First, fuck "Secure Digital" media. All that means is that it is DRM-enabled.
I got a USB flash drive that is also an MP3 player. It needs no drivers. It's not fancy in any way, but it's pretty cool and less than a hundred bucks for 128mb. It's the "Apacer Audio Steno."
Holy shit, 40 bit DES is peanuts. I think when they said keep the government supercomputers busy for weeks, they meant seconds. Even the EFF could do it for a measly $250,000. (http://www.eff.org/Privacy/Crypto_misc/DESCracker/HTML/19980716_eff_descracker_pressrel.html)
It's true that it's hard to audit the expenditure, but it shouldn't be *that* hard. If someone really wants to waste a lot of money in order to get a patent, then that patent is hopefully worth his time and money. I want to mainly get rid of the ridiculous patents, and having to expend a lot to get the patent will make it hard for one guy to patent a lot of dumb stuff.
> Hardly seems fair that we would encourage the inefficient dumb thinking X's of the world and not encourage the insightful, questioning Y's.
Well, we currently encourage X but also reward Y (I don't think we really "encourage" him). I don't have any problem with not rewarding Y, since he hardly put any work into coming up with the idea. Remember that the main purpose of patents is to advance society by promoting invention, not to "pay back" those who come up with the inventions.
One glaring problem with the patent office today is that it allows you to patent ideas that you "had in the shower," so to speak.
Patents exist in order to encourage inventors and labs to expend the resources to come up with inventions. They are encouraged by having exclusivity over their idea for a limited time. This incentive provides the "activation energy" for inventions that would probably otherwise not come to be, and it is pretty hard to argue against. Pharmaceutical companies, chemical engineering companies, biotech firms, etc. all operate under this model.
But when you just "have an idea," it's similarly hard to argue that the patent system encouraged you to have that idea. It might encourage you to develop it, because of the exclusivity you have, but patent law wasn't made to encourage the development of ideas, only their inception. (Note that it is perfectly legal, though shameless, to develop and patent an idea merely in order to license it to others -- an act that diminishes, if anything, its development.) In fact, these are the worst kind of patents, because usually one of two things happens:
- the inventor is too underfunded or inept and the idea never gets developed (at least until it is out of patent, and possibly irrelevant by that time)
- someone else also just happens to "have the idea," but he's locked out of using it
In addition to cleaning up their prior art and "obviousness" certification, I think that the patent office should also reject applications unless there is a significant and auditable resource expenditure in developing the idea. (That could be a basement inventor's hours working away, or 3M's labs and employees.)
They don't look great to me!! Unlike the tiny phosphors in a CRT, LCDs have specific individual imaging elements for each screen pixel. If you don't run at the native resolution (or an integer divisor of it), then screen pixels will have to be displayed at different widths in different places, which will distort the image. Most modern LCD screens do anti-aliasing in order to minimize this effect, but then you lose the perfect crispness that is (IMO) the best advantage of LCDs over CRTs in the first place.
First, have a work area (or computer) where you don't do anything but work. This might be a small weak laptop, it might be a study area at your school, whatever.
Go there when you need to do work. If you find that you're unable to, leave. Don't fuck around, and don't put in 10% while daydreaming.
When you're working, work 100%. Try to get into that "deadline mode." You'll be amazed how much you can get done, and your friends will be jealous at how you spend most of your time "not working."
> I admit the boundary is a bit fuzzy, but I wouldn't really say that portion is cryptographic.
I didn't mean that specific loop, but the whole routine in general. I think that level of carelessness could easily have undone all the work he did, and still made the output "look" like a cryptographically strong hash. That's why code audit is critical, and this code was not audited.
> I suspect the memory clear is redundant because there is a later memory clear, but redundant/paranoid security isn't a bug. The "j" variable is certainly peculiar. It could be harmless legacy code he didn't bother to delete, or it could be a "bug" in specific intent that preserves the general intent if it was intended to be arbitrary anyway.
Well, it's fairly obvious to me that it was not the author's intent. If he had intended to write the routine that he wanted, he wouldn't have bothered adding a constantly zero 'j' to the index each time, and he wouldn't have zeroed out a buffer and then subscripted its first element each time. He would have just said 0.
> It would be interesting to ask the author about that.
Well, I just did in response to his post claiming responsibility for the code, but he didn't respond yet!
"With current multi-sample implementations of anti-aliasing, you may sample texels outside of the polygon boundary..."
I understand what they say is happening, but I don't understand *why* an implementation of anti-aliasing would sample outside the polygon boundaries. What does the implementation do that causes this?
Well, I think the idea is that (a) you'd be able to do that on the card, so you wouldn't need to move it to main memory, and (b), you do not need to literally render the whole screen and then shrink it; you can just do 2x2 pixel or 4x4 pixel blocks and then combine those to get each pixel. The intermediate data does not need to stick around.
> What they do is they don't actually sample the entire screen, they basically just run AA on the textures when they are rendered, then anti-alias the edges as they are rendered.
How is AA on the textures different from bilinear sampling? Or, how does anti-aliasing the edges cause textures to leak through?
Lucky for us, Microsoft has enough cash to make a difference! If they hate software patents, maybe a few wealthy congressmen will start hating them, too...
Yeah, I understand the general intention of the code. I don't think there's anything wrong with trying to make the hashing code slower, in fact, that's probably a good idea.
What does worry me is:
- The whole algorithm is extremely ad-hoc. Since it serves an important cryptographic function, it should use cryptography carefully, and this doesn't. I have faith in MD5's practical ability to mask the author's missteps, but I'm not a genius cryptographer myself so I don't know what's possible. I do think that knowing the input has a special form would be an aid to cryptanalysis of the algorithm.
- The code itself is bizarre and (IMO) buggy, which leads me to believe that nobody ever audited it. It seems likely that I was the first person to look at it carefully (7 years later when I ported it to SML)--that's really scary since it plays such a vital role in the security of the system.
Based on my understanding of 3D rendering, I don't see how this can happen.
I thought that FSAA worked by one of two methods:
- Render the entire screen at a higher resolution (double width and height, for instance), and then downsample it to the screen resolution
- Render the same scene at screen resolution several times from slightly (sub-pixel) different locations, then mix the images together
Either way, I don't see how texture coordinates would be disturbed such that parts of other textures show through at boundaries. Can someone with an understanding of modern graphics hardware clue me in?
OK, author of md5_crypt, what the hell is up with this code? (http://www.freebsd.cz/pub/FreeBSD/branches/4.0-stable/src/contrib/libpam/modules/pam_unix/md5_crypt.c)

    /* ... */

    /* Don't leave anything around in vm they could use. */
    memset(final, 0, sizeof final);

    /* Then something really weird... */
    for (j = 0, i = strlen(pw); i; i >>= 1)
        if (i & 1)
            MD5Name(MD5Update)(&ctx, (unsigned const char *)final+j, 1);
        else
            MD5Name(MD5Update)(&ctx, (unsigned const char *)pw+j, 1);

    /* ... */
There are a number of alarming things about this code. First, you're overwriting 'final' with zeros so that it won't stick around in VM, but you're not done using it yet! Then in the next loop the variable j is added each time around, but it always remains zero (essentially, that loop computes alternating 0s and the first character of the password). Really weird, indeed!
There's a bunch of other awkward things about this code that make it obvious that (a) it was not designed by a cryptographer and (b) was never audited. That scares me a little. Do you have any explanation?
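The behaviour described in the post above can be reproduced without MD5 at all. This is an added example, not code from md5_crypt.c or from the original post: it keeps the quoted loop's control flow but replaces the MD5Update call with a recorder, so the bytes that would be hashed in this step can be inspected. The names weird_loop_bytes and same_loop_input and the sample passwords are hypothetical.

```c
#include <stdio.h>
#include <string.h>

#define FINAL_LEN 16 /* size of the MD5 digest buffer 'final' */

/*
 * Same control flow as the quoted loop, with MD5Update replaced by a
 * recorder (assumption for illustration): each byte that would have been
 * hashed is appended to out[]. Returns the number of bytes recorded.
 */
static size_t weird_loop_bytes(const char *pw, unsigned char *out, size_t cap)
{
    unsigned char final[FINAL_LEN];
    size_t i, j, n = 0;

    memset(final, 0, sizeof final);      /* cleared before its last use */

    for (j = 0, i = strlen(pw); i && n < cap; i >>= 1) {
        if (i & 1)
            out[n++] = *(final + j);               /* j stays 0: final[0], now 0 */
        else
            out[n++] = (unsigned char)*(pw + j);   /* j stays 0: pw[0] */
    }
    return n;
}

/* 1 if both passwords feed identical bytes to the hash in this step. */
static int same_loop_input(const char *a, const char *b)
{
    unsigned char x[64], y[64];
    size_t nx = weird_loop_bytes(a, x, sizeof x);
    size_t ny = weird_loop_bytes(b, y, sizeof y);
    return nx == ny && memcmp(x, y, nx) == 0;
}

int main(void)
{
    /* Constructed sample passwords. */
    const char *samples[] = { "password", "p1234567", "hunter2", "pa" };
    unsigned char buf[64];
    size_t s, k, n;

    for (s = 0; s < sizeof samples / sizeof samples[0]; s++) {
        n = weird_loop_bytes(samples[s], buf, sizeof buf);
        printf("%-10s len=%lu ->", samples[s], (unsigned long)strlen(samples[s]));
        for (k = 0; k < n; k++)
            printf(" %02x", buf[k]);
        putchar('\n');
    }
    printf("password vs p1234567 identical: %d\n",
           same_loop_input("password", "p1234567"));
    return 0;
}
```

The loop contributes one byte per bit of the password length, and each byte is either NUL or the first character, so this step depends only on the length and pw[0].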
Yes, but compared to what a good indie label does for its artist (produce the album, press CDs and secure distributing deals, advertise,...) and what the purchaser receives for about the same amount (an actual high-quality CD with artwork) we're looking at a significantly better deal for CD Baby and Apple and a worse deal for the consumer.
Better, in my opinion, is realizing that the internet gives budding artists the way to realize their dream of being heard without having to succumb to industry metrics of success like CD sales and radio play, and now, 60 cents a song. The vast majority of bands will never make any money at all, AND nobody will download their music, AND CD Baby will get $40 apiece. Better is to put their music online for free (it costs almost nothing to do; there are even some free music sites like IUMA that will host it for you), and make music for fun.
All of this stuff could be handled with endpoint solutions. (Except for dynamic IPs, and there's no reason to believe that wouldn't be a problem with IPv6, either). Port forwarding in NAT is the simplest, and stupidest way, but we could easily create a "home device network" protocol and run that all off the single external IP. (uPNP is trying, sort of.) This would be easier than IPv6 because it doesn't require changing the infrastructure of the entire internet.
It's true that Apple does stuff, but to throw on an extra album or extra hundred albums can't really be that expensive. Most of the things you mention are independent of how much music they host (and advertising gets easier when they have more albums;)).
> If it's so easy, go build yourself an ITMS and charge less!
Actually, I just distribute all my music on the internet for free.
It's 91% of whatever percent apple gives them. Someone says that comes out to about 60%, which is only a smidgeon better than the "industry standard" 50/50 for a good indie label. And that's a ripoff considering that they aren't actually doing anything.
It is so sad to see people sucked into the success=sales dream, when they could be making music just for fun and for the sake of art.
Using the same techniques as they did to brute-force DES56, triple-des would be about 2^112 times as secure.
It's the same as visualizing a small file system, except that the files are an order-of-magnitude bigger (DVD rips, databases...)
Is it true that your last name is really short for "Parentheses?"
All this thinking... and stop thinking.... that's hard stuff, man.
I think that's meant to be sarcastic, though I've seen figures that indicate it is the most popular language in the world.
Anyway, Visual Basic is essentially the Windows "Perl," so I wish linux kids wouldn't act so high-and-mighty about it.
What the hell does CD Baby "distribute?"
These aren't physical CDs, they're just music files, so why is CD Baby taking a continual 9% cut of your music?
Anyway, for most bands it's tough enough getting people to listen to your songs even if you put them online for free. So, this is probably just another way to coax money out of indie hopefuls.
Yeah man, I am psyched!!!!!!!!!!!!!!!!
I hate that I can copy MP3s onto my MP3 player and back off onto another computer!!
Man, you sit around in front of a computer, drinking beer and not working all day?