Slashdot Mirror

...if you distribute modified versions of TrueCrypt, you cannot charge for copies. That is non-free...
...nothing in the license constitutes a promise not to sue for copyright infringement. Our counsel advises that a plain reading of this indicates that if Fedora complies with all the requirements of the TrueCrypt license, we would nonetheless have no assurance that TrueCrypt will not sue me for my acts of copying, distribution, creation of derivative works, and so forth...
TrueCrypt seems to be reserving the right to sue any licensee for copyright infringement, no matter whether they comply with the conditions of the license or not. Based on this, our counsel advised that above and beyond being non-free, software under this license is not safe to use...
Our counsel advised us that this license has the appearance of being full of clever traps, which make the license appear to be a sham (and non-free).

Given all of this, plus the problems with TrueCrypt authorship etc. I think the best course of action is replacing with a free implementation, maybe starting with something like this?

I think it is? http://tsd.dlink.com.tw/downloads2008detailgo.asp
Someone commented on another website with this link: https://gist.github.com/ccpz/6960941 which shows
the backdoor string being defined in some config.

It needs a killer game that can't be open source so that it can't be ported to other platforms. Of course if it's not open source, Linux users won't touch it.

It's not terribly important that games are open source, as they are individual works of art. The need for open source is much higher for operating systems and general purpose software. Then again, as id Software has shown, publishing the source code after few years of release, doesn't really hurt a game company either...

The author of the bzip2 decompression code seems to have gotten a little bored writing the comments.

Right now there are some large DNS amplification attacks going on. Set up a PC as a DMZ and run ethereal as others suggested, and see if it is excessive UDP traffic on port 53. If it is, it is probably botnets attempting to leverage a DNS server or forwarder on your network to flood their target. Of course, the botnets do not care whether or not you are actually running a public DNS; since it costs the operators nothing to fuck with your connection they are indiscriminate, and ISPs seem to not care about the issue.

DNS amplification: https://www.us-cert.gov/ncas/alerts/TA13-088A

The problem is while you can mitigate it somewhat by not serving up root DNS requests, DNS servers will still send a 16-byte NXDOMAIN response, not completely ignore the requests. To add to the problem you can't really block the requests (short of capturing the packets and reading them yourself) since the packets are spoofed; what appears to be the source is the client IP, which is actually their target. You can use either iptables or DNS rate limiting to limit the traffic you are sending out to their clients, but the incoming requests will still be coming in and there is no real way to stop that (they'll still be hitting either your router or DNS server). Here is a list of the iptables rules to drop the packets for these attacks:

https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist.txt

The list is updated regularly but again the packets will keep hitting your IP; the best you can do is implement those rules to not compound the problem.

um, they link to their github account from about -> resources page :

https://github.com/bikeindex

So in other words, no you have no reasonable way to prevent someone from breaking into your house, or even making it difficult to do so. You could just admit you were wrong instead of acting more and more of an asshole with each post.

A lock on the front door works well enough for my own purposes. What I have seen in a case where a church kept having their televisions stolen by gang members, they got a steal door for the storage room and lined the entire inside of the room with a cage made of rebar. BTW I didn't say the security measures had to cost less than $10k, that's probably where you got confused.

Your interesting signature references beautiful open source code. Do you know how we get beautiful open source code? I post something on my github, Tim points out how it could be improved. I make those improvements, "admittingx" that my original code had flaws. Then Mary comes along and points out more imperfections. I admit it still wasn't perfect and make the changes. Then it goes to the integrators for a repeat. That's how we end up with beautiful code, by admitting that our first thought wasn't quite right. Hell even Microsoft admits they were wrong with Windows 8. Are you as intellectually honest as Microsoft?

Go ahead, check it out

I am curious about your sig. What do you have going there? Tim Hunt produces some code that's beautiful in it's perfection, but you may be looking for beauty in terms of being concise and as simple as possible. There's an implementation of strcpy that's beautiful in that way, something along the lines of:

Generally looking for beauty in any way.....some code can be visually attractive but a nightmare to work on (like stuff at the IOCC), other code is not pretty to look at but incredibly flexible and easy to work with.......both are beautiful.

I use nakefiles because they are written in a really cool programming language much better than python or ruby and compiled to binary code, which makes them instant. But I reckon if you want something more stable/supported you should give tup a try.

If somebody uses today make that's really like living in the past ignoring all the much better new options.

Chromium has no software updater. I either have to download a separate add-on that gives me an icon when an update is available, or I have to check their website for updates. And I still need to download and install them. Or I could use an external program to automate some of that. A giant hassle just to keep it updated.

Chromium is still brought to you by the people that brought you RLZ Tracking. Also see https://github.com/nylira/prism-break/issues/169

Obviously it's a great web browser. But its greatness is from the same reason that I avoid it: Google.

I'm thinking of it (using https://github.com/dwelch67/raspberrypi as a tutorial), but seeing that I just got around to writing "Hello, world!" in an x86 boot sector a few weeks ago (and that's cheating since I'm able to use the BIOS), I might be a while :-P

Apparently it's built using Ruby. You can find some of the source code on github here: https://github.com/CMSgov/healthcare.gov This repository doesn't include the fun parts that make up the market place code itself but does include other parts of the website. The license file says the code has been released to the public domain.

Hi! I'm the dev on this project that was quoted in the article. Definitely plan on including I2P and P2P-connected services to arkOS. And of course if anyone is interested in making their favourite software work with arkOS, they can do so quickly and easily https://github.com/cznweb/genesis

Was the old cert due to expire? I have thought before that it would be nice if my browser etc gave me a warning like "Certificate has changed but wasn't due to expire for another 3 months". This still gives the bad guys a window where a subverted certificate could be slipped in without notice, but it closes the window a bit.

Maybe. If I skip the web browser and run: msmtp --serverinfo --host=smtp.gmail.com --tls=on --port=587 --tls-certcheck=off

I get:
Activation time: Tue Sep 10 00:54:47 2013
Expiration time: Wed Sep 10 00:54:47 2014
SHA1: 10:75:E1:8C:DF:93:15:3B:A1:8F:CD:FE:D3:11:79:D5:16:43:77:BC

That's a pretty recent change. If there was overlapping time between the activation of this one and the expiry of the last one... problem is, I don't have a time machine and can't find out what the last one was, nor when it was set to expire.

Googling (look, just because they can MITM every site, I don't think even NSA is doing DPI on every HTTP transaction so they can pipe every web page through 'sed s/valid-signature/fake-signature/g' :) around for prior signatures reveals:

As of June 19, 2010: Activation time: Thu Apr 22 21:02:45 2010
Expiration time: Fri Apr 22 21:12:45 2011
SHA1: 1A:6F:48:8F:BE:5B:FD:92:D8:12:30:F9:22:CE:84:49:B3:43:BD:2C

As of August 16, 2011: Activation time: Wed Feb 16 12:38:09 2011
Expiration time: Thu Feb 16 12:48:09 2012
SHA1: DB:A0:2A:07:00:F9:E3:23:7D:07:E7:52:3C:95:9D:E6:7E:12:54:3F

As of October 2, 2012, another user reports a change from:
SHA1: F3:92:AE:B4:28:FE:64:03:6F:E1:55:ED:71:9E:5F:F6:88:90:5A:57
to:
SHA1: 34:B4:3E:66:71:D8:AC:5A:47:76:7F:B7:CD:E4:31:08:F4:A5:DD:A8
but didn't include the dates.

There was also a 2013 hit for what looked like a tls_fingerprint of 52:99:F2:7F:82:4F:79:5A:71:1F:FF:D3:BE:22:7C:88:06:62:89:76 also without dates.

So on the one hand, this may simply be an innocuous expiry of a cert for smtp.google.com that's related to this May 2013 note about upcoming changes. On the other hand, there's nothing else that says what the old fingerprint was, when it expired, nor what the new fingerprint ought to be. And on the gripping hand, maybe the root (if you'll pardon the pun) cause of the problem is that if the the user has no tls_trust_file defined, and if Google changed intermediate certificate authority... umm, dammit, now even I'm confused. I think I sympathize with OP, though. There needs to be an easy-to-google, bing, apt-get, or git-init means by which of seeing the history of what's legit at any moment in time. It's up to the user to decide how many ISPs to run the search query from, or even to pick up the phone and call a friend in a non-US country and ask them to do the search and see if they get the same results.

Which you can also do in Gnome with GPaste.

https://github.com/zfsrogue/zfs-crypto

In the ZFSonLinux area at https://github.com/zfsonlinux/zfs/issues/494#issuecomment-23652335 it's noted that the zfsrogue code is encumbered and so, will not be used.

There's an earlier comment https://github.com/zfsonlinux/zfs/issues/494#issuecomment-7158618 and a corresponding note in the OpenZFS wiki: The early ZFS encryption code published in the zfs-crypto repository of OpenSolaris.org could be a starting point

https://github.com/zfsrogue/zfs-crypto

In the ZFSonLinux area at https://github.com/zfsonlinux/zfs/issues/494#issuecomment-23652335 it's noted that the zfsrogue code is encumbered and so, will not be used.

There's an earlier comment https://github.com/zfsonlinux/zfs/issues/494#issuecomment-7158618 and a corresponding note in the OpenZFS wiki: The early ZFS encryption code published in the zfs-crypto repository of OpenSolaris.org could be a starting point

https://github.com/zfsrogue/zfs-crypto

In the ZFSonLinux area at https://github.com/zfsonlinux/zfs/issues/494#issuecomment-23652335 it's noted that the zfsrogue code is encumbered and so, will not be used.

There's an earlier comment https://github.com/zfsonlinux/zfs/issues/494#issuecomment-7158618 and a corresponding note in the OpenZFS wiki: The early ZFS encryption code published in the zfs-crypto repository of OpenSolaris.org could be a starting point

You certainly can!

Visit your repo page +"/compare" to setup the revisions you want to diff.
Or just construct the url:

https://github.com/gunn/ember.js/compare/emberjs:8446b121d8c635ebf...ember-libraries.diff

In other words, using GitHub is every bit as transparent and consistent as the git command line! It's a feature...

There are no satisfactory workarounds, and never will be. The crypto needs to be handled within ZFS or it becomes an over complicated and inefficient mess. (As you are probably aware.) Consider a ZFS mirror on top of two disks encrypted by the OS; even though the data is identical, it now needs to be encrypted twice on write, and decrypted twice on scrub. For ditto blocks, multiply the amount of crypto work by another two or three. There are now (at least) two keys to manage and still no fine granularity access. Adding more vdevs to the pool only exacerbates the problem.

Copy on write transaction oriented filesystems like like ZFS are the natural place for crypto, as constructing a nonce is trivial; simply append the transaction ID, block offset, etc. It couples perfectly with stream ciphers like Salsa20 (or XSalsa20 for the extended 24-byte nonce), and offers the possibility of extremely fast, flexible, and efficient crypto. There is no expensive key setup required and no need to generate ESSIVs. No need to use expensive crypto modes on top of conventional block ciphers, which require multiple encryptions or other expensive operations like GCM. Furthermore, Salsa20/ChaCha is not only highly secure and trustworthy, but extremely fast, simple, and elegant.

After all of the work of hammering a square peg into a round hole with conventional full disk encryption, performance of Salsa20 in ZFS/HAMMER/btrfs would rival hardware accelerated block device crypto and be useful on a far greater array of hardware. (Typically it should even surpass it, as redundant crypto operations are eliminated.)

There is ongoing work on ZFS crypto at https://github.com/zfsrogue/zfs-crypto, though I'm not sure how it is progressing. Having zfs-crypto integrated would be very useful, not only for efficiency reasons, but for the simple and flexible key management. While there are alternatives to a number of other features that ZFS offers, none of them come close to offering the flexibility and convenience of ZFS.

You certainly can!

Visit your repo page +"/compare" to setup the revisions you want to diff.
Or just construct the url:

https://github.com/gunn/ember.js/compare/emberjs:8446b121d8c635ebf...ember-libraries.diff

OSv certainly appears to be a derivative of FreeBSD (see https://github.com/cloudius-systems/osv/tree/master/bsd).

It's not much, but they solved everything I needed. If you need something in particular, maybe we could get an arrangement though I don't have now the time I used to have and just have a basic comprehension of the code.

As stenvar says, what is there to do? It's been good enough for years.

The scripting is all html/css/javascript using the Enyo framework.

It's cool that they open-sourced the webOS calculator, contacts, email, notes, etc., but it's not the complete phone image, I couldn't find the system settings, dialer, etc. The APIs that the published webOS apps use seem disconnected from any standardization efforts, and some apps seem to contact a local nodejs server instead of making simple JavaScript function calls. If it's all HTML/CSS/JavaScript, why is there a copy of Qt in the tree? Google suggests "much of the actual webOS GUI is (in webOS 2) Qt-based". The best explanation of Open webOS development I've found says

* JavaScript applications with HTML5 and CSS3 using cross-platform Enyo framework
* PDK for native C++ applications using OpenGL/ES, typically for games
* JavaScript services implemented with node.js
* System services implemented in either C++ or Javascript (node.js)
** Web access vs. performance
* Standard applications use Enyo framework
* User interface is a series of Qt C++ applications, libraries and services with some QML

That's one way to do it and Tizen is similar, but compared with Firefox OS's everything in JavaScript calling web APIs, it's far more elaborate and less in the "everything scriptable" approach that TFA wants.

Unless the phone's system apps are all open source and written in JavaScript, so necessarily there are Web APIs to everything. Firefox OS walks the walk.

PhoneGap will shrink to be a compatibility shim on decent standards-compliant smartphones; the problem is Apple will always favor native IOS over web apps because Apple Inc. wants the resulting lock-in and can get away with it while they have market dominance.

Surely Dave Winer can't be that out of touch. Firefox OS nails it.

In Firefox OS everything is written in JavaScript, the most widely-deployed scripting language that developers already know. Unlike all the other also-rans to IOS and Android, its system applications — calendar, on-screen keyboard, music player, etc. — are likewise written in JavaScript. To permit this, and unlike BBX, OpenWebOS, Tizen, Windows 8, and everyone else saying "Write apps for our failing platform using HTML/CSS/JavaScript", it has Web APIs to most phone features (battery status, Bluetooth, camera, SMS, etc.), all on various tracks towards standardization. Like lots of phones you can run your apps on the desktop in an emulator; unlike lots of phones the Firefox OS Simulator runs in your browser. Unlike any other smartphone many of the apps you write for the phone will also run and install unchanged as apps on desktops (and Android) running Firefox, many will also work as Chrome apps with minimal effort, and anyone can run an app store, you just put an install button for your app on a web page on your site.

I installed Crouton on a Samsung Arm Chromebook, and it has since become my main computer. Basically, it is the best of both worlds, in my book. Hassle free web experience (including Netflix), and I can flip any time to a "real" computing environment (there must be limitations with chroot. . . just have not found any for my use yet. mplayer over sshfs would have been a deal breaker, but it works perfectly fine . . .).

I am very content, but the price was so cheap there is nothing stopping me from trying out a Chromebook with Haswell or whatever comes down the pipe. Good times.

I've got an Acer Chromebook running Crouton and XFCE4. Best little devbox I ever had, especially for $199 bucks. It used to be that you had to give up verified boot (and the automatic patching that implies), but no longer.

It's not so difficult if it's pure Python and you're not compiling anything. The main problem was getting Qt to compile so I could compile my extensions. For your project, I'd make a virtual machine with something like WinXP (this makes it easier to make new releases if nothing changes), install Python and the associated PySide. Install any other modules you need. I used PyInstaller to make the runnable exe file. See e.g. here for my pyinstaller file. I then used NSIS to make an installer using this configuration file.

It's not so difficult if it's pure Python and you're not compiling anything. The main problem was getting Qt to compile so I could compile my extensions. For your project, I'd make a virtual machine with something like WinXP (this makes it easier to make new releases if nothing changes), install Python and the associated PySide. Install any other modules you need. I used PyInstaller to make the runnable exe file. See e.g. here for my pyinstaller file. I then used NSIS to make an installer using this configuration file.

Oh, hmm. I don't think I've actually written the process thingy up as a library yet. I probably should. It's a bit nicer than system(). Then all those bad programmers out there could do process_thingy("rm /tmp/some_file").wait() instead of system("rm /tmp/some_file"). That's a HUGE improvement. I'll add that to my to-do list for the weekend. Funnily enough I wanted exactly such a library a couple of jobs ago, but they were using Java for their application, and it's impossible to do this in Java without JNI. And my position is if you're using JNI in your java program, you've already defeated the reason you used java in the first place (Write once, run anywhere.) So you may as well use C for the entire project.

I DID write my socket thingy as a library though, and posted it as a repo on github. You just implement a class that takes its owner, a file descriptor and a sockaddr_in pointer as constructor parameters and overload operator() to do work against the the file descriptor. Mostly it's an academic exercise, but I'll be leveraging it to do some neat things in the coming weeks. It uses pthreads and network socket I/O. Good luck getting that to compile on windows (Maybe you can with cygwin *shrug*.) I don't actually compile any code up there though. It's mostly just up there to illustrate how to do something. Maybe one of these days when I've done enough libraries like that, I'll write a book.

Oh, yeah, and I don't do windows. I think that's what I was going to say right out the gate. Sorry about that. My bad.

Again, try the new version 1.4. As discussed in https://github.com/owncloud/mirall/issues/29 inotify on linux does not guarantee that the sync client will get notified of file changes under all circumstances, so we do need to poll. Any constructive hints are welcome.

Qcloud puts a chip in someone's butt, for coders to... "experiment". Fun!

https://github.com/DaveRandom/cloud-to-butt-mozilla

Available at https://github.com/SilentCircle, but now we have the problem of validating the binaries are built from the code. This is subtle: see, for example, https://lwn.net/Articles/565113/

The i.MX6 inside uses a Vivante GPU. Vivante drivers work rather well, but for some reason, that company can't version their drivers, which is annoying. However, Freescale takes care of this. When working on Sabre SD boards, I always had stable OpenGL ES and OpenVG support. Newest Vivante drivers even support desktop OpenGL (only 2.1 though).

There is also an opensource driver project called etnaviv https://github.com/laanwj/etna_viv it has come pretty far. People have been running GLQuake and others with it already.

The colophon of the book states it clearly enough:
"This work is licensed under the Creative Commons Attribution-NonCommercial-ShareAlike License. To view a copy of this license, visit http://creativecommons.org/licenses/by-nc-sa/3.0/ or send a or send a letter to Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California, 94105, USA. If you distribute this work or a derivative, include the history of the document."
"The source code is available at: https://github.com/ASCTech/mooculus/tree/master/public/textbook"

I guess the rush to post overwhelmed any curiosity in the material itself. Yes, the repetition "or send a or send a" exists in the textbook.

EVE doesn't use IronPython. It uses Stackless Python. And yes, it is possible to decompile the code, and it has been done in the past.

http://evesupernerf.blogspot.co.uk/2012/05/decompiling-eve-client.html
https://github.com/wibiti/evedec/blob/master/evedec.py

This. Though I have to admit, I've often been tempted to insert meaningful whitespace in there.

Maybe someday when I submit to the temptation to play with https://github.com/mame/quine-relay

This solution bypasses Google's Chromecast SDK entirely.

Maybe the project I've been working on could be usefull to you.

MLVPN can do what you want by creating multiple connections and aggregating them together.

You can find it on https://github.com/zehome/MLVPN Let us know if it's usefull to you or not!

This is really bass ackwards. Android has the same GNU userland as most other Linux distros or did you not know you can run ls, rm, ps et al. on your phone?

Command-line GNU userland, maybe. libc userland, libc GNU userland, not so much.

Something like this, completely independent of the core language. One should be able to strip all type annotations and run the program dynamically.

What I don't like about the type hints is that they don't compose and don't allow for basic types and complex types.
You can't represent something like a function that takes two integers and a float and returns a string, which could be written easily like this (int -> int -> float) -> str.
https://github.com/kennknowles/python-rightarrow

Syntactically, all of this can already be done with decorators and function calls, as well as function annotations, which I don't like, because they don't compose either.

@type_hint(...)
def f(a,b,c): ...
        # type_hint is identity in first arg
        x=type_hint(a, int)

        fun = pickle.load(...)
        type_hint(fun, '(int -> int -> float) -> str.')

For expressions that can't be typed at compile time (like the pickled function), python can now create unit tests and runtime checks.

It is important to have type annotations that can be composed, as a variable can be a member of more than one type. An example would be a value that is of type float, and of type physical unit kg.

Being able to check for physical units would be a huge selling point in the scientific community.

quick google of the name and i found a github repo that's been up for years.

The officially supported ioquake3 engine by the Frozen Sand Development Team for the game Urban Terror 4.x

so what's the deal?

It's so closed-source that they make it available on git-hub: https://github.com/opensource-apple/xnu

I like these articles about Amarok because they inevitably lead to people discussing the alternatives, and sometimes I'll give one of them a try.

One of my favourite players is Herrie. Playlist management is simple enough to do in text mode.

OTOH, I still maintain my textmode frontend to Audacious, because the Python code makes it easy to add custom functions. As a theatre sound guy, I don't want to futz around with a mouse in the midst of a play.

Text-mode players such as these are also convenient over ssh - it's quite neat to manage the player with a phone/tablet from the dance floor...

Maybe any of these work:
https://github.com/Razor-qt/razor-qt/wiki/3rd-party-applications

Now to find a distribution which actually have them all packaged...

http://goliat.eik.bme.hu/~balaton/gnustep/opal/ https://github.com/gnustep/gnustep-opal

Vaporware, yes. But I'm working on it.

https://github.com/scholarly/kbsum/wiki/Anonymous-Private-Communications-Service

Unlike others, I don't consider convenience and server-side searching essential features. I consider them fatal features. The only place a message should ever be decrypted is on a computer the recipient physically controls and knows and trusts the administrator.

I am open to suggestions, reviews, criticism, and help.

And until I know I can install an actual OS on there.

Not some Lovecraftian inner-platform abomination that makes the old joke about Emacs being a nice OS with a shitty text editor look not funny at all.

What's next? Booting Linux inside of it, and use your virtual modem to make a dial-up connection to your virtual modem on your PHP (*barf*) server? ... Oh, wait!

I have experimented with the open source jbig2enc library available at http://github.com/agl/jbig2enc, which has a encoding parameter called the “threshold”, described like this:

“sets the fraction of pixels which have to match in order for two symbols to be classed the same. This isn't strictly true, as there are other tests as well, but increasing this will generally increase the number of symbol classes”

The included command tool accepts values for this parameter between 0.4 and 0.9, with 0.85 as the default.

I have found replaced digits in single-page numerical tables encoded with this parameter set as high as 0.82. As with the other examples you have found, the errors are not in any ways obvious to the eye which is, of course, the real problem.

Since JBIG2 has been supported in PDF since 2001, it would be surprising if only Xerox have fallen into this trap.

..just move the voting to sundays, like every other sensible western nation does it.

digital remote voting, which enables vote selling and coercion? fuck that. it goes against every basic principle of being able to vote what you want no matter what your employer or even spouse tells you.

I support (and am working on) digital remote voting software (Just as a hobby, you can see it here). That said, its really nice to see someone oppose it on the correct grounds. "vote selling and coercion" are the correct objections to remote voting, mail in or digital. Unfortunately, it looks like digital remote voting might suffer worse from this issue, which is arguable more important that the issues it does solve (like venerability / needing to trust the people running the election)

I can't figure out an algorithm that resists vote selling that is also secret ballot, verifiable and works without trusting the authority running the election. I've been looking into deniable encryption though; there might be a way, and I'm thinking about it. I can get resistance to vote selling working, but I'd have to give up some of the other stuff (like real-time third party auditing that can prove election fraud if votes are rejected, or secret ballot with respect to those running the election servers). You either need to trust that your vote is counted, or its impossible to sell fake voting credentials that can not be checked for validity by the buyer. (The only way to resist vote selling for remote voting is if you can sell apparently valid credentials someone can cast a vote with, but it won't count, and they can't ever tell)

Regardless, this trad-off can be taken either way (verifiable, or coercion resistance) while still doing a remote digital system, so I don't think it being digital is inherently the problem here (I haven't see a paper system that offered both either).

Given that in my state (Washington) we do pure mail in now, I've been looking for a verifiable replacement for that. Personally though, given that I haven't worked out a good solution for vote selling+verifiable, maybe we go back to the in person voting booths being the only option, and legally require voting (you can go in and just cast an empty ballot if you want). That really seems like the only way, but that still could be done digitally (but not remotely), and perhaps with better verifiability.

Anyway, thanks for being thoughtful and actually knowing what the fundamental issues facing democracy are. I wish everyone was like that.