Slashdot Mirror


Slashback: Toner, Zimmerman, Languages

A few words from HP on the Linux-based but Linux-unfriendly print server (read gently, and be thankful for small blessings); happy news from the "the NSA secretly controls PGP and its creator" front; more detail on the sordid, awful things that the MPAA used to say about VCRs, and an online Linux magazine for those who like to read in 5 languages at once. (phew!)

Sheesh! All the guy ever promised was pretty good security! :) zenith744 writes: "Now available here is PGP v6.5.8, which apparently "...corrects a security-related bug with Additional Decryption Keys (ADKs) that may allow sophisticated attackers to add unauthorized ADK key IDs to the unhashed areas of PGP public keys...". This bug was previously brought to light about a week ago and reported on Slashdot. A little more security, a little less stress. A happily balanced equation."

And an unnamed reader points to a story on Network Fusion about Zimmermann's response to the hubbub. Paraphrased: "It was a bug. We're embarrassed about it. Now it's fixed." In an imperfect world, you gotta admit that PGP is one of the bright spots.

It's always "wait a minute," isn't it? Tjisana M. Lewis, Product Manager, Emerging Products World-wide Business Management at Hewlett Packard (and who hopefully doesn't have many middle names to remember) wrote in response to the article on Slashdot recently about HP's new print server which runs Linux internally but does not support LPD client printing: "I've read some of the responses and (understandably) there is much speculation on WHY we did not support LPD client printing in the product's first release." She sent the following response, which strongly hints at better Linux support in the future for this product.

"The JetDirect 4000 Print Appliance can send print jobs to any LPD enabled destination whether such destination is a Linux box, JetDirect print server, or any other vendor's print server. Currently the JetDirect 4000 does not receive LPD print jobs, however in a few months, this [and other features] will be available in a free firmware upgrade.

As a vendor with a Linux based product, HP is extremely committed to supporting the Open Source community. We support developers in the Samba team including Jeremy Allison and Andrew Tridgell by contracting with both VA Linux and Linuxcare to develop features for the print appliance. These features are part of the Samba project and will be available to everyone under the GPL. An example is NT Printing functionality that will enable the use of native NT tools and features such as "point and print." Point and print enables automatic downloading of a print driver to a Windows client when the client adds a printer.

Furthermore, HP, in working with SAMBA, adds testing resources during the development process of the release thereby increasing the final quality of the release."

Care for some salt with your wound, Mr. Valenti? Master of Kode Fu writes: "The New York Times has an article quoting MPAA President Jack Valenti saying this: "[it] is to the American film producer and the American public as the Boston Strangler is to the woman alone." He wasn't talking about DeCSS, Napster, Scour, FreeNet or Gnutella -- he said it in 1982 and he was talking about VCRs. He didn't see that VCRs would eventually become as important an income stream for films as box-office sales. Will the MPAA (and similarly, the RIAA) learn from historical precedent, or is file sharing over the 'Net a completely different case with different circumstances?"

Isn't it funny how the fight to prevent consumer taping went away when the companies involved realized that what VCRs really represented was a whole new way to make money? Hmmm. Extend, project, extrapolate ... I smell money here, too. Don't they?

Contribute to the death of excuses! The excuses not to at least try Free software keep dwindling, and it's nicer than strangling dodo birds. Remember when "But there aren't any books!" was a valid complaint about Linux? How about "I can hire MCSEs and know they have at least some knowledge of the systems they purport to administrate -- but there aren't Linux equivalents!"? That one's gone too, for better or for worse. And now, if your boss (or spouse) grouses that there aren't any free, multilingual Linux journals online, not only do you know their excuse barrel is near empty, but you can point them to ... well, let Atif Ghaffar explain:

"LinuxFocus (LF) is a multilingual magazine about the operating system Linux.

LF is managed and produced by Linux volunteers, fans and developers. There is no subscription necessary to read LF, it is freely available on the web with mirrors all over the world.

LF is published almost every two months. The master website for LinuxFocus is at http://www.linuxfocus.org

Articles this month include pieces on Rebol, a presentation application for X Window, distro reviews, a book review and more. Get it while it's Free!

21 of 56 comments

  1. Re:You smell money in DeCSS? by Wakko+Warner · · Score: 2
    Let someone write a DVD player for Linux so I can start buying DVDs.


    There already are a couple of closed-source DVD players for Linux. This argument doesn't really hold water (and, actually, DeCSS has probably hurt DVD for Linux more than it's helped it.)


    - A.P.
    --


    "One World, one Web, one Program" - Microsoft promotional ad

    --
    "Remember when the U.S. had a drug problem, and then we declared a War On Drugs, and now you can't buy drugs anymore?"
  2. Re:At the same time, excuses are piling up. by Nicolas+MONNET · · Score: 2

    What has ALWAYS boggled me is all those shareware authors expecting to be paid for totally useless crap ... ok I would want to pay for something really useful or something really fun, especially if it's only a few bucks ... but when I was a mac user I found that shareware that allowed you to drag your windows transparently. Completely useless, extremely slow (esp. at the time), utterly crash prone, and with an obnoxious alert box at every startup to remind you of paying ... 10 bucks, that's it, for a complete piece of shit. This kind of program has a hack value, but the value is to its author. That's it.

  3. NSA sabotage. by AftanGustur · · Score: 2

    Now think about this: "what do you think the NSA is doing with your tax money?", playing solitaire on Windows?

    It's definitely in their interest if they can crack the communications they intercept. And what nicer way than to have "bugs" introduced in crypto products exported from the US?

    Bruce Schneier reported last year that the NSA was walking door-to-door trying to introduce backdoors into crypto products, that would then be eligible for export.


    --
    Why pay for drugs when you can get Linux for free ?

    --
    echo '[q]sa[ln0=aln80~Psnlbx]16isb572CCB9AE9DB03273snlbxq' |dc
  4. Re:Think Twice before installing PGP 6.5.8 by ChadN · · Score: 2

    If the bad guys had hashed the password with MD5 the police would have been able to crack it much quicker.

    Why is this? Clearly searching by brute force, using the assumption of a low-entropy password (ie. ascii characters, and dictionary words) would be quicker than a brute force MD5 match (ie. finding a key that hashes to the same value as the original key). To my knowledge, MD5 has never been shown to be a weak hash (ie. it has appropriate collision properties, and while 128 bits is not as great as SHA-160, it should be more than adequate for protecting simple passphrases)

    Do you remember where this "Article" is, or any other details?

    --
    "It's overkill, of course. But you can never have too much overkill." - Anonymous Slashdot Coward
  5. Re:If you *bought* PGP, you're screwed by iCEBaLM · · Score: 2

    I'd say it's time to start using GNUPG.

    -- iCEBaLM

  6. Re:Xerox by GreyLurk · · Score: 2

    Did anyone else notice that the JetDirect box was actually to translate an SMB printing connection into an LPD printing connection to allow simple Windows printing on printers which only had LPD support?

    Admittedly, it is nice to have all your printing going into the same queue, so that Unix Print jobs don't ignore prioritization, but that's not what their JetDirect box seemed to be intended for. It looks like more of a small business plug and play SMB->LPD translator.

    Adam (Who uses SaMBa printing to an NT server and is quite happy with it)

  7. Re:At the same time, excuses are piling up. by Hard_Code · · Score: 2

    Well, I decided that I would finally get my stuff together and build my own system (yeah, like how hard is that?). So I read review after review on motherboards, cpus, video cards, etc. I got an AMD K6-III 400, an Asus P5a, Creative sound and video card, and cdrom, and standard 3Com NIC and modem. I decided I'd give Windows 2000 a spin because I use NT at the office, and wanted to be one of the ones on the block experimenting with Windows 2000. Well, I don't know if it is my hardware, but that Windows 2000 box is an unstable piece of shit. Totally unstable. Getting it installed was a nightmare...had to do it twice because of some goddamn BIOS option that was causing Windows to lock up on boot. I have a big honking fan over the cpu but the machine seems to still randomly reboot. My cdrom drive broke just a day or so ago and the damn machine rebooted in the middle of my writing an email to get it replaced. I get blue screens frequently. Games won't install (but stupidly if copied from another windows 95 machine, work just fine).

    Moral of the story: if you are installing a windows product either make damn sure all your hardware is on the compatibility list, and then hold your breath, or pay premium and buy retail and hope you're not saddled with low quality components.

    --

    It's 10 PM. Do you know if you're un-American?
  8. What HP has to say by dbarclay10 · · Score: 2

    What HP really has to say is: Stop whining, we're putting a lot of good work into the SAMBA project, so accept that. You're right, we didn't want to spend millions of dollars re-training our support staff, when 90% of Linux installations have a knowledgeable tech either on hand or a phone call away, who will probably get your Linux machine to work with our appliance. Thanks everyone for Linux, though. We hope the next version of SAMBA makes your lives a bit easier.

    --

    Barclay family motto:
    Aut agere aut mori.
    (Either action or death.)
    1. Re:What HP has to say by ictatha · · Score: 2

      Close, but you seem to have missed a big part of the HP response. What I got out of it was: Stop whining, the feature you guys were bitching about (not being able to print to this thing from Linux) will be there soon via a free firmware upgrade. Oh and BTW, we are pumping money into SAMBA... etc.

      --
      "... the advance of civilization is nothing but an exercise in the limiting of privacy" - Janov Pelorat
  9. History repeats itself, with the same people! by Jah-Wren+Ryel · · Score: 2

    Jesus! Jack Valenti is still running the MPAA 20 years later. You would think that after being sooo wrong about VCRs, he would have got the boot. It looks like the MPAA is so corrupt that they would rather institutionalize stupidity than learn from their mistakes. If I were a shareholder in any of the MPAA member companies I would be furious.

    --
    When information is power, privacy is freedom.
  10. Re:If you *bought* PGP, you're screwed by FyreFiend · · Score: 2

    Yup!
    I bought a copy for the Mac a couple of months before OS 9 came out. When it did an incompatibility cropped up and I needed an upgrade. I call them and ask if there will be a free upgrade. Nope. I ask if there's an upgrade discount like most software. Nope. They actually wanted me to pay the full price again after just a few months! I'll never buy anything off them again.

    --
    - Apple Computer......proudly going out of business for over twenty years.
  11. Re:At the same time, excuses are piling up. by Fervent · · Score: 2
    I've pretty much gone back to Windows since playing around with Linux. It had some nice features (the stability was great, and programming simple programs with gcc was a breeze), but I couldn't stand not running my favorite apps, and the GUI left a lot to be desired.

    I've now started using Windows 2000, and am pretty impressed. It does crash, but it's a well-documented visual bug (playing around with OpenGL with beta Voodoo 3 drivers), and only if I attempt a set group of tasks. It runs games extremely well, in some cases better than their Windows 98 counterparts (e.g. Unreal Tournament). I also can use Visual C++ to quickly create W32 apps, and list them as shareware for hundreds of millions of "normal" computer users to use (instead of just Freshmeat users, which though cool, don't represent the average user).

    --

    - I don't care if they globalize against free speech. All my best free thoughts are done in my head.

  12. You smell money in DeCSS? by Wakko+Warner · · Score: 3
    How, pray tell, can the MPAA make money with DeCSS? At least, with VCRs, the answer was pretty freaking obvious.

    - A.P.
    --


    "One World, one Web, one Program" - Microsoft promotional ad

    --
    "Remember when the U.S. had a drug problem, and then we declared a War On Drugs, and now you can't buy drugs anymore?"
    1. Re:You smell money in DeCSS? by djoham · · Score: 3


      How, pray tell, can the MPAA make money with DeCSS? At least, with VCRs, the answer was pretty freaking obvious.

      Obviously, it wasn't at the time (early 80's)...

      How can they make money with DeCSS? Dunno. I'm not a marketdroid. A first guess would be to increase their market penetration for legally purchased DVDs.

      Besides, who says it has to be the MPAA making money off of the DeCSS source code? Why couldn't a company create a DVD add-on for the HandSpring or WinCE in the future? How about selling and supporting DVD playback capability for less than a licence from the DVD-CCA? Hey, maybe there's a market for some T-Shirts with source code on them! The possibilities are endless.

      Don't dismiss what corporate -insert country here- can think of to make money when they are forced to actually think about product development rather than sit back and milk an existing monopoly/product line.

      David

    2. Re:You smell money in DeCSS? by toriver · · Score: 5
      How, pray tell, can the MPAA make money with DeCSS?

      Because the MPAA represents makers of movies, who will benefit because more people will be able to play DVDs and thus have an incentive for buying them. The CSS system limits what systems can be used to play a DVD, the DeCSS code circumvents this so that drivers can be written for platforms the drive vendors don't consider "lucrative" because then they have to pay lots of money to the consortium.

      If they really cared about piracy they would go after the factories in China or wherever which spit out bit-for-bit copies of the DVDs, because - and this is what the recent lawsuits don't want you to think about: You don't need, and have never needed DeCSS to copy a DVD. You just need it to descramble the data for viewing. As a side-effect, you can take that stream and save it, but you could do that with any video stream, even if your descrambling driver was licensed from CSS.

      Sadly, this goes unreported in the press, and you instead end up with ignorants like John Taschek voicing off after swallowing the "arguments" of the business - even if the MPAA does not benefit from CSS at all.

  13. I don't use PGP by Omnifarious · · Score: 4

    I don't use it, and won't use it. Their licensing is too restrictive. I'd much rather use the German produced GnuPG. Better licensing, more standards compliant, and they don't put stupid features like ADK in to satisfy Big Brotherish commercial interests.

  14. Maintain the paranoia! by Aldis+Ozols · · Score: 4

    If, on the other hand, you would prefer to continue to believe that the government secretly controls all security products, read this:

    http://cryptome.org/nsa-sabotage.htm

    --
    How to Lobby Politicians http://www.zeta.org.au/~aldis/lobby.html
  15. If you *bought* PGP, you're screwed by Desert+Raven · · Score: 4

    Nice of the PGP folks to provide a fix for those using the freeware version of PGP. However, if you were one of the suckers who purchased PGP for commercial use, Network Associates requires that you *purchase* an upgrade to fix the problem. Seems to me that with a major blunder like this, they owe me a fix at no charge.

    Nice to see that honesty is rewarded.

  16. International PGP link by mu_cow · · Score: 4

    The link given for PGP says:

    MIT distributes PGP only to US citizens located in the United States, or to Canadian citizens located in Canada. This page is for the United States.

    So if that doesn't mean you (it is not I) go to the international site. The link given has versions for many platforms.

  17. Think Twice before installing PGP 6.5.8 by Anonymous Coward · · Score: 5

    Date: Mon, 28 Aug 2000 22:29:56 -0400
    From: Nemo
    Newsgroups: alt.privacy.anon-server
    Subject: Think Twice before installing PGP 6.5.8

    If you want to install an updated PGP to fix the ADK issue, you might want to read this message thread over in comp.security.pgp.discuss

    Apparently, NAI's solution is to hide the problem from the user. The updated PGP won't use a forged ADK, but it also will not show you that a key has a forged ADK; a forged key will appear to be valid with no ADKs at all. Consequently, the "view->ADKs" menu option is no longer useful for detecting keys with forged ADKs.

    This fix is a Public Relations fix, not a bugfix. The ADK problem is a major design flaw, not a simple bug. It cannot be reliably fixed by what NAI is doing. This update shows a fundamental misunderstanding of what the real problem is and makes me question whether NAI really wants to fix this.

    --
    Nemo -:- nemo@redneck.gacracker.org

    "For those with more memory than 8 Mb - tough luck. I've not got it, why should you." - Linus Torvalds (from the linux kernel source code, circa 1991)
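
An added example, not part of the post above and not PGP's or NAI's code: a check that reports ADK subpackets according to whether they sit in the signed (hashed) or unsigned (unhashed) area of a version 4 OpenPGP signature packet, which is the distinction the post says the updated PGP no longer displays. It assumes subpacket type 10 is the ADK request; the function names and all packet bytes are constructed for illustration.

```python
import struct

# Assumption: subpacket type 10 is the one PGP used for ADK requests
# (RFC 4880 lists it only as a reserved placeholder).
ADK_SUBPACKET = 10

def parse_subpackets(area):
    """Return [(type, data)] for one v4 signature subpacket area."""
    out, i = [], 0
    while i < len(area):
        first = area[i]
        if first < 192:                       # one-octet length
            length, i = first, i + 1
        elif first < 255:                     # two-octet length
            if i + 2 > len(area):
                raise ValueError("truncated subpacket length")
            length, i = ((first - 192) << 8) + area[i + 1] + 192, i + 2
        else:                                 # 0xFF followed by four-octet length
            if i + 5 > len(area):
                raise ValueError("truncated subpacket length")
            length, i = struct.unpack(">I", area[i + 1:i + 5])[0], i + 5
        if length < 1 or i + length > len(area):
            raise ValueError("subpacket runs past its area")
        out.append((area[i] & 0x7F, area[i + 1:i + length]))  # mask critical bit
        i += length
    return out

def audit_adk(sig_body):
    """Split ADK subpackets of a v4 signature body into signed and unsigned."""
    if len(sig_body) < 6 or sig_body[0] != 4:
        raise ValueError("not a version 4 signature packet body")
    hashed_end = 6 + struct.unpack(">H", sig_body[4:6])[0]
    if hashed_end + 2 > len(sig_body):
        raise ValueError("hashed area runs past the packet")
    unhashed_start = hashed_end + 2
    unhashed_len = struct.unpack(">H", sig_body[hashed_end:unhashed_start])[0]
    if unhashed_start + unhashed_len > len(sig_body):
        raise ValueError("unhashed area runs past the packet")
    hashed = parse_subpackets(sig_body[6:hashed_end])
    unhashed = parse_subpackets(sig_body[unhashed_start:unhashed_start + unhashed_len])
    return {
        "signed_adk": [d.hex() for t, d in hashed if t == ADK_SUBPACKET],
        "unsigned_adk": [d.hex() for t, d in unhashed if t == ADK_SUBPACKET],
    }

# --- constructed sample data (not real key material) ---
def _sub(sub_type, data):
    return bytes([len(data) + 1, sub_type]) + data

def _sig(hashed, unhashed):
    # version 4, type 0x13 (certification), DSA, SHA-1, the two areas, then a
    # dummy 2-byte hash prefix; signature MPIs are left out, the audit ignores them
    return (bytes([4, 0x13, 17, 2]) + struct.pack(">H", len(hashed)) + hashed
            + struct.pack(">H", len(unhashed)) + unhashed + b"\x00\x00")

CREATED = _sub(2, struct.pack(">I", 967500000))   # signature creation time
ISSUER = _sub(16, bytes(8))                       # issuer key ID (all zeros)
ADK = _sub(ADK_SUBPACKET, b"\xAA" * 22)           # opaque placeholder payload

CLEAN = _sig(CREATED, ISSUER)
SIGNED_ADK = _sig(CREATED + ADK, ISSUER)          # ADK covered by the signature
APPENDED_ADK = _sig(CREATED, ISSUER + ADK)        # ADK sits outside the signed data

if __name__ == "__main__":
    for name in ("CLEAN", "SIGNED_ADK", "APPENDED_ADK"):
        print(name, audit_adk(globals()[name]))
```

Anything reported under `unsigned_adk` is not covered by the self-signature, so the key owner never vouched for it; a key carrying one should be treated as tampered with rather than silently accepted.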

  18. At the same time, excuses are piling up. by Syllepsis · · Score: 5

    Having started with *nix in '96, I remember that there were many excuses not to try open source software. I had a friend tell me, here play with this on a 2nd partition or older machine. It's fun. You can learn UNIX for free.

    I got slackware 3.0 (I may be off) and played with the command line for a while, just poking at things. I didn't care that the install was hard...it was fun! I was challenged to learn how computing worked at a deeper level. I was specifically told that I would spend many hours wrestling with things, but it would feel good at the end. I remember thinking...hey cool, this comes with a c compiler by default. Then when I got X running it was fun to tweak, and pop xeyes randomly on other people's screens (causing a few lost shell accounts).

    I think people are reluctant to try OSS today because of the way the community presents it. No one says anymore "hey, install this and see if you can learn *nix". Instead it is "This is faster, more reliable, easier to install, better than windows, and totally free." Obviously, this is quite a hefty claim for a win32er to take (true or not true), and so people will quickly become disillusioned at the first couple signs of trouble, and will not wish to work for a few hours learning how to compile soundcard support into a new kernel, or activate IP-Masquerading with additional modules.

    If we said instead, "Hey try this on an old P100, it is fun to play with," we could let the OS try and prove itself. Without the hype, people might get turned on quicker. When I started, there was no concept of replacing windows, it was just another OS to accomplish things on. I only went full *nix in '98 when NT4 ate my partition table, and I went back to win98 this year because I missed the games, and Netscape4.0 does have issues.

    It's true that win2000 and linux are closing in on each other's turf, and this is going to cause sparks, but the attitude that should be fostered is to know BOTH win2000 and *nix inside and out, and take some pride in being knowledgeable in both spheres. Granted, everyone has a preferred environment, but discussion should focus more on getting things done, not "come to our side."

    The more hype escalates, the more win32 users will loathe *nix. (also, win2k hype will make *nixers hate the win32 community, works both ways). People will find excuses, especially with the "conversion" attitude. The community needs to go back to "grab that old 486 from the closet and come play". As easy as setup and install is getting, excuses will go away when win32ers stop feeling threatened.