Domain: thoughtcrime.org
Stories and comments across the archive that link to thoughtcrime.org.
Stories · 22
-
Moxie Marlinspike: GPG Has Run Its Course
An anonymous reader writes: Security researcher Moxie Marlinspike has an interesting post about the state of GPG-encrypted communications. After using GPG for much of its lifetime, he says he now dreads getting a GPG-encrypted email in his inbox. "Instead of developing opinionated software with a simple interface, GPG was written to be as powerful and flexible as possible. It's up to the user whether the underlying cipher is SERPENT or IDEA or TwoFish. The GnuPG man page is over sixteen thousand words long; for comparison, the novel Fahrenheit 451 is only 40k words. Worse, it turns out that nobody else found all this stuff to be fascinating. Even though GPG has been around for almost 20 years, there are only ~50,000 keys in the "strong set," and less than 4 million keys have ever been published to the SKS keyserver pool ever. By today's standards, that's a shockingly small user base for a month of activity, much less 20 years." Marlinspike concludes, "I think of GPG as a glorious experiment that has run its course. ... GPG isn't the thing that's going to take us to ubiquitous end to end encryption, and if it were, it'd be kind of a shame to finally get there with 1990's cryptography." -
Saudi Arabian Telecom Pitches to Moxie Marlinspike
An anonymous reader sent in this excerpt from Moxie Marlinspike's weblog: "Last week I was contacted by an agent of Mobily, one of two telecoms operating in Saudi Arabia, about a surveillance project that they're working on in that country. Having published two reasonably popular MITM tools, it's not uncommon for me to get emails requesting that I help people with their interception projects. I typically don't respond, but this one (an email titled 'Solution for monitoring encrypted data on telecom') caught my eye. ... The requirements are the ability to both monitor and block mobile data communication, and apparently they already have blocking setup. ... When they eventually asked me for a price quote, and I indicated that I wasn't interested in the job for privacy reasons, they responded with this: ' I know that already and I have same thoughts like you freedom and respecting privacy, actually Saudi has a big terrorist problem and they are misusing these services for spreading terrorism and contacting and spreading their cause that's why I took this and I seek your help. If you are not interested than maybe you are on indirectly helping those who curb the freedom with their brutal activities.'" -
Moxie Marlinspike Answers Your Questions
A few weeks ago you asked security guru Moxie Marlinspike about all manner of security issues, being searched at the border, and how to come up with a good online name. He's graciously answered a number of your inquiries which you will find below.
Who writes your paychecks?
SirGarlon
From your Web site it looks like you've worn a number of hats. How do you mainly earn your living by penetration testing, developing software as a contractor, or what? Or do you have a day job? (I won't ask where). Do you have any advice for software engineers seeking an independent career?
I was the CTO at WhisperSystems, which was just acquired by Twitter. In the past, I've done both contract and full-time software engineering work, and I've worked on boats and as a delivery captain. I've also spent a considerable amount of time being broke and living without money.
I don't think I have any particularly sage advice for software engineers looking to go independent, so I'll answer a different question: on a somewhat regular basis now, I receive inquiries from young people coming out of high-school or college, asking me what they should do to get started in their software or security career. My most common response is "don't do it." Or at least, not right now.
I think the biggest thing young people fail to realize is the interminable nature of a career. As a young person in the global north, your whole life is generally marked by periods with definite beginnings and endings: elementary school is 5 years, middle school is 3 years, high-school is 4 years. It's significant because when you're in high-school and hating the indignity of it all, there is at least a definite endpoint that you can look forward to. But if you're coming out of that, you might not fully comprehend that when you start a career, you're expected to do that... for the rest of your *life*! Don't be too anxious to jump into that, because it's not as different as what's come before as you might think.
A friend of mine recently quipped "most people working in software discovered technology before they discovered themselves." There are so many people in the industry working on projects without a real personal narrative as to *why* they're doing them, other than the intrinsic feeling that solving technical problems is fulfilling. There is a whole entrepreneurial scene in the Bay Area right now; I can understand the draw of building things, but the level of self-seriousness that people bring to something like a "customer loyalty" startup baffles me. Honestly, it's simply not true that this stuff is "changing the world," so don't be too concerned about missing out if you don't jump in as quickly as you can.
Please, don't spend your late teens or early twenties in front of your computer at a startup. If you're a young person, I think the very best thing you could do is get together with a group of friends and commit to a one year experiment in which the substantial part of your life will be focused on discovery and not be dedicated to wage work -- however that looks for you. Get an instrument, learn three chords, and go on tour; find a derelict boat and cross an ocean; hitchhike to Alaska; build a fleet of dirigibles; construct a UAV that will engage with the emerging local police UAVs; whatever -- but make it count.
security and society
xappax
In addition to being a very sharp security researcher, you seem to have a strong interest in issues of social and political control. What emerging security trends do you see as being most important or helpful for authoritarians (at home and abroad)? What security trends are most important for anti-establishment movements?
I'll mention a few things I think about:
1) A lot has been said from people like Clay Shirky about the horizontalizing effect of the internet. And while it's true that platforms have emerged on the internet which make horizontal coordination and communication possible, what's often glossed over is that the infrastructure of the internet itself is actually extremely hierarchical. I know this seems obvious, but it's not something that comes up in the dialog about this stuff very often. It's worth remembering that this is how things are currently structured, and that the dreams of the Clay Shirkies of the world can never be fully realized as long as that's true; especially since those in control of the infrastructure seem to be taking increasing notice of that fact.
2) It's also just more of what we've been seeing for years: the economics of "information capitalism" have created a world where data is for the most part unsellable, driving businesses towards surveillance and profiling of their users for targeted advertising as the only means of obtaining revenue. Perhaps this isn't so bad in itself, but it puts us in a dangerous position, because it means the data is there for the (very efficient) taking. This becomes a magnet for governments and attackers.
3) Security vulnerabilities have become more difficult to find and exploit. Rather than making things "secure," however, it's shifted the balance of who has access to these vulnerabilities. There are still plenty of dumb sqli bugs out there, but more and more it's shaping up to mean that those with the most money and resources will have access to the exploits, while everyone else will be vulnerable to them. Which is not the way I'd like to see it.
Hardware for the traveling hacker?
capnkr
I'd be interested to know more about the hardware and/or platform you use on a daily/regular basis to do your work/research. I would assume that with your 'itinerant' lifestyle you have had to make choices and compromises in this area. IIRC, you "temporarily bought" ;) a laptop to edit Hold Fast, but that isn't something you do on a regular basis is it? Are there any suggestions/tips/tricks about hardware or methods that you'd care to share for the traveling hacker with the above in mind?
As an aside - Thanks for all the good work and entertaining tales! :) Been using that Capt's license much lately?
I secretly hate technology, so I actually have a mostly boring setup. I just run Linux on a laptop, which I replace about every eight years. I'm pretty stubborn about making a laptop last; the one I have now has cooling problems, so every time I do a long compile I have to find an ice pack to put under it. In some small way, it probably makes me feel like my computer is accomplishing something really difficult.
Every once in a while I'll need to do something creative if my setup isn't cutting it. So yeah, it's true that I edited Hold Fast on a nice machine with a 14 day return policy. =)
These days I can't travel internationally without CBP wanting to search (or failing that, confiscate) my electronics on my return to the US. So I just don't travel with them if I'm leaving the country.
As for the captain's license, I still get out every now and then, but rarely make deliveries. There's an anarchist yacht club convergence happening in Guatemala at the end of February.
WhisperCore
dark_requiem
I really like the idea behind WhisperCore. The problem, as I see it, is that it's only available for two devices, and the Android source is updated regularly, making it difficult to keep WhisperCore up to date with the latest version of Android. Also, there are a wide variety of existing ROMs, each sporting its own array of features, but WhisperCore is the only one focusing on full-device encryption and a quality firewall interface. Given that security is becoming more critical on mobile devices, I would love to see WhisperCore's functionality integrated into every ROM. Have you given any consideration to integrating the WhisperCore project into an existing community such as CyanogenMod, or opening the source to build a community around WhisperCore? It would definitely help with making it available on more devices.
WhisperSystems was acquired by Twitter recently, so the answer to this question has changed a little for us. In general, though, we never saw WhisperCore as something that could be a pervasive aftermarket solution. We made it available on the Nexus devices with an aftermarket installer because we wanted to give something free to the security community and those devices make it easier with unlocked bootloaders. However, the bulk of our distribution efforts were spent trying to get the software through OEM channels, so that it would just appear on new devices.
CyanogenMod has done an excellent job of supporting a wide range of devices, but as you note, they are only able to do this because it's an open source project with enough volunteers to deal with all of the proprietary integration, build, and test issues. They only get access to the source after Google does public drops (that is to say, long after the rest of the industry does), and the device vagaries are endless. WhisperCore was a commercial product focused on the enterprise security market, and that market isn't particularly interested in reflashing ROMs onto their employee's phones. We were simply making it available in that form so that individuals could benefit from our work, but it wasn't our main focus. The other integration problem with CyanogenMod is that they are not a security-focused community, and have actually done a number of things to reduce the security of the platform (which is a shame, since the bar was low to begin with). So the interests of our user bases are fairly distinct, and actually in conflict on some important points.
WhisperCore - why not OSS?
nullchar
Are there business or technical reasons you do not want to open the source code for WhisperCore or any of the sub-projects like WhisperMonitor?
Same reason most enterprise software vendors' products aren't OSS, harder to sell software that way. =)
CarrierIQ
nnet
Does Whisper Monitor stop CarrierIQ as well?
Haven't tested it, but it should. That said, it doesn't come with WhisperCore, so it seems unlikely that you'd encounter it on a device with WhisperMonitor.
Thoughts on TLS-SRP as a partial solution?
WaffleMonster
Most secure sites we normally depend on require you to establish an account. Rather than sending our passwords in the "clear" over SSL as everyone is foolishly doing today couldn't part of this problem be solved using trust previously established between you and the site in the form of mutually authenticated credentials?
The best case example would be an online banking site first requiring you to physically come into the office with proper ID. There would no longer be any need for this bank to need to trust or use any third party.
TLS-SRP RFCs have already been written, SSL stacks used by all popular browsers already patched with support... obviously this does not fully eliminate the need for trusted third parties.
I think these types of approaches are interesting for things like SSH, IMAPS, and SMTPS. The way that webapps tend to be architected and deployed, however, makes this tricky.
of trust versus online consensus
DamnStupidElf
PGP provides a model for partial trust in a public key based on the trust placed in signers of that key. I think a similar model would work much better for SSL certificates than either the current forest of fully trusted root CAs or projects like Convergence because it would allow long term trust in entities instead of merely the ephemeral keys used for SSL connections while also providing offline security and the ability to separate the keys used for privacy and identification.
If I wanted to validate the hypothetically secure https://slashdot.org/ I would be happy seeing an SSL certificate signed by Geeknet's PGP key (assuming they cared enough to be in the strong set), but even happier if it was also signed by a couple certificate authorities and some other folks in the strong set. I would assign partial trust to each of the certificate authorities' root certificates and use PGP to measure the partial trust of other signatures and set a threshold for the security of any SSL site, perhaps requiring "full trust" for automatic acceptance of an SSL certificate, a warning for marginal trust, and a bigger warning for anything less.
One of the primary advantages is separation of privacy and identification; the private key for identifying an entity would only be used to sign SSL certificates, reducing the likelihood of an attacker compromising an identity certificate. Notaries, as in Convergence, would simply be entities who sign a large number of SSL certificates after verifying the owner's identity through the existing trust network. The advantage for notaries is that they would not need to keep their private keys online and would only serve signatures. SSL sites could also just include the signatures in the initial SSL/TLS exchange, shifting bandwidth costs to the entities that benefit from the signatures. Site owners could also pre-distribute new SSL keys to certificate authorities and notaries to obtain signatures similar to the way that the existing PKI works, without relying on projects like Convergence to correctly identify a legitimate key change through heuristics.
The biggest advantage is a much more robust framework for trusting the privacy and identity of web sites. The likelihood of obtaining fraudulent SSL certificates signed by enough entities to achieve full trust is much lower than the likelihood of compromising a single fully trusted root CA or tricking a Convergence-style network into trusting a fraudulent SSL certificate by DNS poisoning or other methods.
Do you think this is a workable and, if so, good idea?
The MonkeySphere project is working on something quite similar to your proposal. Personally, I always have trouble with suggestions for bringing the "web of trust" to some new context, because I never found it workable in the context it was invented for. I use PGP more consistently for email than almost anyone else I know, and the truth is that I almost never find a new key with signatures that are meaningful to me.
While there are organizations and individuals I trust, there aren't thousands of them, and probably not even hundreds of them. I think that trust agility is essential to any solution moving forward, but as I see it trust agility requires two things:
1) The trust relationship has to be initiated by the client.
2) A trust decision can be easily revised at any time.
I don't believe that using WoT style signatures meets these requirements, at least in their most obvious form. In the WoT model, if I look up a certificate, I don't have any influence over who's chosen to sign it. I'm given the signatures I'm given, and that's that. If I decide to make it work by trusting some entity that has made it a habit to sign a bunch of certificates, untrusting them becomes difficult, because maybe the entity I'd really like to trust hasn't signed as many. And if it's a matter of manually evaluating the signatures I'm given for any site I visit, that sounds pretty unpalatable to me.
All that said, this idea is not incompatible with Convergence. Just build a MonkeySphere notary backend, and it'll plug right in alongside any other notary strategies you'd like to simultaneously query from your client. I anticipate that it would give you a lot of "stand aside" votes for the foreseeable future, however.
Is everyone just re-inventing _parts_ of the WoT?
Sloppy
It seemed to me that what Perspectives notaries do, as expressed in OpenPGP-speak, is act as sophisticated Robot CA. (Is this wrong?) Is a Convergence notary "merely" a more sophisticated Robot CA, or does it provide information which couldn't be represented in a Web of Trust?
Well, I dunno, on some level I think all knowledge can be expressed as simile through any particular domain of knowledge. It's important to remember that a Convergence notary isn't bound to any particular validation technique, meaning that not all notaries will use network perspective. I prefer to think of notaries as SSL Certificate Authorities with an inverted trust relationship. They're pretty similar, but rather than the server initiating the trust relationship, it's the client. It's a subtle but powerful change.
bootstrapping -- notary trust
Onymous Coward
Do you see the matter of how users come to trust the notaries themselves as a concern? What methods do you see for assuring users that a list of notaries is in fact recommended by a given party? I see notaries distributed with the Convergence plug-in (is the distribution signed?), but doubtlessly that's not meant as a steady-state solution as it does not promote trust agility.
Have you considered notary list configuration based on "subscriptions" à la AdBlock lists. For example, if the EFF periodically published a signed "EFF Trusted Notaries" list, as one of a number of organizations doing so?
And how much is a working web of trust required for this? Do you feel there is one?
Right now installing Convergence is a leap of faith, as is true for most software. I'm being intentionally inflammatory by making a point of not distributing it over SSL, because if you're installing it, you don't have it to validate your SSL connection yet. Once you have it, however, all updates are signed.
I don't actually see pre-distributed lists of trusted notaries as anathema to trust agility, however. It's nice for a user to be able to select who they trust, but it's also essential that browser vendors can revise those defaults as well. Right now that's not the case, and it means that a browser vendor's entire user base suffers.
I would like to imagine that one day browsers will ship with Convergence support built in, and that it will come with a list of default notaries that the browser has curated. If one of those notaries starts acting in bad faith, the browser can remove them. If you as a user would like to make different trust decisions, they can do that as well.
Notary subscription lists are a good idea. You can kind of do this with the HA Notary bundles right now, but it'd be better to break them out into a meta-bundle. In any case, the bundle auto-update logic is in there, so it wouldn't be too difficult (git pull requests gladly accepted!).
Switch from Perspectives?
Burz
I'm already using the Perspectives extension (and not sure what benefit I'm getting from that)... Why should I switch from Perspectives to Convergence?
Convergence is obviously inspired by Perspectives, but slightly more generalized (not tied to network perspective), and designed to address what I felt were shortcomings in the Perspectives protocol. The biggest differences are browser integration, notary lag, and privacy.
Perspectives doesn't work for any of the CSS/JS/Image content on a page load, only the initial GET. It will suffer from notary lag since it requires notaries to regularly poll target sites. And you'll leak your entire browsing history to notaries.
Choice of name?
Alioth
Completely unrelated to your work, but the name "Moxie Marlinspike" sounds wonderful. It's obvious why you chose "Marlinspike", after all as a sailor it's an object that you may have found useful (and it's not that uncommon to have a last name that is a tool or a trade). But the first name you chose - why did you choose it? Looking around for references to Moxie the most prominent one is for one of the earliest carbonated beverages sold in the world, which doesn't sound too probable as an origin.
Apparently the etymology of the word "moxie" is thought to originate with the soda, although there is some indication that it might have been a word from a native American language that meant "dark water." I actually know another person named Moxie in the Bay Area, and someone got us a six pack of Moxie Cola to split once. I couldn't even finish one!
I'd estimate that in roughly 1/3rd of the cases where I introduce myself to someone, they ask whether Moxie is my "real name." There are a few interesting things about this to me. First, apparently we're all so used to a limited pantheon of possible names that anything outside of it must be "not real." And second, that when people say "real," it seems that what they actually mean is "legal."
What's interesting to me about the corpus of "real sounding" names is that they're mostly drawn from the bible. The name my parents put on my birth certificate is "Matthew." For as long as I can remember, however, people have called me Moxie Marlinspike. There's obviously a story there, but it's actually not that interesting. In the end, it's just what stuck. I don't switch back to Matthew, however, because it's a biblical name. I'm not that inspired by the stories from the bible, so it feels counter-intuitive for me to literally identify with them. So while many people find my name "strange," what's more bemusing to me is that many of those same people *also* don't find the stories of the bible to be the major inspiration of their lives, and yet continue to be walking endorsements for them with every handshake.
The notion of "realness as legality" is interesting to me because it seems like it should be possible for reality to extend beyond whatever is defined by law, yet this seems to be the litmus in most people's minds. If I have a name which literally everyone in my life since childhood has known me by, it seems to me that this should be the definition of "reality," not whether the government (who, by contrast, has a pretty cold and distant relationship with me as far as acquaintances go) agrees. -
Ask Hacker and Security Gadfly Moxie Marlinspike
As a security researcher, Moxie Marlinspike has played a big role in explaining what can go wrong in using Certificate Authorities to authenticate SSL traffic, an issue that's been top of mind this year thanks to compromised and faked certificates. On that front, he's lately come up with a system designed to circumvent CAs entirely, which means bypassing compromised (or invidious) authorities, rather than trying to patch the CA system. Another line of research, but not the only one, is mobile security and privacy; his Whisper Monitor Android firewall, released earlier this year, gives Android users notifications (and fine-grained permissions) when apps — including location-tracking or malware apps — want to make outbound connections. Possibly related: Moxie can also speak first-hand about what new border-search policies mean for travelers, having had his laptop and phones seized on returning to the U.S. from a trip. (And by the way, he's also an accomplished sailor and film-maker.) Moxie's agreed to answer your questions. Ask as many questions as you'd like, but please, be kind of rewind^wask don't ask unrelated questions in the same post. -
Moxie Marlinspike's Solution To the SSL CA Problem
Trevelyan writes "In his Blackhat talk on the past and future of SSL (YouTube video) Moxie Marlinspike explains the problems of SSL today, and the history of how it came to be so. He then goes on to not only propose a solution, but he's implemented it as well: Convergence. It will let you turn off all those untrustable CAs in your browser and still safely use HTTPS. It even works with self-signed certificates. You still need to trust someone, but not forever like CAs. The system has 'Notaries,' which you can ask anonymously for their view on a certificate's authenticity. You can pool Notaries for a consensus, and add/remove them at any time." -
Can We Fix SSL Certification?
Em Adespoton writes "At DEFCON this year, Moxie Marlinspike gave an excellent presentation showing how broken the current SSL certification model is and proposing a replacement. Naked Security adds to the issue, asking: does it even matter if you can trust your certificate notaries?" -
Marlinspike's Droid Firewall Kills Tracking
mask.of.sanity writes "The first dynamic Android firewall, dubbed WhisperMonitor, has been released by respected security researcher Moxie Marlinspike. The firewall will allow users to stop location-tracking apps and restrict connection attempts by applications. Marlinspike, whose company created the application, designed WhisperMonitor in response to the incidence of location tracking and malware on Android platforms. It monitors all outbound connection attempts by applications and the operating system, and asks users to permit or block any URLs and port numbers that are accessed." -
SSL and the Future of Authenticity
An anonymous reader writes "There has been a growing tide of support for replacing SSL's Certificate Authorities with an alternative authentication mechanism. Moxie Marlinspike, the security researcher who has repeatedly published attacks against SSL, has written an in-depth piece about the questions we should be asking as we move forward, and urges strong caution about adopting DNSSEC for this task." -
GoogleSharing, Now With No Trust Required
An anonymous reader writes "GoogleSharing, the popular Google anonymizing service created by well known privacy advocate and security researcher Moxie Marlinspike, has released a major new version today. The biggest change is leveraging Google's SSL search option to provide an anonymizing service which doesn't require you to trust either Google or GoogleSharing. This means that anyone who wishes to opt out of Google's data collection practices can now do so without having to trust the operator of the anonymizing service." -
Hiding From Google
penguinrecorder writes "Google offers Web users a simple trade-off: Let the search giant track a substantial portion of your comings and goings around the Web, and it will offer you a free, superior online experience. Now independent security researcher Moxie Marlinspike is making Web users a counter-offer: take Google's giveaways and keep your privacy too. On Tuesday, Marlinspike launched a service he calls GoogleSharing, a plug-in for Firefox designed to give users access to Google's online offerings while cloaking their identity from the company's data collection tools. By hosting a proxy server with a collection of Google 'identities,' the privacy software will allow users temporarily to route their traffic through another computer that masks their identity by mixing their online actions with those of other users. The system is totally transparent, with no special 'alternative' websites to visit. Your normal work flow should be exactly the same." GoogleSharing only works for those services not requiring a Google login; for the latter, no proxying is done. -
WPA-PSK Cracking As a Service
An anonymous reader writes "Moxie Marlinspike, a security researcher well known for his SSL/TLS attacks, today launched a cloud-based WPA cracking service, where for $34 you can test the security of your WPA password. The WPA Cracker Web site states: 'WPA-PSK networks are vulnerable to dictionary attacks, but running a respectable-sized dictionary over a WPA network handshake can take days or weeks. WPA Cracker gives you access to a 400CPU cluster that will run your network capture against a 135 million word dictionary created specifically for WPA passwords. While this job would take over 5 days on a contemporary dual-core PC, on our cluster it takes an average of 20 minutes.'" -
Null-Prefix SSL Certificate For PayPal Released
An anonymous reader writes "Nine weeks after Moxie Marlinspike presented at Defcon 17, null-prefix certificates that exploit the SSL certificate vulnerability are beginning to appear. Yesterday, someone posted a null-prefix certificate for www.paypal.com on the full-disclosure mailing list. In conjunction with sslsniff, this certificate can be used to intercept communication to PayPal from all clients using the Windows Crypto API, for which a patch is still not available. This includes IE, Chrome, and Safari on Windows. What's worse, because of the OCSP attack that Moxie also presented at Defcon, this certificate cannot be revoked." Update: 10/06 23:19 GMT by KD: Now it seems that PayPal has suspended Marlinspike's account. -
Null-Prefix SSL Attacks Enabled In New sslsniff
An anonymous reader writes "Moxie Marlinspike, who recently published new attacks on SSL at Defcon 17, seems to have released the new version of sslsniff which supports these attacks. While the release appears to coincide with a patch from Mozilla, every product that uses the Microsoft CryptoAPI is still vulnerable, including Internet Explorer and Outlook. The new version of sslsniff also supports built-in modes for hijacking software auto-updates that depend on SSL, and apparently includes techniques for defeating OCSP as well — making the elimination of existing null-prefix certificates difficult." -
SSLStrip Now In the Wild
An anonymous reader writes "Moxie Marlinspike, who last week presented his controversial SSL stripping attacks at Black Hat Federal, appears to have released his much-anticipated demonstration tool for performing MITM attacks against would-be SSL connections. This vulnerability has been met with everything from calls for more widespread EV certificate deployment to an even more fervent push for DNSSEC." -
The Distributed Library Project
An anonymous reader writes "Mike Benham of thoughtcrime.org has started a cool project for sharing information and building community in San Francisco. From the website: "Unfortunately, the traditional library system doesn't do much to foster community. Patrons come and go, but there is very little opportunity to establish relationships with people or groups of people. In fact, if you try to talk with someone holding a book you like - you'll probably get shushed. The Distributed Library Project works in exactly the opposite way, where the very function of the library depends on interaction." It looks like the software is now available for other cities." -
Open Letter to the Emulation Community
Panix has written in with an open letter to the Emulation community where he addresses the recent rise and fall of the UltraHLE- the N64 emulator, ROM piracy, and the real reason for console emulators. Click below to read what he has to say. The following was written by Slashdot Reader Panix
This is an open letter to the emulation scene, and to the authors of UltraHLE.
I have been an emulation fan for years, ever since I downloaded the first version of VSMC years ago. That version of VSMC did not run a single game, in fact I don't even think that it displayed graphics. But, it still fascinated me, and many others like me. I remember reading hundreds of technical documents relating to emulation, specifically of the SNES, a brand new system at the time. The emulation world was exciting, even though commercial games were not the focus. In the past few years, hordes of people have hit the emulation scene and have equated it with the warez scene. A few days ago, with the release and discontinuation of UltraHLE, this reality has come to a head.
I respect the authors of UltraHLE, but I would like to address this open letter to them and to any other true members of the emulation scene, who are simply amazed by the technical prowess of UltraHLE. At the release of UltraHLE, I was extremely excited for the community. With bleem, Connectix's Virtual Game Station, and UltraHLE all ready for release, the scene finds itself at a defining point. The events that occur now will shape the future of emulation.
Then it hit. Many outsiders, mostly "31337 warez h4x0rs", discovered UltraHLE and the frenzy began. No matter where I went, I saw requests for ROMs. At one point, I had to leave EFNet's #emu out of disgust. What ever happened to the true emulation scene and the days of Archaic Ruins, Node 99, VSMC, and technical interest in emulation? Simply put, with the world watching, we all ran and hid.
The first people to hide were the true members of the emulation scene. We easily could have prevented this from the very start by not giving away our own personal ROMs, not posting ROM sites, and kicking every person from our IRC channels that we could. The maintainers of popular emulation sites could have removed all links to ROMs, and posted the true point of emulation. But, instead we just bitched. That's all, we just complained about how lame the warezers were, and otherwise kept quiet. What is the result of this? The rest of the world looked at the scene and didn't see us, didn't hear us, and saw one thing and one thing only: piracy. I am very disappointed in myself and the scene.
Following this, the authors of emulators began to get scared. At a pivotal point in the history of emulation, the very founders got scared! With Sony suing Connectix, the potential for legal action, and the explosion of warez foolishness, the authors got frustrated. But, what did they do? Several of them just quit, further tarnishing the public view of the emulation scene, at the most important time in emulation history. To those authors that discontinued their emulators: I am ashamed.
Now, this is specifically to the authors of UltraHLE. Congratulations, you have created the best emulator of all time. Oh, and by the way, thank you for destroying the scene. Don't get me wrong, I hold the highest respect for your technical abilities, and as a coder myself, I am aware of the daunting task that you had ahead of you. But, please, your arguments for discontinuing your emulator are weaker than any that I have ever heard. Let us analyze your argument:
"The UltraHLE project was a technical demo, an experiment to see if N64 emulation really is possible and an attempt to advance the state of the art in emulation. It was not designed to be a tool for piracy."
No emulator is designed as a tool for piracy! In fact, nearly every emulation author gives their emulator away for free, simply because they are only interested in the technical side of emulation. If you had stated this days in advance before releasing your emulator, then maybe some of this could have been avoided.
"Once it was released, things moved at an unforeseen pace. In a matter of hours, the main interest for people became acquiring illegal copies of game ROMs. This was why the pages were put down in a matter of hours."
If you did not expect this hysteria, then I doubt that you thought over what you were doing when you were writing the emulator. In fact, if you thought that there would not be warez pups fighting and pleading for ROMs, then you must be naïve. This is not an excuse! On top of this, you only kept the site up for a matter of 4 hours. I can guarantee that the hysteria would die down in under a month. If you would have stood up for the emulator, and for the scene, then you may have actually helped the community, instead, you have damaged it nearly irreparably.
"We do not condone this use of illegal ROMs in any form and do not allow our emulator to be used in this way. As we cannot effectively stop people from using this product in wrong and illegal ways, we have no choice but to discontinue the project."
This is the crescendo of your argument, and it is essentially like a software engineer saying the following: "I am going to stop coding anything at all, because people are going to pirate it." OF COURSE THEY ARE. There are millions of idiots in this world, it is unavoidable, but that does not mean that you can use them as a crutch, and it does not mean that any idiots are a part of the scene. With this statement, all you have done is admitted publicly to the rest of the world that no one in the emulation scene cares about the technical element, which is simply not true. As an ambassador to the world for the emulation scene, you pointed at us and made us look like fools. Thanks a bunch. Now the world thinks that we are warezing anarchist teenagers and that emulation is illegal. Evidence of this is Nintendo's comment on UltraHLE.
In conclusion, I would like to reinstate that I have the utmost respect for the technical abilities of the UltraHLE authors, and I am not trying to attack them. I understand that it all happened so quickly, but that does not mean that there were not 3 months to prepare before you released the emulator. At this point, I wish you hadn't released it at all.
There is only one way to mend the damage that has been done. And it is twofold. First, the emulation scene needs to gather together to get rid of the warez pups. Simply put: don't give out ROMs, don't post ROMs, don't post links to ROMs, deny that UltraHLE ever existed, and explain the technical beauty of emulation. Secondly, the authors of UltraHLE must release the source code of their emulator, release technical papers on how they did it, how it works, and why it was created. This would be for the benefit of the community, and would show the world what we are really about.
With hope,
Jonathan LaCour Panix on EFNet
panix@resnet.gatech.edu -
HP and SGI Boost Linux
Panix writes "Good news today from HP and SGI. Both have announced that they plan to offer Linux as one of their "core" operating systems. HP even stated that it would develop a special version of Linux for Merced!" It's crazy- 2 companies once known for their OSs have chosen another.