bell-labs.com · Domains · Slashdot Mirror

Re:Show me the money by Eli+Gottlieb · 2007-12-30 10:38 · Score: 1 · on Long Live Closed-Source Software?

http://cm.bell-labs.com/plan9/

See? There have been innovations.

Secure communications prerequisite for business by SgtChaireBourne · 2007-12-18 04:21 · Score: 1 · on More Details Emerge On Domestic Spying Programs

Secure communications are not just a Constitutionally protected right, they are a prerequisite for business.

Your observation is underappreciated in too many circles. Though the EC also recognizes the need and called upon member states to get their act together, very little has actually happened on either side of the pond despite widely available, easy to use encryption technologies.

(Links and bold are added for emphasis)

on the existence of a global system for the interception of private and commercial communications (ECHELON interception system) (2001/2098(INI))
29. Urges the Commission and Member States to devise appropriate measures to promote, develop and manufacture European encryption technology and software and above all to support projects aimed at developing user-friendly open-source encryption software;
. 30. Calls on the Commission and Member States to promote software projects whose source text is made public (open-source software), as this is the only way of guaranteeing that no backdoors are built into programmes;
. 31. Calls on the Commission to lay down a standard for the level of security of e-mail software packages, placing those packages whose source code has not been made public in the "least reliable" category;
. 32. Calls on the European institutions and the public administrations of the Member States systematically to encrypt e-mails, so that ultimately encryption becomes the norm;

Further, what's kind of funny is that though businesses make all kinds of noise and bluster about security, many go ahead and put business plans and meeting minutes on servers which (not counting holes and back doors) explicitly sign over access to their competitor(s). However, see if M$ makes it easy for businesses to see what their so-called tech support is agreeing to.

Re:Given the known problems of Dual_EC_DRBG by jc42 · 2007-12-18 03:54 · Score: 1 · on New Vista Random Numbers to Include NSA Backdoor?

They have no way of knowing that the source the can review actually matches any binaries provided via Windows Update.

This is one of the standard points in any meaningful security guidelines.

Brief summary: You don't run any binaries from anyone else. If you don't have the source, you don't run the software. You have people that can study and analyze the source. And you compile it all yourself. With a compiler from a different vendor.

Then there's Ken Thompson's famous (in some circles) Reflections on Trusting Trust article, which is required reading for anyone with serious security interests. It gives you some ideas about how to deal with the compiler itself. Actually, it mainly gives you some good questions, which you might want to try answering, just for the experience of dealing with an infinite regress of trust.

Most of Microsoft's customers will simply use the binary code. In an organization that does this, there's no point whatsoever in discussing the possibility of a backdoor. The management has already demonstrated that they don't care, because their security is only for show.

(Note that this isn't Microsoft bashing. The same applies to any system, including one that's open source. If you run a binary from an outside source, you have no idea what's in it, and you have to meaningful security. People have on several occasions managed to sneak backdoors into releases of linux and other open-source systems. Granted, they might have been caught quickly and fixed, but this tells you nothing about that binary that you're downloading right now.)

Re:Remember AT&T Unix by John+Sokol · 2007-12-10 07:18 · Score: 1 · on Copy That Floppy, Lose Your Computer

http://www.krsaborio.net/research/1990s/92/920311.htm

We have been billed more than US$40,000 just for the legal services we
have used to ensure that our code will is technically and legally free
from AT&T/USL trade secrets. Rob Kolstad

BTW: in that same page search for "Sokol"

Get the History Straight, Heck I was there.
We were all labeled as Hackers, not just the stylistic fools that flaunted it.

>> by the 1990's The BSD's from Berkley were in full swing by then.

Not without a great fight, we all look a large risk and many paid a heavy price.

http://en.wikipedia.org/wiki/USL_v._BSDi
http://findarticles.com/p/articles/mi_m0SMG/is_n14_v12/ai_12737915
http://cm.bell-labs.com/cm/cs/who/dmr/bsdi/930303.ruling.txt

http://www.atrust.com/articles/berkeley

Recent publicity for Linux as an open source operating system has tended to obscure the fact that AT&T was a major contributor to the success of Linux by virtue of its legal actions against BSD. This artificial weakening of the major competitor was an important prerequisite of early Linux success.

Re:Unlikely by Anonymous Coward · 2007-12-02 05:38 · Score: 0 · on Is Comcast Heading the Way of the Dinosaur?

DOCSIS 3.0 is just an interim solution that allows copper networks to survive a little bit longer. Fiber is currently estimated to have a maximum bandwidth ceiling of 150Tbps http://cm.bell-labs.com/who/nuzman/papers/nuz_wid_infocom06.pdf the true potential of fiber optics has yet to be realized. Cable companies are investing in better compression algorithms and modulation methods to better utilize their existing network and do not want to foot the bill to build an FTTP network although they could. Most FTTP systems like FIOS are running on BPON (622Mbps down 155Mbps up / 32 customers between the customer and the central office) and they are currently testing GPON networks which provide (2.488Gbps down to customer and 1.244Gbps from customer to internet / 32 customers ( CO to home))the fiber itself does not have to be changed out only the connecting equipment in the central office and at the customer's home. These estimates are based off of technology available today. Think about the future and what will be available then. Remember that compression is used only to reduce the bandwidth required to something that naturally has large bandwidth requirements. Less Compression = Higher quality. Why do you think cable technologies like HDMI have no compression? With the popularity of internet vidoes, web applications and the like increasing what technology do you believe is more prepared for the future?

You Trust Who? by not_hylas(+) · 2007-11-15 16:52 · Score: 1 · on New NSA-Approved Encryption Standard May Contain Backdoor

Countering "Trusting Trust":

"It's interesting: the "trusting trust" attack has actually gotten easier over time, because compilers have gotten increasingly complex, giving attackers more places to hide their attacks."
January 23, 2006

http://www.schneier.com/blog/archives/2006/01/countering_trus.html

Ref.

Reflections on Trusting Trust:

http://cm.bell-labs.com/who/ken/trust.html

Truly, ALL your base is belonging, not just a little.
[firmware]

Re:Ummm, parent is right. by EveLibertine · 2007-11-15 08:58 · Score: 1 · on New NSA-Approved Encryption Standard May Contain Backdoor

Well, no I haven't. At first I thought you were talking about Robert Morris the Financier, and I thought, "What the hell does he have to do with cryptography? Did he encrypt some secret data into the Declaration of Independence or something?"

Your Robert Morris, I must admit, is a little more exciting.

Re:Will the OSS & CSS Community Borrow More Fr by Organic+User · 2007-11-13 11:13 · Score: 1 · on MIT Releases the Source of MULTICS, Father of UNIX

If they want some usefull stuff they might as well get them from Plan 9. The "successor of Unix." It has been open source since 2000 AFAIK.

Re:Right idea, wrong request by Hatta · 2007-11-13 10:00 · Score: 1 · on All Fifty States May Face Voting Machine Lawsuit

Individual voters can log into a website and ensure that their vote was recorded correctly (and yes, this is done in such a way that nobody can prove to another party which way they voted).

If I can log into a website after the fact and display who I voted for, my boss can stand over my shoulder while I do so to make sure I voted the way he wants me to. Your voting DRM is just as vulnerable to the analog hole as music or videos.

Anyone can get a list of the people who actually voted, so they can check that nobody voted twice and that every voter was valid.

And you can't do that with paper? Why?

Each of the candidates can independently and programatically verify that the tallying was done correctly (again, without exposing any one specific ballot).

This would be a nice feature, granted. But I'm skeptical that this would provide more than a false sense of security. Would the system be secure against attacks such as this?

Re:Software freedom is the cure. by Anonymous Coward · 2007-11-09 06:49 · Score: 0 · on AntiPiracy Macrovision Bug is Actually Six Years Old

How can an operating system be considered "secure" if it has proprietary software installed? It can't. Proprietary software security is unverifiable by anyone you can trust and therefore unworthy of being considered secure. [...] The cure is simple: install nothing but free software on your computer. Give yourself the freedom to inspect, change, and share the software, hire someone else to do it for you, or leverage the talent of a community of hackers improving free software all the time. This is not about making everyone a programmer, it's about giving people the freedom to control their computers while building a society of cooperation and social solidarity. Proprietary software denies you your software freedom, so deny proprietary software a place on your computer.

Wrong. See Reflections on Trusting Trust. Most people just download the binaries of FOSS, because compiling yourself is pretty inconvenient. How do you know that the binary was produced from that source? Even if you download the source and compile it yourself, how do you know there wasn't a backdoor hidden in your compiler? Let's say you wrote your own compiler. Well, you either had to compile that compiler you wrote (in which case you're exactly in the same situation as before), or you had to run the your code through an interpreter, which may be a software VM style interpreter, or at the very least, if you wrote the code in machine code, had to be interpreted by the CPU. How do you know there isn't a backdoor hidden in the interpreter? You'd have to either write your own interpreter in software (which either has to be compiled or interpreted, which brings you back to the same problem), or you'd have to build your own hardware-interpreters (aka your own CPUs) from components.

In other words, you're trading security for convenience. Maybe there exists some people who care enough about security that they'd build their own CPUs from scratch. Most people don't have the skills or are too lazy. Maybe of those people, some care enough about security to write their own interpreter/compiler software. But most of them are too lazy or don't have the skills. Of that latter subset, maybe some of them care enough about security that they'll actually read the source code. But most of that subset is too lazy or don't have the skills. Of this even smaller subset, maybe some of them care enough about security that they'll have a policy of only using FOSS, and depend on the community to verify the source code for them. Others will be too inconvenienced to do even that. Of those, maybe some will be willing to use a mix of open and proprietary software, balancing convenience versus security. And yet again, there exist people too lazy to do that, and who just use whatever software came with their computer.

Re:No, it's not trademarked by CptnHarlock · 2007-11-03 22:59 · Score: 1 · on Is a Domain Name an Automatic Trademark?

And since they're not in the same "trade" the submiter should be in the clear. See also Unix firextinguisher and more.

Cheers...

Re:Professional troll by npsimons · 2007-10-26 02:43 · Score: 1 · on Forbes' Dan Lyons Hates Groklaw, Wants to Be BFF with Linux

The really significant part of the story, is that in order for a tech journalist to remain publicly relevant, they have to at least appear to know, understand and 'like' Linux.

Consider the enormous change that has been achieved in terms of acceptability and mind share. Linux is now recognized as being the future universal operating system, to not recognize and acknowledge that, leaves a tech journalist marginalized and redundant in the tech communities public eye.

So regardless of whether or not he is sincere, he is at least accepting and acknowledging the truth of Linux as THE operating system of the twenty first century ;).

In some ways, this is disappointing. Don't get me wrong: I love Linux (see my sig). I use it for everything. But I don't think it's right for everyone. I don't think anyone should be forced to use it, and I don't think you should have to know, understand or like Linux to be a tech journalist. If people like Linux for anything, it should be on it's own merits, not what market share it has, or because it's required for the job.

Should you know Linux if you are writing about it or something related to it? That goes without saying. But if you are, say, developing an operating system orthogonal to Linux you shouldn't have to be an expert in Linux. Or if you are writing for Mac world, you probably don't need to know what Linux is.

I hope Linux never turns into the next Windows, and not just in the sense that the UI is similar. I don't ever want to hear the phrase "nobody was ever fired for going with Linux". As a matter of fact, I don't ever want to hear any variation of "nobody was ever fired for buying IBM"; I want to hear that phrase replaced with a sincere "we evaluated all our options and chose Linux for it's superior stability, security, technology and low TCO".

Re:Line of sight only by Thundersnatch · 2007-10-23 03:31 · Score: 1 · on Wireless Video Transfers 100X Faster Than WiFi

This is a rather ignorant and VERY Microsoft-centric world-view... Use any other operating system, and you can start playing the video while it's being transferred.

Huh? Windows Media player starts playing most media file types as they download. It's been like that for years, at least as far back as I can remember Windows Media Player existing (Win 98?). I just verified it with an mpeg demo file at this link.

Plan9 by mrbill1234 · 2007-10-22 09:14 · Score: 1 · on VMware, Cisco Plan Data Center OS

This sounds strangely like Plan9

http://plan9.bell-labs.com/plan9/

Re:And replace it with what? by DrSkwid · 2007-10-07 10:13 · Score: 1 · on Logfiles Made Interesting with glTail

Those mechanisms are for RPC, you can choose whatever method you like when your whole IP stack is SSL encrypted, like mine.

I'm constantly surprised at what people will plod along with!

Re:Common knowledge...firefox? by DrSkwid · 2007-10-05 10:46 · Score: 1 · on Chinese Security Site Under New Kind of Attack

even Linux ! say it aint so.

Eventually your malware will overwrite your snapshots or the binary that restores them.

That said, the OS I use has daily snapshots (or as often as you like) to a central server (thus enabling coalescing of data blocks i.e. repeated blocks of data are stored only once). The choice of which snapshot to use is per process, so, for instance, you can compile yesterday's code in one window and last weeks in another and see what changed. Or boot any terminal into last month's state of any other etc. etc.

Re:He'd be safer with HDMI by Chris+Shannon · 2007-10-04 05:29 · Score: 1 · on James Randi Posts $1M Award On Speaker Cables

Claude Shannon explains everything you've ever wanted to know about digital communication in A Mathematical Theory of Communication.

"If the channel is noisy it is not in general possible to reconstruct the original message or the transmitted signal with certainty by any operation on the received signal E. There are, however, ways of transmitting the information which are optimal in combating noise.... It is possible to send information at the rate C (the channel's capacity) through the channel with as small a frequency of errors or equivocation as desired by proper encoding."

For audio, the channel capacity of cheap cables are many orders of magnitude greater than the information rate of an audio signal. That allows for a great deal of redundancy and a negligible (but not necessarily zero) error rate.

Re:why I like open arch/code by dancin_mitch · 2007-10-02 14:25 · Score: 1 · on VM-Based Rootkits Proved Easily Detectable

yo i just read this,
http://cm.bell-labs.com/who/ken/trust.html

the best bit.
"In college, before video games, we would amuse ourselves by posing programming exercises."

i think he is one to something here...

Re:why I like open arch/code by evanbd · 2007-10-01 22:04 · Score: 3, Interesting · on VM-Based Rootkits Proved Easily Detectable

Of course, this basic problem was described quite eloquently by Ken Thompson. He went after the compiler, but the problem of proving that the binary you have matches the source you have is a tricky one no matter what.

There actually are some very clever solutions to try to catch cheating compilers like this, but none of them are trivial. It's a cat and mouse game, and there are actually proofs that winning either side completely is impossible.

Re:Don't mess with the 80% profit margin or else! by CortoMaltese · 2007-09-20 03:41 · Score: 1 · on Don't Take Notes In the Bookstore

What I found funny was that some Chinese students were smuggling international editions in and selling them for $10-20 after they were done with them. I bought my copy of The C Programming Language from a Chinese girl years ago. She had a whole bag of them, all new ones. I was suspicious at first, but since then I've learned to regard it as a treasure, both the content and the size, which is smaller than the original. Check out the nice cover of the Chinese edition.

No Microsoft compiler should ever be used by SpaceLifeForm · 2007-09-17 16:52 · Score: 1 · on GCC Compiler Finally Supplanted by PCC?

Reflections on Trusting Trust
Ken Thompson

Link