Slashdot Mirror

Longhorn will be the first release of Windows authored completely after Microsoft began their Trusted Computing Initiative and released .NET. Longhorn will reimplement and convert major Windows subsystems to managed code.

This really starts to get boring. I have already written about it countless times only to get completely ignored every time I dare to point out that the emperor is naked.

I find it truly amusing that people who say that there are other advantages than only Digital Restrictions Management of using "trusted" computing and Palladium-like platforms usually talk with great enthusiasm and excitement about the new and innovative security features that have already been implemented in the 1970s for crying out loud, only better and with no strings attached. All TCPA zealots are usually completely ignorant of the existance of such operating systems as KeyKOS or EROS with formal proofs of correctness for God's sake and without all of the silliness of "trusted" computing.

And no, this is not only my opinion that we don't need DRM to get security. I am not the only one who says that everything that TCPA can possibly do to security can also be done in software, with the only exception of DRM, and in fact it has already been done, decades ago. I am not really surprised at all why it is completely ignored by the TCPA and TCI pushing industry. I am only outraged that there are so many naïve people who once again will gladly do anything no matter how dumb it is, if only their good uncle Bill Gates says that it's good for them.

Please, people, if you want to learn about real systems security, then read some old papers by Jerome Saltzer, Michael Schroeder, Norman Hardy and Jonathan Shapiro. If you want to learn about cryptography, read texts by Bruce Schneier. Microsoft is not a reliable source of knowledge in that field.

People always ask me where are the real innovations in systems security and I always say them that they are in the seventies, and have been being ingnored since then by major software vendors because people don't demand using them. This story and this thread is a great example: "Yeah, this version of Windows may suck, but still I am looking forward to buy the next one."

This will dramatically lessen the exploitation potential of code flaws in the Windows application libraries. Microsoft has to maintain support for legacy application, but that doesn't mean they can't get a fresh start on the underlying code, and doesn't mean that existing Microsoft applications can't be converted to managed code as well.

Wait, I've already heard it... In 1995, 1998, 2000, 2003... Oh, you mean that this time they really mean it?

When the first programs run, it is just a matter of time before there is a functional L4 port of Debian GNU/Hurd (or just Debian GNU?). I really like the design of the Hurd, but what I'd like to see the most are not the "POSIX capabilities" but the real capabilities as described in the 1975 paper by Jerome Saltzer and Michael Schroeder, The Protection of Information in Computer Systems. (For those who don't know what am I talking about, I recommend starting from the excellent essay What is a Capability, Anyway? by Jonathan Shapiro, and then reading the capability theory essays by Norman Hardy. As a sidenone I might add that I find it amusing that people who say that there are other advantages than only Digital Restrictions Management of using TCPA/Palladium-like platforms usually quote security features, which have already been implemented in the 1970s, only better and with no strings attached. Those TCPA zealots are usually completely ignorant of the existance of such operating systems as KeyKOS or EROS with formal proofs of correctness without all of the silliness.) Are there any plans to have a real capability-based security model available in the Hurd?

Martin Seligman has done some research that seems to match the OP's description.

LanguageLog is a resource linked in the article, where linguists discuss current peculiarities of the English language.

This is misleading in suggesting that LanguageLog is limited to English. Actually, it deals with all sorts of linguistic topics and languages.

LanguageLog is a resource linked in the article, where linguists discuss current peculiarities of the English language.

This is misleading in suggesting that LanguageLog is limited to English. Actually, it deals with all sorts of linguistic topics and languages.

I, for one, welcome our new linguistic overlords.

Still, you can't block every hole in security. Sometimes you just have to hope, right?

Yes, you can. No you don't. Software is just an applied form of discrete mathematics. "Beware of bugs in the above code; I have only proved it correct, not tried it," as Donald Knuth once said. It is possible to present a formal proof of correctness for any algorithm. It is nearly impossible and certainly impractical when you have a big mess of spaghetti code like with most of software that is utter crap, but it is possible nonetheless when you know what are you doing and design appropriately, with very clean, small and isolated parts of your system responsible for enforcing its security policies. Take a look at such operating systems as KeyKOS and EROS. E.g. read Verifying Operating System Security paper by J. S. Shapiro and S. Weber: "This paper presents a proof of correctness of the EROS operating system architecture with respect to confinement." Read some essays by Norman Hardy, especially those on Capability Theory. This is hardly a new idea, see GNOSIS: A Prototype Operating System for the 1990s paper by Bill Frantz, Norm Hardy, Jay Jonekait and Charlie Landau, written more than 25 years ago. The bottom line is: it is certainly possible to have a 100% secure system, but developers don't bother because users don't care.

Still, you can't block every hole in security. Sometimes you just have to hope, right?

Yes, you can. No you don't. Software is just an applied form of discrete mathematics. "Beware of bugs in the above code; I have only proved it correct, not tried it," as Donald Knuth once said. It is possible to present a formal proof of correctness for any algorithm. It is nearly impossible and certainly impractical when you have a big mess of spaghetti code like with most of software that is utter crap, but it is possible nonetheless when you know what are you doing and design appropriately, with very clean, small and isolated parts of your system responsible for enforcing its security policies. Take a look at such operating systems as KeyKOS and EROS. E.g. read Verifying Operating System Security paper by J. S. Shapiro and S. Weber: "This paper presents a proof of correctness of the EROS operating system architecture with respect to confinement." Read some essays by Norman Hardy, especially those on Capability Theory. This is hardly a new idea, see GNOSIS: A Prototype Operating System for the 1990s paper by Bill Frantz, Norm Hardy, Jay Jonekait and Charlie Landau, written more than 25 years ago. The bottom line is: it is certainly possible to have a 100% secure system, but developers don't bother because users don't care.

And from the actual paper: "Between 1980 and 2001, the percentage of Fortune 100 top executives with Ivy League undergraduate degrees fell by four points (to nearly 30%) while the proportion from public schools increased by 16 points (to 50%)." The paper then goes on to say that this effect may be because there are more people graduating from state schools than ivy league schools (Harvard continues to graduate approximately 1600 kids ech year).

As someone who graduated Harvard recently, I can tell you my hypothesis as to what the difference is. When most of my peers graduated they either went on to become consultants (a nice pay-check + world travel), graduate school (both professional and academic), or investment bankers (really nice pay-check). A few became newspaper reporters, governmental employees, or started working at a large publicly traded corporation, but these things were not the norm.

Also, though there are some rich (and very rich) kids at Harvard, there are also poor and middle class kids from public schools. Harvard's financial aid is good that you can afford to go if you are admitted. They even give you money to buy winter clothes if you can't afford them. But it's so much fun to stereotype, isn't it?

"Many people in computer science lament that there aren't more women involved in research. Some people say they think it's because girls don't like computer science. I think they're wrong. I think it's because girls don't like the boys in computer science."

Lately I've been using Unison to back up to my ipod: http://www.cis.upenn.edu/~bcpierce/unison/ It's cross-platform and works on mounted file systems as well as ssh. Also if I add documents on my ipod, changes are made to the source (if I say so). All in all, it's a great little (free) tool.

How about Minuets I and II in D minor from the French Suite #1?

You'd be wanting Unison then: http://www.cis.upenn.edu/~bcpierce/unison/

There's Win/Lin/Mac client's, both graphical and console... lovely little app :)

Try Unison.

According to http://www.cis.upenn.edu/departmental/faculty/ the CIS faculty of Penn Uni has a faculty member named Assoc. Prof. Matthew Blaze.

relianceindiacall.com works well for calls to india.

more on call card review at
-- http://www.seas.upenn.edu/~gauravch/

I would say that the meaning of "copy" as a synonym of "manuscript" is archaic in the sense that it is now used only within one limited context, that of journalism. Outside of this discipline, many or most people may not even be aware of this additional meaning of the word.

For a quick justification, see www.dictionary.com:

copyright
The legal right granted to an author, composer, playwright, publisher, or distributor to exclusive publication, production, sale, or distribution of a literary, musical, dramatic, or artistic work.

Note that this definition refers to distribution, not the making of copies.

For a longer treatise on this subject, including the misinterpretation of the original meaning of "copy", see Taking the Copy Out of Copyright, by Miller and Feigenbaum.

Along the same lines, there is a remarkable amount of drug abuse in universities by whose who would like an advantage over their peers. Beside the joke that grad students use more meth than bikers, the ADD/ADHD (Adderall, Ritalin) drugs are gaining in popularity as they help with concentration and fatigue:

• Adderall is still first and foremost used as a study drug because of its ability to enhance concentration and the ability to focus for long periods of time. http://www.vpul.upenn.edu/ohe/library/drugs/addera ll.htm
• Elizabeth, 17, a high-school senior in the Washington area, credits Adderall with helping her post her best-ever score on the March SAT. "Why work harder to get a 1260 when you can take something . . . ?" Wall Street Journal. (Eastern edition). New York, N.Y.: Nov 8, 2004. pg. A.1

Indeed.

It may just be me who can't spot it in the list, but where is using BitTorrent to distribute the latest ISO images for Linux installs?

There's an entry for "Linux Distributions" on his UPenn SNIU page under the "Other SNIU" section, roughly 2/3 of the way down. Currently lists Debian, Gentoo, and Others. Certainly the list could be extended, but there is an entry for torrents of Linux distros.

For me, this is my primary use of torrents/P2P. I've found it much easier to get first-day Linux releases via torrents than the previous madhouse of hammering the living daylights out of a handful of overloaded ftp/http mirror sites.

For distros that have been out for a while, I found my P2P mileage varied - sometimes ftp/http sites provided faster downloads. But it's been good enough often enough that I'll try a torrent first if one exists.

Or perhaps it means that the Postmaster General is a brooding and dashingly mysterious rake who keeps an insane Condoleeza Rice chained up in his attic.

A bit of common sense here - 9 *years* for hacking. That is higher than the average federal sentence for murder http://www.law.upenn.edu/fac/phrobins/OxfordDeterr enceAppendix.pdf although lower than the average state one.

http://ccat.sas.upenn.edu/jod/texts/aristotle.soul .html

• R, including several add-on packages (such as tseries, RODBC, coda, mcmcpack, gtkdevice, rgtk, rquantlib, qtl, dbi, rmysql), out-of-the box support for the powerful ESS modes for XEmacs as well as the Ggobi visualisation program;
• A complete teTeX, TeX, and LaTeX setup for scientific publishing, along with TeXmacs and LyX for wysiwyg editing;
• Perl and Python with loads of add-ons, plus ruby, tcl, Lua, and Scientific and Numeric Python;
• The Emacs and Vim editors, as well as Gnumeric, kate, Koffice, jed, joe, nedit and zile;
• Octave, with add-on packages octave-forge, octave-sp, octave-epstk, and matwrap;
• Computer-algebra systems Maxima, Pari/GP, GAP, GiNaC and YaCaS;
• the QuantLib quantitative finance library including its Python interface;
• GSL, the Gnu Scientific Library (GSL) including example binaries;
• The GNU compiler suite comprising gcc, g77, g++ compilers;
• the OpenDX, Plotmtv, and Mayavi data visualisation systems;
• it includes apcalc,aribas,autoclass,

Free tech books
Large collection of free online books at UPenn (not just tech)

Glossaries like these have their uses, and I sometimes use them myself when I'm reading something and don't know a word, but good dictionaries go way beyond these. To begin with, you often can't adequately translate a word from one language with a single word from another language. It often takes at least a phrase, and sometimes there isn't any straightforwad translation and a fairly elaborate explanation is necessary. Furthermore, especially if you're going into the language you don't know well, it is often necessary to have information about the grammar of the word in order to be able to use it properly. What case does the object of a verb have to be? Which conjugation does a verb belong to?

The other major limitation of simple glossaries like these is that they don't work very well for languages with complex word-formation where the citation form is not easily obtained from the inflected forms. For instance, in English it isn't a big deal to look up a plural noun because in almost all cases you just remove s or es, so someone who reads, e.g. trapezoids doesn't need to know very much in order to guess that it is a form of trapezoid and look it up under trapezoid. However, there are languages in which words have hundreds or thousands of forms and in which it is quite difficult to figure out what to look a word up under. Creating dictionaries for such languages that can be used by inexpert users is a long-standing problem for which electronic dictionaries offer a solution, but such dictionaries won't be simple glossaries; they will be databases with morphological analyzers as front ends. I've got a paper about this problem in Athabaskan languages here.

http://itre.cis.upenn.edu/~myl/languagelog/archive s/000405.html

Check out Unison File Synchronizer.

It's bi-directional file/directory synchronizer, works over just ssh, cross-platform, very fast.

Extremely useful when you need to keep, say, home and university accounts in sync, or do remote backups.

rsync would do it, but Unison will do it better. Like rsync, it can run over SSH and will only copy changed files. Unlike rsync, it will get you two-way synchronization, so you can change one file on one end and another file on the ohter end, and both locations will up updated with the changes. It's also available for *nix, OS X, and Windows, and can sync files across all platforms.

Which reminds me, I haven't synced up my laptop yet today...

Whatever you use make sure to drop unison on your USB key.

Unsion can be found at http://www.cis.upenn.edu/~bcpierce/unison/

From the Web page: "Unison is a file-synchronization tool for Unix and Windows. It allows two replicas of a collection of files and directories to be stored on different hosts (or different disks on the same host), modified separately, and then brought up to date by propagating the changes in each replica to the other."

Seems like the parent post was correct -- this may come in handy on my newly-aquired USB drive.

This page specifies, among other information, the copyright terms in various countries. In some cases, the "life of author+70 years" term was adopted in a retroactive manner, and supposedly this meant that copyrights were restored on public domain works. In Mexico, copyright is for the author's life+100 years! For copyrights in Cote d'Ivoire, the term is usually life + 99 years.

Also unison, which is a great app.

I had a "types and programming languages" (graduate level) course at UPenn that made heavy use of OCaml. Though I can't imagine voluntarily going through that material, the resources page gives a good general background including OCaml references. The homework page provides some OCaml programming examples. The solutions seem to have been pulled, but I imagine they are still easily found on archive.org (which is not responding for me right now to check) or via google.

I had a "types and programming languages" (graduate level) course at UPenn that made heavy use of OCaml. Though I can't imagine voluntarily going through that material, the resources page gives a good general background including OCaml references. The homework page provides some OCaml programming examples. The solutions seem to have been pulled, but I imagine they are still easily found on archive.org (which is not responding for me right now to check) or via google.

As a medical student myself, I am selfishly glad that the ACGME has adopted an 80 hour week recommendation, as there seems to be evidence that shifts of even 12+ hours are detrimental to patient care. (Note that the link is for nursing. Current recommendations for medical residents have a 30-hour-straight limit).

On the other hand, you are entirely correct that certain specialty residency programs have been having trouble meeting the 80 hour guideline. Indeed, residents feel pressured to lie about work hours, since their program losing accredidation would hurt their own prospects as well.

Finally, please note that even 80 hour recommendations have officially been extended to 88 hours for some programs, such as many neurosurgery residencies. Imagine if your boss explicitly told a theoretical programming/IT governing body that 80 hours a week, averaged over 4 weeks, simply wasn't enough time. I hope this gives pause to those who love to complain about long hours spent programming.

my NES Contra Strategy Guide at this time. Yes, the site's kinda ugly, but I think it's informative.

So long as the files you generate are plain audio files and don't need fancy stuff like playlists, you can ensure that the WAV files you distribute don't contain any metadata by running them through one of the programs available that strip fancy WAV files down to "canonical" format. Here's a shareware program for MS Windows, and here is C source for one for GNU/Linux. These all work by eliminating everything other than the header, the format chunk, and the data chunk. These programs exist because there is a lot of software that doesn't know how to parse full WAV files. Of course, this won't eliminate "metadata" embedded in the audio data.

We know we're not smart, no one is. However, some are smarter. I actually believe conservatism such as the kind we are experiencing in America is an illness and if it continues to grip the country we'll be ruined.

Interesting that you bring up Ockam's razor. Which is the simpler theory? That billions of highly unlikely events with a beginning event that came from "nothing" produced the world or that a eternal omnipotent God created it all.

Actually, it's not "billions of highly unlikely events." You should read this, either the SciAm article he wrote, or better yet, the paper he links to. I don't agree with the second two levels but that's besides the point here.

Omnipotence is not simple at all. It seems simple to you because you can use a single word to say it. Yet it turns out that when one tries to define it, paradoxes come up (the well known "can God create a stone that he can't lift" may seem trivial but is really a deep problem for the concept of omnipotence). More important, by claiming God did it, you are delegating responsibility for explaining why he created a given universe as opposed to any other out of an infinity of possibilities. How is it chosen? The complexity in that question is not an iota less in the complexities you see in naturalistic explanations (and that are explained away by Tegmark, although that's just one possible explanation and I only buy the first two parts of it).

http://www.cis.upenn.edu/~sequence/ http://graphics.cs.brown.edu/research/telei/home.h tml

And Internet2 has this type of technology as one of its goals. See http://www-pagines.fib.upc.es/~si/treballs-SI2001/ e4024048/Tele-immersion.htm

Would Unisonbe any help to you?

(To paraphrase John Sarfan)

Often when I talk about my travels to America to my Australian friends they always tell me how stupid Americans are, and how uninformed they are about world events, and how they don't care about anything but what happens within their own country.

Point to Zaire on this map.... Go on you smug fuck, you have 10 seconds.

If you couldn't point to Zaire on that map, your an idiot.

If you did point to Zaire on that map your an idiot too.

Zaire became the Democratic Republic of the Congo in 1997, and I hope you didn't point to the Republic of the Congo, because thats a completely different country.

Wheres all this going?

Since 1998 up to three million people have been killed in the Democratic Republic of the Congo.

So whilst you've been sitting back on a smug platform of loving and caring for the world unlike those terrible Americans it turns out three million people have died and you don't even know where.
(End paraphrase)

Laugh, its funny.

That kind of phonetic reinterpretation is what the Language Log guys are trying to get people to call an eggcorn.

If you don't read Language Log, you should, BTW.

If you don't plan to move your window between different machines, there is another solution at a lower layer: e.g. transport layer of the network stack. Find an appropriate network mobility solution, then you are all set. For example, I use DHARMA (http://dharma.cis.upenn.edu/). I ssh into a box, use X11 forwarding to start an X application on my laptop at home, then I suspend my laptop, bring it to my office, resume the laptop, and after the laptop is reconnected, all my X11 applications are still alive. This is especially convenient when a server doesn't have VNC installed and you are not the root, or you have a very crappy wireless condition, coming up and down all the time.

Take part in the ICFP programming contest. It's exactly about that. And the time you have there is 72 hours.

To summarize: the traditional access controls are designed to protect users from each other. This is not enough.

What you need is a capability based system. And by capabilities I don't mean POSIX "capabilities" but the real ones. This is hardly a new idea. Read some papers by Norman Hardy. Start from Capability Theory by Sound Bytes and read the referenced articles until you start getting the idea. Then read about GNOSIS: A Prototype Operating System for the 1990s, a 1979 paper by Bill Frantz, Norman Hardy, Jay Jonekait and Charlie Landau. Then read about KeyKOS, a persistent, pure capability operating system. Then read about EROS: The Extremely Reliable Operating System. I think it will be enough for a good start. As you see all of those problems we discuss today in this article have already been solved in the '70s or '80s at worst. But those who don't know the history are doomed to repeat it.

To summarize: the traditional access controls are designed to protect users from each other. This is not enough.

What you need is a capability based system. And by capabilities I don't mean POSIX "capabilities" but the real ones. This is hardly a new idea. Read some papers by Norman Hardy. Start from Capability Theory by Sound Bytes and read the referenced articles until you start getting the idea. Then read about GNOSIS: A Prototype Operating System for the 1990s, a 1979 paper by Bill Frantz, Norman Hardy, Jay Jonekait and Charlie Landau. Then read about KeyKOS, a persistent, pure capability operating system. Then read about EROS: The Extremely Reliable Operating System. I think it will be enough for a good start. As you see all of those problems we discuss today in this article have already been solved in the '70s or '80s at worst. But those who don't know the history are doomed to repeat it.

This was analyzed in a Language Log post by Mark Liberman. Conclusion: very easily Bush was trying to control the flow of the debate, and more specifically, Bush was probably talking to Lehrer because it might have seemed like he was done.

That appears to be an entry from the Amber Dictionary whatever that is... a dictionary about some fantasy book.

Comparing every aspect of computing and networking to biology is not any less fallacious than trying to understand how does a car work looking at it like it was a biological organism. Real life has evolved randomly together with virii and parasites but all of the software including any kind of malware was intelligently designed. The most common misconception resulting from such a reasoning is that computer malware will always be relatively harmless because killing the victim is not smart from any parasite's point of view. Wrong. A deadly worm quickly spreading and erasing all of the data an hour later would not survive so long as Code Red, but it doesn't have to survive in the first place if that is not important for its creator. Survival is not important because software doesn't have to live long enough to evolve. It is designed and created manually and then released. It can be written for months or years and then live only few hours if that is the purpose of writing it. I think that assessing the spreading patterns of Internet malware like those of human epidemics might be very interesting but there is a hidden fallacious reasoning that comparing the virii themselves to human diseases will somehow help fighting them which leads to concentrating on spectacular effects instead of boring causes of the problem. The problems are buffer overflows which can be completely eliminated, running code from untrusted sources, etc. It has nothing to do with literally anything known in the real world any more than proving a theorem does. Another thing is comparing Internet to a population and fighting malware in the context of epidemics. This is foolish. In reality, there is a user with a computer and her data. She can lose her data or some of her secrets may become public and in that case she won't say "that's OK because this epidemic disease is contained and the population of computer users will survive" because if she loses her work she doesn't care about other computers. When she gets broken into she shouldn't think "I am sure my system will keep working because killing it would be disadvantageous from the evolutionary standpoint for the software" becuase the ultimate reason of the attack is not just the existence itself. The reason may be getting user's credit card number or performing a DDoS attack. The reason may be causing panic by deleting everything. The reason may be anything. And the problem is not millions years of evolution side by side with parasites but using "gets" instead of "fgets." It's not that we don't know how does the malware work or that we cannot write secure code. Look at KeyKOS or EROS. Look at OpenBSD. Look at Debian. Do we have any "epidemics" there to contain and to fight? No. Such studies are interesting but only because observing symptoms and effects is interesting. If we really want to stop malware we should start from reading the source code of EROS instead of analysing global patterns in problems with Windows. Please read this paper from 1979: GNOSIS: A Prototype Operating System for the 1990s. The problem is that we have 2004 and still the most popular operating system completely ignore the solutions from the 1970s.

Not only that, some even claims that language is human's nature and part of human evolution. The motive was that humans are social cretures. Check here for a short tutorial on "Origins of Language"