thing to do with friends over for the evening.

1. They specifically chose a RAID controler that comes with Linux drivers bearing the warning "Not tested for performance". They would almost certainly been better off tossing the fancy RAID hardware and doing software RAID over the standard SCSI hardware. It's kind of hard to claim that such "tuning" info is hard to find, when it's the disclaimer on the specialized driver that you have to install by hand....
   
   
2. Also, as has been pointed out elsewhere, the Apache settings were exactly wrong for an SMP box (where Linux 2.1.x and 2.2.x have been working quite well for a couple of years, thank you very much).
   
   
3. Also, they chose to use a hardware platform, which while very... impressively pricetagged, has much less bang for the buck than, say, an Ultra SPARC or Alpha. But then, they'd be comparing NT on a PC to a real server, and that wasn't the point was it...
   
   
4. Also, I would have re-compiled everything but the kernel with "egcs -mpentium -O3 -s", or perhaps looked into pentiumgcc, which is supposed to be even better than basic egcs, which in turn is much more pentium-tuned than gcc.
   
   
5. All things considered, they did right by their client, which was almost certainly exactly what was paid for.