Slashdot Mirror

http://www-building.arct.cam.ac.uk/westc/cl/cl.htm l

The new CompSci building is partly funded by Microsoft, who are also putting an MS Research building on the site.

I'll hopefully be studying there soon, and _AFAIK_ it won't make any difference who it was funded by, though it does make me shudder slightly to think I'll be studying in the "William H Gates building".

As a science steganography is vary old. One of the first book on the subject steganographica was written by Gaspari Schotti in 1665. It has however been a subject of limited public interest until vary recently. This is not to say that various steganographic techniques haven't been used ovar the years. On the contrary, many intelligence agencies have uses steganographic techniques to smuggle secrets our of various countries throughout the cold war and before. One of the best known ancient uses of Steganography was in the book Hypnerotomachia Poliphili published in 1499. The point is, it's been around for a vary long time, there just hasn't been any public interest.

--CTH

has anyone tried to use steganography in mp3 files? it could be distribuited in peer-to-peer softwares and even less noticiable.

some resources:
http://www.cl.cam.ac.uk/~fapp2/steganography/stego _soft.html

- herman fuchs (fux@theend.com.br)

You're a fucking knob:

link

link

link

link

link

Sure the official name is "The X Window System" but many people refer to it as X-Windows. After all, you knew what I was talking about, didn't you?

Ass.....

Fear is for lesser scientists. Next week we're bussing the kids to a local bridge and having them jump in synch.

Quoting http://www.mastercard.com/education/shoppingtips/:

Pay the safest way

Credit cards are generally the best way to pay because you have legal rights to dispute the charges if the product or service is misrepresented or never delivered.

Will payment by credit card still be the safest way if there is a computer on the card? After all, computers don't err, and if the technology makes it harder to use the card unauthorized, it may also become harder to dispute transactions, just because the technology is believed to be secure.

Recommended reading:

• Liability and Computer Security - Nine Principles
• Why Cryptosystems Fail

both by Ross Anderson.

The traditional credit card system may be smarter than the smart card, because it accepts the possibility of failure and distributes the risk over all customers of the card issuer.

Quoting http://www.mastercard.com/education/shoppingtips/:

Pay the safest way

Credit cards are generally the best way to pay because you have legal rights to dispute the charges if the product or service is misrepresented or never delivered.

Will payment by credit card still be the safest way if there is a computer on the card? After all, computers don't err, and if the technology makes it harder to use the card unauthorized, it may also become harder to dispute transactions, just because the technology is believed to be secure.

Recommended reading:

• Liability and Computer Security - Nine Principles
• Why Cryptosystems Fail

both by Ross Anderson.

The traditional credit card system may be smarter than the smart card, because it accepts the possibility of failure and distributes the risk over all customers of the card issuer.

Quoting http://www.mastercard.com/education/shoppingtips/:

Pay the safest way

Credit cards are generally the best way to pay because you have legal rights to dispute the charges if the product or service is misrepresented or never delivered.

Will payment by credit card still be the safest way if there is a computer on the card? After all, computers don't err, and if the technology makes it harder to use the card unauthorized, it may also become harder to dispute transactions, just because the technology is believed to be secure.

Recommended reading:

• Liability and Computer Security - Nine Principles
• Why Cryptosystems Fail

both by Ross Anderson.

The traditional credit card system may be smarter than the smart card, because it accepts the possibility of failure and distributes the risk over all customers of the card issuer.

The most effective way to detect steganographic changes is have the original unmodified picture and comparing it bit by bit to the modified one. So if you use this form of encryption modify vacation photos and not well known pictures like the Mona Lisa.

Here is a cool page about using steganography in mp3 files, source and everything.

It always seemed to us that you need a two-stream system - either sign up for an appointment and have your hand held with the appropriate delay, or just get your hub port reset and be given all the relevant addresses. The IT chap could spend an hour at the start of each day dealing with "fast track" applications, who'd then have to wait until the rush had subsided before they got any more attention if they actually didn't know what they were doing...

I guess they'll need updating now...

It's at http://www.cl.cam.ac.uk/coffee/coffee.html.

A 43 to 50 percent error rate seems to me to be an astonishly poor showing.

Perhaps the %34 efficiency is for only a narrow band of the solar spectrum.

That seems to be it. According to the abstract "these films show photovoltaic response with external quantum efficiencies of >34% near 490 nm." 490 nm is right between blue and green in the visible spectrum.

The first book written on cryptology in English, by John Wilkins in 1641, remarked that `If all those useful Inventions that are liable to abuse, should therefore be concealed, there is not any Art or Science which might be lawfully profest'.

Not quite, although you could be forgiven for believing this. UCS-2 is just a truncated UCS-4, which represents exactly 65536 characters (less a little over 2048 now) and was orginally the same as Unicode. UTF-16 is an encoding which extends the range of possible characters to around 1million, and Unicode has been redefined to be the same as UTF-16. Current versions of Windows use UTF-16, not UCS-2

A good reference for this is theUTF-8 and Unicode FAQ for Unix/Linux

The article's claim that Unicode can only map 65536 characters is fundamentally flawed, since its new definition as being the same as UTF-16 means it can probably map every character ever used, and in fact includes fictional scripts (including Tolkein, and more importantly, Klingon, although I'm not sure of the standardisation status of the latter at this time).

In the biginning there was ASCII. It's a 7 bit code which means you only have room for the common 127 english characters. This didn't do any good for forigners so they made up language specific code pages like Cp437 or the MS Windows Latin-1 encoding Cp1252 that just redefined what codes corresponded to what characters. This was a little ugly because you could not easily use characters from different languages together. So then someone come up with ISO-8859 which was backwards compatible with ASCII, meaning all the lower codes were ASCII. So this was a step in the right direction but the extra 127 characters gained from that extra bit didn't give you much; you still needed language specific versions like ISO-8859-1 is Latin-1 for the US codes, ISO-8859-2 is for Europe, etc. You see, the barrier here is the dependance on fitting character data into an 8 bit byte. Anything more and you really screw up existing kernels, libraries, and programs that depend on a character bing one byte like terminal drivers, strlen, and your ini file parser ...etc. Finally, both ISO and the Unicode consortium, at first independantly, decided to come up with a universal character set. Both standards resulted in what amounts to a set of tables that defined exactly the same codes for all the characters in every language. At first I think they thought they could get away with a 2 byte code. This was called UCS-2, which is the route Microsoft is going and I belive Java as well. Now this expanded the number of possible charaters considerably, however this still didn't solve the existing dependancy on 8 bit character strings. For that they came up with UTF-8. The clever trick here is that they cannobalize the last bit to indicate that another byte gets tacked on. That gives you two bytes to play with. If the first three bits are on in the first byte then there are three bytes to store your large UCS code corresponding to some exotic character. But this still wasn't enough. The characters started push the envelope of two bytes and so they upgraded to UCS-4 which now has 4 bytes and will hold all the characters of every language including the languages of yet-to-be-discovered alien civilizations. But now you have sofware, like from MS, that favors the somewhat more effiecient and practical two byte UCS-2 codeset so you need to extend the UTF-8 concept to give you UTF-16. Well, that's about where we stand and there's a lot I left out.

Interesting?

Read this: http://www.cl.cam.ac.uk/~mgk25/unicode.html

The current permutation of Unicode gives a theoretical maximum of approximately 65,000 characters (actually limited to 49,194 by the standard).

quote: All possible 2^31 UCS codes can be encoded.

http://ban.joh.cam.ac.uk/~adm36/StegFS/
you basically set multiple pwds. each pwd unlocks more directories in the filesystem. essentially allows you to plausably deny the existence of certian files. very cool...

--
(Just adding some visibility to this most interesting post. Please mod up the parent.)

In particular, on page 5 of lecture 11, Maxwell's equations (which describe all of electromagnetism - pretty much the entire basis of modern technology and which were the starting point for Einstein's discovery of relativity) in one simple equation: (triangle)F = J.

There's no mention of this on the official cDc website, so we're still short of technical information. How does this compare to alternatives like Freenet and Mojo Nation, which are designed to avoid the mistakes of Gnutella and Napster? And how much closer does it bring us to the first P2P service proposed, Ross Anderson's Eternity Service, which basically describes all the ideal qualities a P2P could have? I'm looking forward to reading what the CDC themselves have to say about it - it's a shame we hear it from the BBC before we hear it from them...
--

I'm sure there are going to be a lot posts saying things like, "What's the point of this? Why are you bothering? Who needs another programming language? Everything you are doing has already been done better, and it was all useless anyway." I got a lot of that crap when Eidola was Slashdotted recently.

Keep an open mind. If you're not the sort of person who can enjoy new ideas that are cool but may turn out to be useless, just go read another thread.

There's an interesting study about the much-abused field of visual programming languages. The researchers polled programmers who worked with visual and non-visual languages to see which they liked best, and which was most effective. Their main result? Programmers' opinions of a language correlated strongly with how long they'd been using it. In other word, programmers have an overwhelmingly strong bias for the familiar; they are so strongly biased towards what they are used to that they can't really make objective judgements about unfamiliar ideas. Not surprising, but easy to forget!

This bias is a tremendous barrier to new technology. If everyone with an interesting but questionable idea gets shouted down, a lot of useful ideas are lost. Think of the brave souls who installed Linux before it was really usable while everyone was saying "OSes have been done before. Why are you bothering?"...and thank them now.

Then give Mozart and LX a fair hearing. There are some good ideas there; let's help them mature.

Why did Kerchkhoff made such a radical statement? Because over the last, oh roughly 500 years, history has told the sad tale of bold cryptographers who sold their systems as unbreakable, and grossly underestimated the inventiveness of their enemies.

Ciphers (encryption algorithms) need to be designed to withstand the most cunning of oppositions. Who's main method is thinking "out of the box" to come up with diffierental cryptanalysis, timing attacks -- timing how long an encryption takes, differential power analysis -- measuring the power consumption, impossible cryptanalysis -- figuring which differentials aren't possible).

Bruce Schneier at Counterpane Labs and Ross Anderson at Security Group at Cambridge University have several essays about how security systems fail because the enemy "breaks the rules". (Why Cryptosystems Fail, Why Cryptography Is Harder Than It Looks, etc.)

To understand more about how "security through obsurity" does more harm than good, read any one of the dozen accounts about the Engima used during World War II, and the Anglo-American (and Polish) effort which successfully analysed this "unbreakable" system. Like Code Breaking, The Code Breakers, or The Code Book.

Why did Kerchkhoff made such a radical statement? Because over the last, oh roughly 500 years, history has told the sad tale of bold cryptographers who sold their systems as unbreakable, and grossly underestimated the inventiveness of their enemies.

Ciphers (encryption algorithms) need to be designed to withstand the most cunning of oppositions. Who's main method is thinking "out of the box" to come up with diffierental cryptanalysis, timing attacks -- timing how long an encryption takes, differential power analysis -- measuring the power consumption, impossible cryptanalysis -- figuring which differentials aren't possible).

Bruce Schneier at Counterpane Labs and Ross Anderson at Security Group at Cambridge University have several essays about how security systems fail because the enemy "breaks the rules". (Why Cryptosystems Fail, Why Cryptography Is Harder Than It Looks, etc.)

To understand more about how "security through obsurity" does more harm than good, read any one of the dozen accounts about the Engima used during World War II, and the Anglo-American (and Polish) effort which successfully analysed this "unbreakable" system. Like Code Breaking, The Code Breakers, or The Code Book.

Why did Kerchkhoff made such a radical statement? Because over the last, oh roughly 500 years, history has told the sad tale of bold cryptographers who sold their systems as unbreakable, and grossly underestimated the inventiveness of their enemies.

Ciphers (encryption algorithms) need to be designed to withstand the most cunning of oppositions. Who's main method is thinking "out of the box" to come up with diffierental cryptanalysis, timing attacks -- timing how long an encryption takes, differential power analysis -- measuring the power consumption, impossible cryptanalysis -- figuring which differentials aren't possible).

Bruce Schneier at Counterpane Labs and Ross Anderson at Security Group at Cambridge University have several essays about how security systems fail because the enemy "breaks the rules". (Why Cryptosystems Fail, Why Cryptography Is Harder Than It Looks, etc.)

To understand more about how "security through obsurity" does more harm than good, read any one of the dozen accounts about the Engima used during World War II, and the Anglo-American (and Polish) effort which successfully analysed this "unbreakable" system. Like Code Breaking, The Code Breakers, or The Code Book.

No Joy from P2P vets for Sun's Jxta

By: Andrew Orlowski in San Francisco

Posted: 26/04/2001 at 00:52 GMT

Sun wheeled out its Mount Rushmore of cerebral greats - Gage, Joy, Gosling - to herald the unveiling of its Jxta peer-to-peer project today.

Announced by Bill Joy at the O'Reilly P2P conference in February, Jxta (pronounced "Juxta") is now live and we're awash with positioning papers, technical documentation and real downloadable code. But the instant reaction from the peer-to-peer community - who've been at this for a little while longer - was cool.

"It's no good for FreeNet, next to no use for MojoNation or Gnutella, and no good for SETI at home," FreeNet developer Adam Langely told us. "It is buzzword compliant, though."

And Jxta's reliance on XML brought an "Oh my god," from the developer - a contributor to the excellent O'Reilly P2P book, Disruptive Technologies - who's juggling a rewrite of the FreeNet core in C++ whilst studying for his GCSEs.

It's not as if the guest of honour has marched in to the P2P party, wolfed down the free booze and fondled the hostess. Almost, but not quite.

This party doesn't really need a guest of honour it seems, even if it is Sun itself in best-behaviour mode. Bill Joy modestly described Jxta as a project that attempts to define protocols, that's all. Within a year he told us today, we might have enough usable protocols to embed in some real devices.

But watching these billionaire new frontiersmen earnestly describe the problems that P2P networks need to overcome, after we've watched 18 months of very public sweat and anguish from the Gnutella, FreeNet et al networks as they tackle these problems, strikes as the definition of redundancy.

"These networks develop in vertical silos, and they don't interoperate," said Gage in his introduction today. Which is true: "The P2P projects have nothing in common except TCP/IP", agrees Langely. But far from being their weakness, it's really their strength. Gnutella began life as a brute force, quick-and-dirty mechanism for file sharing, and FreeNet as a long term project to build a secure space free from surveillance. To adopt Sun's Jxta plumbing would not only entail throwing away these hard-won lessons, but it would compromise what each network was created to do. For example, FreeNet is inundated with offers of help to turn it into a platform for instant messaging, a global anonymous email gateway, or the new Napster. Take your pick. But as FreeNet luminary Brandon Wiley unfailingly points out - FreeNet is uniquely useful for dissidents in China (it was inspired by Ross Anderson's Eternity service meme) - so please don't mess it up.

The road to hell is paved with good intentions, and indeed, well-though-out but pointlessly blue-sky RFCs, and Sun's error is really in mistaking social spaces for technical problems. This conundrum was best illustrated at the O'Reilly conference when a panel moderator (forgive us, we can't remember which one, and we paraphrase liberally here) asked: "Is there a P2P? Is there a P2P business model? Or will it be like client/server? Will we be sitting around at a client/server conference in a year's time?"

So Sun's Jxta is a technology project looking for social uses, and the P2P networks are social projects looking for technology solutions, and the two seem to be passing each other like the proverbial ships in the night.

But let's get some perspective: it's a benign adventure, and doesn't deserve the rancour that say, a Microsoft P2P 'solution' - let your imaginations run riot here, folks - would attract. We've seen so many such pogroms in the past (Pen Windows, anyone?) that trample over not only optimistic start-ups, but entire business models, and with Jxta being the hesitant Apache-licensed venture that is, comparisons don't stand up to scrutiny.

As if P2P had never happened
We'll go into the technical details when we've had time to digest them (comments welcome), but Jxta's a layered set of protocols tackling not just interoperability but monitoring and performance too.

If you were starting from scratch, then Jxta would be an obvious place to go. The monitoring stuff is nice, as plenty of fringe edge networking gets proscribed by vigilant BOFHs, fearful of congestion at network and disk choke-points. And not just BOFHs, either - any local ISP worth its salt should by now have recognised that P2P is a loyalty/community trump card, too.

Interestingly, Joy is thinking small with Jxta. It could be, he suggested, a way of steering users between the mess of access networks that we'll be faced with pretty soon - between 2.5G GPRS/EDGE packet data, 802.11 networks, and our local LAN or dial-up connections. "Devices are too small to carry ten protocol stacks," said Joy optimistically, without quite convincing us that a Jxta-enabled device would solve the problem. But give the man credit, he's looking for an answer to a problem most folk haven't even recognised yet. Unfortunately, the conversation took a turn into the utterly surreal, as Joy began to explain how embedded IP devices in schoolkids' sneakers could cause havoc for teachers, and how Jxta-enabled sneakers would solve the problem, because of their device recovery and monitoring characteristics. Sensibly, and abruptly, Gage drove the conversation back on to dry land before anyone had time to notice.

Let's kill the geeks
But if the distress in the people's P2P community wasn't enough, the opprobrium unleashed on the P2P meme by a lordly tech press is nothing short of astonishing.

"Bill Joy is catching the tail end of a euphoria that never came into existence," declares the New York Times, grandly.

The CNet/ZDNet conglomerate has outsourced its opinion to Gartner Group analysts, who opine:

"Sun was careful to avoid the term P2P, not wanting to be associated with a technology that appears to be going out of fashion." A fashion created by ... analysts such as Daryl Plummer and David Smith as recently as last August, we seem to remember.

Ouch! Since when were the NYT and CNet such pernickety style mongers, we wonder?

Ever since they had the P2P meme foisted upon them, we suspect, and there's more than a hint of snobbishness at attempting to bury an idea that the geek press had the temerity to name before they did. O'Reilly might not have named P2P - we're not absolutely sure who did, and we really couldn't care less - but the meme left the industry elite gasping for air, and without an industry elite to follow, the industry-led tech press was left experiencing a kind of zero-gravity for the first time. The Fourth Estate marches to a well regulated beat. OK, we'll give you 'Open Source' as a rebranding excercise, you can hear them think, but P2P, that's just too much weird shit...

P2P networks, or whatever they'll be called now, are about to be touted as the saviour of Europe's 3G crisis, for the very simple reason that they're communication rather than content based. And while we don't claim to predict the future, that it's a model that's as sane as anything else on the table.

Check out the Vinny the Vampire comic strip

...another use for StegFS.

(Evil Music Industry Spy): OK you little pirate scum, what's the password?
(Innocent College Student): ********, sir.
(Evil Music Industry Spy): Hmm, only GPL'd software here, no MP3's in here. Let's move on. Sorry to bother you.
(Innocent College Pirate^H^H^H^H^H^H Student): Oh, No Problem (evil grin)

[stuff about writing in Kylix]

Or look at Ada 95 next time you need to design a piece of multithreaded software. Ada has threading capabilities build into the language, and has proper array datatypes so there is no need to fiddle with pointers and worry about checking of boundaries.

Ada rights many of the wrongs of Pascal and has a strong and rich type system build in.

I am amazed that so many insist on staying away from modern languages that make it easy to find bugs at compile time. Oh well.

The GNAT compiler is GPL'ed and available for Win32 and Linux and quite a number of other platforms.

There was already a Word marco virus Caligula that attacked the PGP secret keyring and mails it to codebreakers.org, circa 1998.

You are mainly concerned with your private key ring, since lose or corruption of that would be the most damage. If the public key ring was modified you could alter local trust of a specified key, but it could not sign a public key without the private key.

As others have stated the private key itself is protected by symmetric encryption (e.g. IDEA, TripleDES) and you need the passphrase to unencrypt this encryption. So, a private key protected by a poor passphrase could be brute forced using a fast dictonary search tool, similar to Alex Muffett's crack for Unix passwords.

There are several ways to increase the security without irrating the user, such as using a floppy based key ring, using a smartcard memory card to store your own public/private keys, using a Dallas iButton, a removable PCCard (PCMCIA) storage device, or using a crypto smart card that stores your own private/public key, and does the RSA calculations on the card, designed in a such a manner as the keys cannot be extracted from the card. This gets into Differential Power Analysis (PDA) and tamper resistance attacks.

For a high security application, you could consider a hybrid smartcard and PDA (e.g. Palm), which forms a small trusted computer. Of course most security experts wouldn't call a out of the box Palm and PalmOS a trusted platform, but it's an example of a smartcard with a direct human interface (human input & output), rather than trusting a larger more complicated computer which is also more flexible because it is designed to be general purpose. Some 3G cell phones plan on having similar smartcard interfaces I believe. I think Nokia had a prototype. Of course since there have been some trojan SMS messages already seen in Europe, and with WAP expected to expand its capabilities rather than die, you can expect this to be a more virus friendly platform as cellphones evolve.

While Bruce's Secrets and Lies shows his change of heart from the absolute security through cryptography that he and cypherpunks dreamt of in the early 90's, he now understands that absolute security in a practial system is a myth, and wants readers to think like engineers in weighing of trade-offs, how easy to use verus how secure, and how expensive vs. how secure. It is not a reason to give up on cryptography, but to realise that in designing and working with secure systems you need to look at more than just which neat cryptographic algorithms to use.

A collection of some of the lecture notes is available at:

notes.htm

and "how to listen to a lecture is at":

Lecture.ps

A collection of some of the lecture notes is available at:

notes.htm

and "how to listen to a lecture is at":

Lecture.ps

Don't forget dead trees. Your students - and everyone who's serious about programming - should read the history of numbers, and that's in books. There were a spate around the Millennithingy, due to wierdnesses in publishers' conceptions of the world.

Probably the better of these is Robert Kaplan's The Nothing That Is: A Natural History of Zero. Charles Seife's Zero: The Biography of a Dangerous Idea will give students a hand up in understanding how journalists misunderstand the issues. Your students should read both. And definitely John D Barrow's The Book of Nothing : Vacuums, Voids, and the Latest Ideas About the Origins of the Universe.

Even better, throw them in the deep end with Barrow's Impossibility: The Limits of Science and the Science of Limits (1999).

This is why UTF-8 exists and is used on most unices, and why I consider it a better solution than plain (untrasformed) UNICODE (or UCS-16, if you like).

See this page for further reference.

Can you say prior art? This one is easy. The The coffee cam went live in 1991 and the fish cam shortly after. Now it would be *really* nice if the coffe cam was before April 11. But failing that if the tech was common enough that a coffe cam was being set up there has to be a web server from before that date. They are saying that the coffe cam or any other web page would violate this.
Do I get $10,000 now? :) Now does anybody know what day the coffe cam went live?

COAST has five in it's array. It's first images were made in 1995.

----------------------------

COAST has five in it's array. It's first images were made in 1995.

----------------------------

Makes me long for a time when the web wasn't littered with lawyers.

The coffee pot went missing quite a while ago. Documented at http://ban.joh.cam.ac.uk/~ajp38/science/trojan/Cof fee.htm

No, the problem with the old building was (is) that is was in a tower that was fairly tall and thin, so lots of stair-climbing was required. The new building is nice and flat (3 fairly large floors) in West Cambridge.

However, as someone pointed out, it is The William Gates Building. Microsoft Research were going to take the top floor, but have now decided, due to expansion, that they need their own building next door.

The original plans were quite fun, as the MS Research and Computer Lab parts of the building were completely separated by card-only doors...

Just as a sideline: Daniel Gordon (who maintains the current cam) is also the author of the most retro webpage ever, as mentioned in the most recent quickies.

Wow. Just when you think something has fallen off into relative obscurity, it pops up in comments like the one above.

Unfortunately, Neep was a rather good first try. The last published version is over a year and a half old now, and suffers from several problems:

• The single quote (') and grave accent (`) characters have good, but wrong, intentions. They follow the old and misguided glyph forms ('9'-shaped right quote and backwards-'9'-shaped left quote) perpetuated by otherwise useful programs such as gcc and groff. At the time, i was following the lead of the then-prevalent 'fixed' family of fonts shipped with XFree86. I am sorry for the consequences of my ignorance.

• The fonts are designed for increasingly obsolete 75-dpi displays. When i recently (nine months ago is recently?) switched most of my X displays to default to 100 dpi (and my fontservers to 100 dpi fonts), i discovered that Neep doesn't provide 100 dpi variants. At 1280x1024 on a 17-inch monitor, -*-neep-medium-r-normal-*-*-120-75-75-*-*-iso8859- * is just too small. And i don't like -*-neep-medium-r-normal-*-*-140-75-75-*-*-iso8859- *, even in its unpublished, more legible form. I made that one because other folks wanted it. ;)

• Neep does not come in Unicode/ISO-10646 encoding. It was a mistake for me not to make Neep into a Unicode font to begin with. I apologize for the consequences of my ignorance.[*]

• Related to the above points: Neep is composed of beautiful, legible, hand-tuned bitmaps, and i just plain have kein Bock mehr to make more and bigger sizes, not to mention merging the existing, improved, but unpublished ISO8859-* fonts with Markus Kuhn's[*] UCS-encoded ones. I really wish i had learned how to create and hint TrueType or OpenType fonts instead of making bitmaps, so i could be lazy and simply make two or three fonts instead of fifty-some.

I myself have pretty much stopped using Neep and am using Lucida Console (10 pt, 100 dpi) instead[**] (though i still wish i could find actual bold, italic, and bold-italic variants so that i could use it with nedit).

Regardless, if you must get Neep, please get it from http://www.jmknoble.cx/fonts/ rather than the place that points to. Web pages move easily, but jmknoble.cx is likely to stick around for quite a while.

If someone is interested in maintaining jmk-x11-fonts further, using the improved, unpublished edition, feel free to contact me (address is listed at the bottom of this page). Note, though, that i'm liable to be slightly cranky, and i may not hand these over to just anyone; i'd prefer for the design goals and aesthetic sense to be preserved, since they do have my name on them....

[Sigh.] Success's sword has two edges. (And yes, Brainchild = Jim Knoble).

________________
[*] Markus Kuhn has converted the most recently (year-and-half-old) published version of Neep into Unicode fonts. I'm not sure whether he's published them or not; check here. I have them, though, and (as i mention above) am partway through the process of merging them with subsequent changes in the ISO-8859-* fonts. If enough folks ask (and it's okay with Markus), i suppose i could publish them if they're not available at his site.

[**] I've been through several iterations of "there must be something else out there that has what i want", and i continually come up with this:

• Andale Mono is nice, but it has too much leading (at least, after getting used to the Lucida type family) and its punctuation is too light.
• Lucida Sans Typewriter has the single-quote problem in XFree86-3.3.x, and it's neither TrueType nor UCS-encoded.
• Courier New has too much leading, is too light in normal weight and too heavy in bold weight, and is much too ugly in any weight.
• None of the other easily available monospace fonts look as good or legible to me as Lucida Console.

Wow. Just when you think something has fallen off into relative obscurity, it pops up in comments like the one above.

Unfortunately, Neep was a rather good first try. The last published version is over a year and a half old now, and suffers from several problems:

• The single quote (') and grave accent (`) characters have good, but wrong, intentions. They follow the old and misguided glyph forms ('9'-shaped right quote and backwards-'9'-shaped left quote) perpetuated by otherwise useful programs such as gcc and groff. At the time, i was following the lead of the then-prevalent 'fixed' family of fonts shipped with XFree86. I am sorry for the consequences of my ignorance.

• The fonts are designed for increasingly obsolete 75-dpi displays. When i recently (nine months ago is recently?) switched most of my X displays to default to 100 dpi (and my fontservers to 100 dpi fonts), i discovered that Neep doesn't provide 100 dpi variants. At 1280x1024 on a 17-inch monitor, -*-neep-medium-r-normal-*-*-120-75-75-*-*-iso8859- * is just too small. And i don't like -*-neep-medium-r-normal-*-*-140-75-75-*-*-iso8859- *, even in its unpublished, more legible form. I made that one because other folks wanted it. ;)

• Neep does not come in Unicode/ISO-10646 encoding. It was a mistake for me not to make Neep into a Unicode font to begin with. I apologize for the consequences of my ignorance.[*]

• Related to the above points: Neep is composed of beautiful, legible, hand-tuned bitmaps, and i just plain have kein Bock mehr to make more and bigger sizes, not to mention merging the existing, improved, but unpublished ISO8859-* fonts with Markus Kuhn's[*] UCS-encoded ones. I really wish i had learned how to create and hint TrueType or OpenType fonts instead of making bitmaps, so i could be lazy and simply make two or three fonts instead of fifty-some.

I myself have pretty much stopped using Neep and am using Lucida Console (10 pt, 100 dpi) instead[**] (though i still wish i could find actual bold, italic, and bold-italic variants so that i could use it with nedit).

Regardless, if you must get Neep, please get it from http://www.jmknoble.cx/fonts/ rather than the place that points to. Web pages move easily, but jmknoble.cx is likely to stick around for quite a while.

If someone is interested in maintaining jmk-x11-fonts further, using the improved, unpublished edition, feel free to contact me (address is listed at the bottom of this page). Note, though, that i'm liable to be slightly cranky, and i may not hand these over to just anyone; i'd prefer for the design goals and aesthetic sense to be preserved, since they do have my name on them....

[Sigh.] Success's sword has two edges. (And yes, Brainchild = Jim Knoble).

________________
[*] Markus Kuhn has converted the most recently (year-and-half-old) published version of Neep into Unicode fonts. I'm not sure whether he's published them or not; check here. I have them, though, and (as i mention above) am partway through the process of merging them with subsequent changes in the ISO-8859-* fonts. If enough folks ask (and it's okay with Markus), i suppose i could publish them if they're not available at his site.

[**] I've been through several iterations of "there must be something else out there that has what i want", and i continually come up with this:

• Andale Mono is nice, but it has too much leading (at least, after getting used to the Lucida type family) and its punctuation is too light.
• Lucida Sans Typewriter has the single-quote problem in XFree86-3.3.x, and it's neither TrueType nor UCS-encoded.
• Courier New has too much leading, is too light in normal weight and too heavy in bold weight, and is much too ugly in any weight.
• None of the other easily available monospace fonts look as good or legible to me as Lucida Console.

Soudns great for the apartment complex.... Just the way to store all that illegal porn so if the police arrives your machine is clean, as its on someone elses drive

Isn't that the reason you should use either the RubberHose filesystem or the StegFS filesystem?

In 90% of the applications (especially the kinds of applications that slashdotters are interested in), having a full-scale public key infrastructure and having every public key signed by a signing key would be more susceptible to attack than doing simple unauthenticated public key exchange between peers.

That's because the cost of mounting a man-in-the-middle attack on a specific public key (think of e.g. someone mounting a man-in-the-middle attack against your ssh pubkey when you ssh in to another box), greatly exceeds the payoff. There are cheaper ways to get access to your other box, starting with known exploits, followed by social engineering. Finally, physical access to your box is probably cheaper and safer for the attacker than a man-in-the-middle attack on an unauthenticated public key exchange.

Now look at the other option: what's the cost/payoff matrix for mounting an attack that steals some keys high up in the PKI hierarchy? The cost is whatever it takes to get the keys (history shows[1] that social engineering, being yourself an employee of the organization, or taking advantage of some thoughtless mistake on the part of an employee, seems like the best starting point) and the payoff is huge. You basically get carte blanche on the whole network which trust this particular PKI.

Now I am aware that there are other PKI topologies that are less hierarchical, but basically the most cost-effective solution that gives you the amount of security you need for the amount of effort that you can afford is simple straightforward unauthenticated public key exchange. The universal assumption that the only "truly secure" system is a full-scale PKI is a massive mistake perpetuated by idealistic mathematicians ignorant of the facts on the ground, and greedy PKI execs who dream of being able to extract a tax on every transaction, because they control the root keys.

There are several cheap and easy tricks you can add to unauthenticated PK exchange to make it even more expensive and dangerous for an attacker to interfere, which I would be happy to explain if anyone asks...

Regards,

Zooko

[1] "Why Cryptosystems Fail." Ross Anderson. http://www.cl.cam.ac.uk/users/rja14/wcf.html

College used to have a cluster of Suns, but they gradually became unmaintained and were removed after they were all hacked. As a result, we ended up with a bunch of Windows machines and no UNIX provision. What we ended up doing was designing a net-booting Linux system that required no access to the local hard drive (documentation here) and just used that until the COs finally gave up and made it official. At around the same time, people finally gave up with the university's policy regarding undergraduate access to UNIX systems (ie, the only general provision would be access to the mail server running a heavily limited shell designed for the express purpose of reading email and carrying out various mail-related tasks) and set up a university-wide service with some support from the student union. The SRCF was the result. Of course, both these could probably have gone very differently if the authorities had taken a different view of things (the SRCF was set up after consultation with the university computing service, and our Linux system happened to coincide with a time when the college COs were too busy fighting with each other to give a damn what we did), but even so if you're unhappy with the computing facilities available to you it is worth attempting to do something about it.

..but the reality is that he's selectivly enforcing his invalid trademark (check the trademark db if you don't believe me). And he's doing this enforcement against the product that's **gasp** putting him out of business. If he really wanted to protect the (tm), he would need to go after:

O SSH
TTSSH
NiftySSH
MacSSH
Java-SSH
TGssh
sshCE
An OpenVSM project called just SSH
SSH-OS2
...

and, well, you get the point. He's just going after OpenSSH because they're beating him in the market. And not only does he have no legal leg to stand on, but he's being a real slime by only going after the successfull one. Theo would be right to tell hime where to stick his lawyers.

I remember seeing an article about nano-motors that used vaporised water to move a piston that made a shaft rotate. A friend pointed out it was a steam engine. Just very small.

Now people are talking about fibre optic delay lines as storage devices. Some of the earliest computers stored data as sound waves in mercury and
nickel wires. A speaker injected sound in one end, it was picked up my a microphone at the other, re-shaped and squirted back in.

Same idea, different medium.

I remember seeing an article about nano-motors that used vaporised water to move a piston that made a shaft rotate. A friend pointed out it was a steam engine. Just very small.
Now people are talking about fibre optic delay lines as storage devices. Some of the earliest computers stored data as sound waves in mercury and
nickel wires. A speaker injected sound in one end, it was picked up my a microphone at the other, re-shaped and squirted back in.

Same idea, different medium.