Slashdot Mirror


User: NearlyHeadless

NearlyHeadless's activity in the archive.

Stories: 0
Comments: 345

Comments · 345

  1. Re:wow ... on RIAA Sues the Wrong Person · · Score: 1
    I'm so glad to be Canadian now, more than ever. I can't imagine a company anywhere else in the world with so much power that they can force an ISP to divulge personal information about their users just because they said so. I mean. Now they've got the address and name of a user that didn't do anything wrong. Can Mrs. Ward sue someone?! Invasion of privacy?! No? I'm probably the furthest possible thing from a lawyer so I wouldn't know, but if that happened to me, I'd be a little more than ticked.

    I would be surprised if there were any common law country where the identity of users of an IP address were NOT subject to subpoena in a civil suit. Why should it be? There's no presumption of confidentiality.
  2. Re:This just in, ROT-13 deciphered! on Cyrillic Projector Code Finally Cracked · · Score: 5, Interesting
    How difficult is this puzzle? "Not very," Sanborn says. Not nearly as difficult as his first encoded sculpture -- a work called "Kryptos" that he created for CIA headquarters in Langley, Va., in 1987. That code, created with the help of a cryptographer, is so hard to break that the CIA "will never figure it out," he says.
    So why is this news for anyone not on the UNC campus?
    The person who actually decrypted this (Frank Corr) doesn't really think it's that big of a deal. It did fall to fairly standard cryptanalysis. We tried to get my 80 year-old mother to help translate it. But, given her failing eyesight, the fact that all the words are run together, and that her Russian is a little rusty, we gave up on that.

    He finally put up his untranslated solution on the web last week, but didn't announce it to anyone. Elonka noticed it in her referral logs and decided to make a big announcement of it.

    Besides not thinking it's such a big deal, Frank is also worried that the FBI keeps a file on anybody interested in cryptography!

  3. Re:More proof that common sense isn't common on CIO Magazine On Offshore IT · · Score: 1
    See any products that aren't made in your home country?
    I don't see any that ARE made in my home country. What is still made here in the US? My computers I'm sure are made somewhere else, even if the companies are American. My desk is from Thailand or Singapore or Hong Kong or Korea. I just looked at my Belkin router... sticker says "Designed In California" and then just below that "Made In Taiwan"... so at least they employ an American designer... except how do we know that? Maybe they hired someone from Taiwan to move over here and design the router...who knows.
    It's interesting how many people have this mistaken view. The United States is actually the largest manufacturer in the world as well as the largest exporter.
  4. Re:Watch Fox News lots, eh? on Privacy International Internet Censorship Report · · Score: 1
    There is also no argument that they gave weapons to Saddam Hussein to fight Iran, and weapons to Iran to fight Iraq.
    The U.S. was an insignificant supplier of arms to Iraq (less than 1%). Iraq bought weapons mainly from the Soviet Union and France.

    As for Iran, as far as I am aware the only arms that the U.S. sold after the Shah fell were those that were part of the "arms for hostages" deal.

    And besides, what is the point of this? If we helped bin Laden earlier, that makes me want to kill the ungrateful bastard even more. I guess the point you people are trying to make is that whatever happens, it's America's fault. If we are for Israel and against the Arabs, then they hate us. On the other hand, if we help them against the Russians, it's our fault, too, because, well, um, er, it just is.

  5. Re:Watch Fox News lots, eh? on Privacy International Internet Censorship Report · · Score: 1
    I hate the actions of the terrorists, but I hate more a government that creates no opportunities for dialogue in other countries and doesn't respect their original sovereignty nor their human rights.
    What inane bullshit. Osama bin Laden isn't interested in "human rights." His main beef with the U.S. was that we had troops in the Arabian "holy land." This would be like Catholics bombing us because we had troops in Italy, near Rome. It's pure religious fanaticism.

    Bin Laden wants the Arabian government to be more like the Taliban: more repressive, more religious, not less.

    The U.S. troops were in Saudi Arabia at the request of the government to protect the kingdom from invasion by Iraq. I don't know what you mean by "original sovereignty."

  6. Re:list of stories on Project Censored 2003 Underreported Stories · · Score: 2, Insightful
    Given the extremely high levels of birth defects and rare cancers seen by Iraqis since 1991, the general consensus among the medical community is that DU munitions do cause considerable harm when used in battle.
    This is not the consensus at all. The dangers of uranium, depleted or not, are well-studied. Workers at uranium-processing plants were exposed to many times any conceivable exposure of Iraqis for decades. There have been many studies of them and they did not find any significant differences in health from control populations. (Just in case anybody brings this up, uranium miners did suffer many health problems, but that was from the radon in the mines, not the uranium.)

    The Iraqis suffered from a lot of deprivations in the 1990s and assigning all their problems to depleted uranium or to U. N. sanctions is unwarranted.

  7. Re:Nuclear Power is the future on World Nuclear University Launched · · Score: 2, Interesting
    My proposal for disposing of nuclear waste: just mix it in with the waste from coal plants. There's already more uranium in the coal ash than nuclear plants produce and nobody complains about that.

    Anybody who has actually looked at how bad coal plants are for the environment and human health must realize what a joke the "dangers" of nuclear power are.

  8. Re:I think on RIAA Sues 261 Major P2P Offenders · · Score: 1
    There are no ships involved; this is not piracy. It's copyright violation. (Write it out a hundred times on the blackboard!)
    So a word only has one meaning? Use of the word "piracy" for infringement of IP dates back to at least 1771 according to the Oxford English Dictionary:
    2. fig. The appropriation and reproduction of an invention or work of another for one's own profit, without authority; infringement of the rights conferred by a patent or copyright.

    1771 LUCKOMBE Hist. Print. 76 They..would suffer by this act of piracy, since it was likely to prove a very bad edition. 1808 Med. Jrnl. XIX. 520 He is charged with 'Literary Piracy', and an 'unprincipled suppression of the source from whence he drew his information'. 1855 BREWSTER Newton I. iv. 71 With the view of securing his invention of the telescope from foreign piracy.

    Karma points to whoever is the first to notice the irony of my copying this from the OED.
  9. Re:Open to abuse on AMTP as an Alternative to SMTP · · Score: 1
    It costs a spammer around $20 to send that many messages, and they can expect at worst a 0.1% positive response, for a total profit of $380 if they can make $10 off each response and pay the $200 for a certificate. This is in line with the MO and expected income of your average spammer, according to various studies.
    Sources, please. From what I've read, the actual positive response rate (for an actual sale, that is), is about 0.0023%, so you're off by about a factor of 40. And you're ignoring other costs. Estimates are that the current cost per sale for spam is about 4.50. If we can drive that up ten-fold, they're out of business.
    End users (like spammers) don't obtain certificates in AMTP. MTA's (ISPs and possibly large companies) do. You can't just revoke MTA certificates and prevent the ISP from reregistering -- the ISP has to take some proactive steps to prevent abuse, and then respond when it does occur.
    Most spammers do not go through their ISP's SMTP server. Instead, they run their own and they use open relays or open proxies to send mail. Of course you can revoke MTA certificates, just like RBLs block them now. ISP's SMTP servers are not the source of very much spam.

    Besides using certificates instead of IP addresses, the main difference from the current situation is that AMTP is a whitelist system. Right now RBLs just can't keep up with the constant stream of open relays--several hundred new ones per week--nor with the prospect of hundreds of thousands of PCs infected with Sobig.xyz relaying spam.

  10. Re:Open to abuse on AMTP as an Alternative to SMTP · · Score: 2, Interesting
    You need to do some reading on spam economics. Traditional postal spam is economical to advertisers, despite the cost of snail mail (even given bulk discounts). The costs run into a lot more than a couple of hundred dollars per "run" of mails.
    I have read on the economics of spam. Given the real response rate, it would not be economical for spammers to spend an extra hundred dollars a day. Note that if the certificate authority is acting properly, not only will that particular certificate be revoked, but the information used to purchase the certificate can be used to revoke any other certificates of the spammer, plus track them down for legal action.

    In my particular proposal for TLS-based email (not the AMTP proposal), I stress that it is important for CAs to not only try to verify identity, but to try to verify to a unique identity. In the U.S., that would be something like a Social Security Number (or taxpayer id for business). I don't know how feasible this is in the third world.

    Your estimation of the significance of the cost of a certificate is based on US economics. It doesn't take into account the cost relative to income of $200 to an ISP in countries with lower per capita incomes and weak currency. It also doesn't consider the prejudice to small ISPs in poorly serviced regions.
    There are certificate authorities in third-world countries. Presumably they charge appropriately for their own country. There are several things to note:
    1. I think you are underestimating how much third-world ISPs have to pay for hardware and bandwidth charges. These charges are still likely to be much more than the cost of a certificate
    2. Strong identity and inconvenience can be substituted for cost in issuing certificates. If you have to present a government-issued photo ID in person, that will help prevent spammers from obtaining excessive numbers of certificates
    3. It is not necessary for each mail server to have its own certificate. Mail servers can forward to a shared host. It would be relatively simple for someone in the U.S. to set up an AMTP server. It would accept authenticated SMTP connections from those who are too small or cheap to want to pay for their own certificate. The AMTP provider would count the number of mails sent by each account to make sure that it is not excessive.

      There are already SMTP providers that do this for less than $100 per year. If that is cheaper for someone than running their own server, they should do that.

  11. Re:Open to abuse on AMTP as an Alternative to SMTP · · Score: 1

    This draft fails to provide any significant advance over SMTP. The use of TLS and authentication between MTAs merely provides a mechanism to identify policy violators. It does not (as the draft recognises) prevent fraud against a CA, it does not address the problem of distributing certificate revocations, it opens the door to a new era of DoS attacks against CA services (which will likely be far less robust than the DNS system), increases the barrier to entry for the ISP market (with costs being passed on to consumers, of course), and the opportunity for politically based service interrupts (like we already see with SPAM black lists) is just plain scary.

    The problem of distribution of certificate revocation lists does need to be addressed, but the problem is not as serious as you suggest. CRLs are signed, so can be replicated easily. The same people who now run RBLs can both replicate the CRLs from the CAs and publish their own list of certificates that they feel should not be trusted.


    Although people on slashdot are complaining that CAs charge for certificates, it is precisely that fact, that certificates are much more expensive than domain names or IP addresses, that makes the system workable. Spammers cannot afford to pay a couple of hundred dollars for a certificate that will be revoked after a few days of abuse.


    The idea that paying $100-$200 per year for a certificate is a significant burden on an ISP is ridiculous. The hardware, bandwidth, and administration dwarf this. The savings on bandwidth alone from solving the spam problem will more than make up for this.

  12. Re:One good thing about software patents. on Freedom of Speech in Software · · Score: 1
    think you overstate the benefits. For example you mention a "repeating history" database example. In your next breath you point out that it was "re-invented". This happens constantly in software.

    The vast majority of software "inventions" get independently invented by the second person to look at any given problem.

    This is not true about repeating histories. Databases have been around since the 1960s, but repeating histories wasn't published until 1989. It has had a huge effect on database research and was cited 10 years later as the most influential paper of the year.
    The few truly non-obvious software developments are the deep mathematical developments like public key encryption. But once the math has been discovered the software application of the math tends to be pretty obvious. So those sorts of patents amount to a patent on the math itself. I certainly hope you aren't advocating patents on math itself?
    This is an objection I don't understand. Some patents are just physics, some are just chemistry, some are just mathematics. What's the problem? Am I supposed to decide whether Diffie-Hellman and RSA are mathematics or algorithms? Either way, they are brilliant, non-obvious, useful.

    Software patents are a new development. Computers and software exploded before such patents ever existed. The entire internet was developed patent free. I find it hard to imagine that history would have been enhanced by software patents.
    Software patents date back twenty-four years. Patents on computer hardware have been present since the beginning. Most of the hardware innovations that make up the Internet are patented. Some of the software is, too. RSA being patented didn't prevent it from becoming the most commonly used secure protocol.
  13. One good thing about software patents. on Freedom of Speech in Software · · Score: 2, Interesting
    Here's something I posted on another site a couple of days ago:


    Although I would really prefer to not have software patents, I don't think that the case against them is so clear cut. There are many terrible software patents--vague, obvious, trivial, overly broad, and so on. But there are also software patents that are specific, novel, useful, innovative, implementable. And it is possible that software patents benefit us in a couple of ways.


    First, companies are encouraged to publish details of their inventions that otherwise would have been held as trade secrets. In the database management world, most of the innovations have been made in industry, and before software was patentable most details were kept secret. For example, David Lomet tells me that Tandem held as secret the "repeating history" recovery scheme that was later re-invented by Mohan and published as part of IBM's ARIES system (parts of which were patented.). See ARIES for details of that system and links to good patents.


    If it weren't for software patents, it's doubtful that IBM would have published such details.


    Lomet himself has a couple of dozen patents. Of the ones I've looked at, they are all high quality patents. On the question of patents encouraging innovation, he says:


    I believe that software patents increase the value of research to companies, and hence that there is more industrial research because of it. It is impossible to know which inventions would or would not have been made due to software patents, but I firmly believe that there would be less research, and that some of the inventions would not have been made- and some that would still have been made would be held as trade secrets. For example, almost all of my inventions were made while I was working in a research lab. It seems highly plausible to me that had I held a different job, I would not have made as many inventions.


    (Personal Communication)


    I'm not sure that this effect is as significant, and the ill effects of all the low-quality software patents may outweigh the benefits, but I think it's important to admit that there are some good effects.

  14. Re:Satellites? Why in my day we used dogs! on Anticipating Earthquakes · · Score: 2, Informative
    Interestingly, a 1975 earthquake in China was successfully predicted due in large part to strange animal behavior. A large number of lives were saved.


    Needless to say, this is an extreme exception to the rule, and is about as reliable as grandma's old bones are at predicting the weather.


    Yes, the Chinese are now downplaying predicting earthquakes after 30 false alarms. See Is the reliable prediction of individual earthquakes a realistic scientific goal?


    I saw a TV show about fringe-scientific earthquake predictors. One of them was quite unconvincing, but the other was interesting. He predicted quakes by satellite photos of "earthquake clouds". The finding mentioned in the Science@NASA article about thermal anomalies might back his theory up some. He makes his predictions publicly on his website.

  15. SMTP over TLS on Replacing SMTP? · · Score: 4, Insightful
    There is already a protocol that can ensure the identity of the sending SMTP server: RFC2487: SMTP Service Extension for Secure SMTP over TLS. With the right certificate policy you could make sure that all spammers could be tracked down. I have suggested that people transition to SMTP over TLS and use a challenge-response system (such as TMDA) for backward compatibility.

    Working out the details of an appropriate certificate policy is not trivial, though.

  16. Why Pascal is Not My Favorite Programming Language on Linux Journal Interview With Brian Kernighan · · Score: 5, Informative

    Here's an HTML version of Why Pascal is Not My Favorite Programming Language. There's a Postscript version on Kernighan's website

  17. Re:the fallacy of efficient markets on Pentagon Lets You Bid on Terrorism? · · Score: 1
    Reminds me of the old joke about two efficient-market economists walking down the street. Economist one: "Look - there's a $50 bill on the sidewalk" Economist two: "Don't be stupid, if it was somebody would have picked it up already" I reckon that's about the predictive power of this initiative.

    Well? How often have you found $50 on the sidewalk?
  18. Re:This is the future of law enforcement on Military DNA Registry Used in Criminal Case · · Score: 1
    One thing they always seem to omit is that DNA testing is not 100% reliable. Not counting the possibility of errors in the testing lab, or decay or contamination of the sample, the results still narrow things down to one in x-million people (the value of x currently escapes me) under ideal conditions. While this may be sufficient for a paternity test, I'm not sure it's equally effective as stand-alone evidence for any arbitrary crime.

    There has been at least one case in Britain of somebody whose DNA caused them to be falsely linked to a crime. However, after the person insisted he was really innocent, further tests were done which showed he was innocent. The DNA-fingerprint kept on file does have a tiny possibility of error, but when you have the actual person, you can test parts of their DNA that are not usually used.


    Compared to any other evidence used in court, including fingerprints, eyewitnesses, photographs, DNA is far more accurate.

  19. Re:Privacy Concerns are SO overrrated on Wal-Mart Cancels RFID Trial · · Score: 1
    The RFID tag IDs are useless without the database linking them to actual product items. If all the store's products were scanned by a third party, they would have no way of knowing what an individual ID corresponds to.

    Not likely. The RFIDs will be included by the manufacturers, just as bar codes are now. It will include the product number and a "serial number" to make it unique.

    Secondly, anything that is sold should be marked as such in the store's database. Somebody walking into the store with tagged clothing should not be fingered for shoplifting, since the item should have been marked as sold.

    Yeah, right. Every WalMart is going to keep a database of every individual item sold over the last ten years.

    Your two reasons for not worrying about security are flawed. Care to try again?

    Your reasons for paranoia are flawed.
  20. Re:Certificates on USPS To Provide Personal Identity Certification · · Score: 2, Informative
    I received my official Danish digital certificate(x.v509) by getting two pin codes. One via snail mail and the other when I ordered the certificate via the web. Both had to be typed in to receive the certificate via mail.


    Seems pretty secure to me.


    That verifies your snail mail address, not your identity.

  21. Web links to TCPA and Microsoft NGSCB (Palladium) on A Critical Look at Trusted Computing · · Score: 1

    In case you're actually interested in reading what the technologies are about, instead of just FUD. Here is The TCPA and Microsoft's Next-Generation Secure Computing Base (which is what came from the Palladium Project).

  22. Re:akamai overseas ? on Transparent Web Caching Patented · · Score: 1
    if they move all their assets to India or other low-cost countries, they hit a double whammy : cheaper labour + no patent fees.

    Any servers they have in America (and their business requires them) would still be subject to American patent law.
  23. Re:Useful top end? on 150 Mbit/s DSL. · · Score: 1
    Well, it's great that it can pull down 150Mb/s ... but you've gotta have an empty OC3 to feed it. And if you've got an OC3, might as well kick out the extra cash to run in the extra 300 meters.

    A friend of mine bought a house a couple of years ago. It's in a new neighborhood and Bellsouth has fiber down to the neighborhood level, then copper to each house. When the realtor was showing them the house, he noticed the fiber connection was in the backyard (a little air-conditioned box, dunno what you call it). His DSL line runs less than 50 feet to that. He gets great throughput.

  24. Re:The Race to the Bottom on Offshore Outsourcing Threatens Offshore Outsourcing · · Score: 0, Flamebait
    It's what's known as the race to the bottom:

    Once one company gets their employees to go along with a health care cost increase or a salary cut, the other companies will rush to offer just as low pay and benefits. They call this "competitive" compensation. So if the jobs can be outsourced for cheaper, then the majority of businesses will all race to find where that is. It happened with manufacturing jobs, it is happening with service jobs. I don't really know what (if any) jobs are "safe."

    The largest manufacturer in the world is: the United States of America. The largest exporter of manufactured goods: the United States of America.

    Was there a "race to the bottom" in America after the NAFTA and WTO treaties? No, incomes rose in every quintile.

    Here we are in the worst recession in a long while and unemployment is: 6%. Not great, but better than most past recessions and better than most European countries even during the best of times. Meanwhile, wage growth has continued in the U.S. even during the recession.

    Yes, jobs in the IT sector are hard to come by, but that has more to do with there being hugely inflated demand during the late 1990s, with the confluence of the dotcom bubble and the Y2K "crisis", than it has to do with world trade.

    Also, don't think this automatically translates into lower prices. It doesn't make the products better or less expensive, just cheaper to make. How much in lower prices do you pay for your Nike tennis shoes made in Burma?
    During the last 15 years, inflation has been noticeably low.
  25. Re:subjective world views and causal myopia on BSA Creates Piracy Statistics · · Score: 1

    They're assuming a 39% piracy rate basically because 39% of people who demand (stated that they want to or will buy or who actually buy) software didn't buy a copy.

    That's not how they estimated demand. See this comment