Re:2 passwords instead of 1 (on Sudo vs. Root) · Score: 4, Insightful
Actually, you missed the point of why sudo only asks for the user password. And so did the author of that web page (which is why he's wrong).
Firstly, asking for a root password has no effect on the security of the system. A cracker does not have to crack an extra password. Once your user account has been cracked, if you know the root password and use su (or sudo or whatever), then at some point you are going to login and do that. Unfortunately, the cracker knows your user password - your .bashrc was replaced, the shell you are running is a trojan. The password that you typed in was captured, and the cracker now knows the root password. In fact, it probably just used that password to launch a rootkit.
This can be solved, with some form of secured authentication path (like a smartcard device, which can't be trojaned using the user's password, and there are also ways to do this without needing extra hardware). sudo supports stuff like that, if you know what you're doing. But simply asking for a second password, in an application running in the terminal, is no more than a speed bump. It's not the second layer of security that it looks like it should be. Anything you type into the terminal is compromised once an attacker has your user password.
Secondly, shared passwords are bad security. You can't easily change them - it has to be arranged between several people. You have to pass the secret between at least two people on at least one occasion, and somebody else can overhear when you do that. People tend to be less careful about information that is known to several people. If the secret leaks out, there's no easy way to trace who leaked it. There's all sorts of issues with shared passwords. If you really wanted a second password, you should have one 'root' password for every user who has root access (Kerberos systems allow for this scenario, because a Kerberos environment can have secure authentication paths; sudo and su don't, although you could have one 'login' password and one 'sudo' password by creative use of PAM, but you have to tackle the authentication path issue first).
Thirdly, the point of sudo asking for the user password is to authenticate that the user currently sitting in front of the computer is the same user that logged in at some point in the past. Users are forgetful; they walk away from their console to get coffee without locking it. sudo attempts to verify that the user currently sitting there is probably the right one, and not somebody else who snuck into their office. If you have sudo ask for a single shared root password, then one of the other users with root access could use somebody else's account, and would appear in the logs as that user. That means they deflect blame for their actions onto somebody else. If you really wanted to have a second password with a shared root password, you should ask for both the user and the root password.
You could argue that a user with root access can always just clean the logs afterwards - but this is not necessarily true. A system can be configured so that syslog immediately sends every message over the network to another host. sudo deliberately sends the message to syslog before running the command, so that this scenario remains secure. The user could immediately disable this configuration, but they can't stop that first message from going out, saying who they are and when they logged in. (We will assume that this scenario involves ssh access to a server located in a locked datacentre, so there is no opportunity to interfere with the physical network connection).
sudo's way of doing things really does have security advantages. It may be true that these advantages aren't relevant to the default macosx configuration, but that does not mean they don't exist. However, using a single root password, like the article author suggests, does not have security advantages over the default behaviour (see the first point in this post). And the default behaviour is more convenient for users (who only have to remember one password instead of two), which is almost certainly why Apple set it up that way. The article ignored this aspect.
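The third point above (sudo logs the invoking user, not a shared "root", and ships the line to syslog before the command runs) is what makes a remote syslog collector useful for accountability. The following is an added example, not code from the comment thread: a small Python parser that reads sudo's default syslog line format from a constructed remote-collector feed, attributes each privileged command to the real invoking user, and flags denied attempts and commands that touch log forwarding (the "disable the configuration afterwards" move the post describes). The host, user names and the list of log-sensitive paths are assumptions for illustration.

```python
"""Attribute sudo events from a (constructed) remote syslog feed to the
invoking user and flag commands that could silence later log forwarding.

Added example; not part of the original comment thread. The sample lines
below are constructed to mimic sudo's default syslog format.
"""
import re
from collections import defaultdict

# sudo's default syslog line, as forwarded to a remote collector:
#   <timestamp> <host> sudo:   <user> : [<denial reason> ;] TTY=.. ; PWD=.. ; USER=<target> ; COMMAND=<cmd>
SUDO_LINE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) sudo:\s+"
    r"(?P<user>\S+) : (?P<fields>.*)$"
)

# Map sudo's field names to our own keys so "USER=" (the target account)
# does not collide with the invoking user.
FIELD_NAMES = {"TTY": "tty", "PWD": "cwd", "USER": "target", "COMMAND": "command"}

# Substrings whose presence in a command suggests the logging path itself is
# being altered. Assumed list for illustration; tune it to your environment.
LOG_SENSITIVE = ("/etc/rsyslog", "/etc/syslog", "/var/log", "rsyslog", "syslog-ng", "journald")

# Constructed sample feed: three users, one denied attempt, two log-affecting commands.
SAMPLE_LOG = """\
Jun 12 10:00:01 srv1 sudo:   alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/systemctl restart nginx
Jun 12 10:03:17 srv1 sudo:     bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/vim /etc/rsyslog.conf
Jun 12 10:03:25 srv1 sudo:     bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/rm -rf /var/log/auth.log
Jun 12 10:04:00 srv1 sudo:   alice : 3 incorrect password attempts ; TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/cat /etc/shadow
Jun 12 10:05:42 srv1 sudo:   carol : TTY=pts/2 ; PWD=/tmp ; USER=root ; COMMAND=/bin/ls /root
"""


def parse_sudo_line(line):
    """Return a dict describing one sudo event, or None if the line is not one."""
    m = SUDO_LINE.match(line)
    if not m:
        return None
    event = {"ts": m["ts"], "host": m["host"], "user": m["user"], "denied": None}
    # Fields are separated by " ; "; anything without "=" is sudo's free-text
    # denial reason (e.g. "3 incorrect password attempts", "user NOT in sudoers").
    for field in m["fields"].split(" ; "):
        key, sep, value = field.partition("=")
        if sep:
            event[FIELD_NAMES.get(key, key.lower())] = value
        else:
            event["denied"] = field
    return event


def touches_logging(command):
    """True if the command mentions a path or daemon involved in log forwarding."""
    return any(marker in command for marker in LOG_SENSITIVE)


def analyse(log_text):
    """Parse a syslog feed; return (events, commands grouped by invoking user, alerts)."""
    events = [e for e in (parse_sudo_line(l) for l in log_text.splitlines()) if e]
    by_user = defaultdict(list)
    alerts = []
    for ev in events:
        # Attribution: the first field after "sudo:" is the real account, even
        # though every command below ran as the shared target "root".
        by_user[ev["user"]].append(ev.get("command", ""))
        if ev["denied"]:
            alerts.append(f"{ev['ts']} {ev['host']}: sudo denied for {ev['user']}: "
                          f"{ev['denied']} (wanted: {ev.get('command')})")
        elif touches_logging(ev.get("command", "")):
            alerts.append(f"{ev['ts']} {ev['host']}: {ev['user']} ran a log-affecting command "
                          f"as {ev['target']}: {ev['command']}")
    return events, dict(by_user), alerts


if __name__ == "__main__":
    events, by_user, alerts = analyse(SAMPLE_LOG)
    for user, commands in by_user.items():
        print(f"{user}: {len(commands)} privileged command(s)")
    for alert in alerts:
        print("ALERT", alert)
```

Because the collector received bob's `vim /etc/rsyslog.conf` line before the editor even opened, deleting `/var/log/auth.log` on srv1 afterwards does not remove the attribution; that is the ordering guarantee the post relies on.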
Suggesting that makes you an anti-American terrorist. The Department of Homeland Security will now investigate you at great expense, and if you happen to be a Muslim, ship you off to a detainment camp to be held without trial.
What kind of TOS is that? It should look something more like this:
The player provides no guarantee of service or payment on time.
The player is not responsible for any actions made using the player's account, and cannot be held responsible for anything they may do while using the service.
The player may withhold payment whenever they feel that Blizzard is not doing stuff the way they want it, and Blizzard can't do a damn thing about it. The player may also urinate upon three Blizzard employees, once per year.
If Blizzard feels that the player's actions are at any point unreasonable, then the player will consider their complaint, and will inform Blizzard whether or not they agree and what action they are going to take. There is no appeal against the player's decision if they determine that the complaint was not valid.
Sounds unreasonable? It sounds pretty similar to the one that Blizzard offers, as far as I can see. Exactly who is the vendor and who is the customer here?
I know one dumbass who spent $8000 for SQLServer based on a lie from the Microsoft salesman who told the dumbass that Postgres can not in any way handle Triggers!
That's fraud. I hope you sued Microsoft. Should have been a simple case that paid out large damages plus your legal costs.
First off, redundancy factors make failure and meltdown a near impossibility. Unless an operator is asleep in the control room, and then deaf and blind to all of the alarms and lights that go off when a coolant failure might occur, the reactor will be shut down.
You missed the most 'obvious' way: the operators can deliberately deactivate and/or ignore the alarms, and override the safety cut-outs. Stupid? Well, yes, but that's how Chernobyl happened.
You could redesign the control systems to avoid such issues.... but pebble bed reactors are a better solution. They don't have meltdown failure modes, they just get cold(ish) and stop working.
Credit cards and magnetic stripes have to be practically inserted into the machine to read em.... the field strength is too weak otherwise.
That's not strictly true, you can read a credit card stripe at a distance of several feet with the right equipment. Of course, you can't do that to the new ones with the smartcard chip on them. However, this was never a serious issue, because...
If you keep em in your wallet you are safe.
This part is true because your wallet contains a bunch of metal coins and other credit cards and stuff like that which is pretty effective at interfering with the very weak magnetic fields being used here.
a lot of these botnet creators employ "features" such as
Typical security theatre from people who just don't know much about security. None of those things will accomplish anything, because it's the same old DRM problem - if it has to run on the target host, then the person controlling that host can analyse it, reverse engineer it, and discover how it works. Having done that they can defeat it. It doesn't matter how much you encrypt or hide the communication between the loser running the botnet and the infected host - that host can be 'compromised' by a person with physical access.
Of course, if something like Palladium ever became a reality, this would no longer be the case, which would be the security disaster everybody has been warning about.
Also, anonymising systems like freenet are designed specifically to protect the identity of the person inserting information, so it's not necessarily possible to track down the one controlling the botnet.
But it is very easy to defeat security theatre like port knocking and 'stealth' commands. We are always going to know precisely what the infected host is doing in one of these things.
None of that matters though. While it could be effective in the short term to track these people back from the infected hosts, it's far more realistic to track them forwards from their clients. Money is much easier to follow.
Why do you think this is Microsoft's fault?... Why pay $300 for a home OS that you won't use half the features.
It's their fault for charging $300 for a box that's worth at most $30 - the linux boxes you can get on the shelf set the true market value of that functionality, and they come with a complete suite of applications. You don't get anything with windows - even IE and OE have to be replaced with Firefox and Thunderbird before the system is viable.
The differences in functionality between XP Home and Professional are frankly rather small. Microsoft are charging extra because they can, not because the product is more expensive. The real reason for the Home/Professional split was to let them shove up the price of Professional and to get a lot of people to pay for windows twice when the box arrives and they realise that they actually needed Professional (happens a lot in medium companies where the purchasing people don't understand computers - sure, you can blame the idiot who bought the wrong thing, but Microsoft deliberately engineered things to encourage this).
RISC died a long time ago. Once you get past all the morons on slashdot, the point behind the RISC idea was simply this: We know more about writing compilers than we do about making chips. Design systems so that the compiler does more of the work.
Since the 1980s we've learned a lot about making chips but not much about making compilers (there have been massive changes in the way chips are designed; compilers have made some minor improvements but basically work the same way as they always have). Nobody's made RISC chips for the mass market in years - all modern chips behave a little like RISC and a little like CISC but mostly like neither of them. The whole RISC/CISC thing is so obsolete that it's not funny any more - it is just not a relevant consideration in modern chip design. Nowadays we're concerned with things like register pressure, speculative out-of-order execution, cache coherency, and retaining the information from the original source code so that the CPU can behave more intelligently with it.
Swing, unfortunately, has some design limitations, not the least of which is that it is very memory hungry.
I'm surprised that you didn't mention the biggest problem with Swing for practical purposes, which is that the API was designed by an insane crack weasel with a terminal case of brain rot. Really, what sort of person thinks that getSystemLookAndFeelClassName is a sensible name for a function in a standard library? (There's certainly far worse issues, but that one always struck me as the most gratuitous. Somebody probably spent a fair bit of time thinking of the most obnoxious names they could for the more obscure functions - you just can't come up with a name like that by accident)
Swing makes the rest of the java standard library look good.
RFID tag is just something like license plate on your car.
Do you walk around wearing a large plate describing, in lettering visible from a considerable distance, all the items you are carrying about your person?
This technology could revolutionise the pickpocket industry. They don't need a complete database of all known tags. They just need to lurk down the street from the Apple store and know the code for "ipod" which is used at that particular store. Other valuable items (on the black market) that may include RFID tags are: passports, ID cards, most electronic products still in their original boxes, pharmaceuticals...
And that's just one of the many possible uses for them. I'm sure people will find more and more creative ways to take advantage of the newly available information. Imagine if you could profile the current possessions of a customer to identify the ones likely to make a purchase, and target your salespeople to them, or even just prohibit the rest from entering.
The possibilities for bold new patents are almost unlimited.
No "Digital Rights Management" type scheme. Once you download it, it's yours to put on any computer you own.
Frankly, I expect the grandkids to look back and laugh at the idea that anybody would ever pay for DRMed crippleware. After all, people like to own things - not be told that they're trying to steal the thing they paid for. The "TV prohibition" years should have come and gone by then. And I find it pretty funny that dongles ever existed.
There will probably still be stores with boxes in them, but internet delivery of games is already here - I haven't bought a PC game on a physical disk in at least a year. Service that good is here to stay.
Can it translate accurately from Arabic to English?
If it does what I think it's doing, which is about looking for structural patterns in the data without having any understanding of English in the first place, then this is unnecessary. Such systems don't really care much about the language they are applied to, so long as it's got something approximating a word-sentence-paragraph structure.
Not that it matters, because the 'terrorists' being targeted here are really US dissidents, who will be using English in the first place. Nobody expects a system like this to catch real terrorists, it's obviously intended to monitor the population who might otherwise be sympathetic to the foreign freedom fighters trying to throw off the yoke of US oppression, or whatever. Makes me glad I don't live in the US.
Sounds like a big waste of time and (my) money.
My bet is that this is a research effort which the researchers put a 'terrorism' spin on in order to get funding. It's definitely a worthwhile research project - if it does what I think, this is leading-edge stuff that should advance the state of the art in data mining. Probably not so worthwhile as an application, because the technology isn't really that accurate yet.
Spinning research as a military and/or defense system in order to get grant money is standard practice in the military-obsessed, anti-science US. Everybody does it, it's probably the best way to get government funding these days. Whether this is wasteful would depend on your opinion of research, but it's certainly an idiotic way to go about it.
Nearly right, but people have pointed out some of the gaps in your examples. Here's the slight variation that doesn't have them:
Scenario P:
BadCorp produce a box which won't run unsigned code, and which only they can add keys to the trusted keys file. ApostleCorp produce modified GPL programs for the BadCorp box, and publish the full source of their modified program on the internet. BadCorp produces only proprietary programs for the BadCorp box, with no GPLed code in them, but they do (for a fee) sign programs written by other people. ApostleCorp pay to have their program signed so that people can run it on BadCorp's box.
The GPL prohibits this. Sounds unlikely? BadCorp is Sony, their box is the Playstation 2 (their signing system has been resoundingly defeated, but the intent was there and the Playstation 3 will probably have a harder version). You can boot linux on that thing, because it's GPLv2. If linux were GPLv3, there would be no playstation port of it. Sony will never release those keys and they will never care because they don't make any GPLed software.
In shooting at companies who would use GPLed software in their own devices, the GPLv3 prevents anybody else from using it on those devices either. In a few years, if MS gets their palladium stuff working, that will probably include new PCs - you will not be able to run linux-based platforms on your desktop any more, not because MS banned it, but because the FSF did (they are aware of this problem and just don't care).
That is of course if Intel doesn't lift this technology from IBM for their own chips in the future. Which they will.
Only if by "Intel" you mean "AMD". Intel hasn't updated their chip fabrication technology in ages - they're notoriously slow to make improvements in that area. It's one of the reasons why AMD caught up with them so fast. Coincidentally, it's also why AMD has so much trouble producing enough chips to meet demand (currently there is a shortage of low-end opterons): they keep having to rebuild their production lines.
I don't think we'll see Intel producing mainstream chips using this technology before 2010 - assuming they manage to revive their chip development (which has been lackluster in the past three years) and that AMD doesn't wipe them out of the desktop CPU market entirely. (Apple's reasons for choosing Intel over AMD were, according to slashdot, all about the non-desktop CPUs)
AMD have a partnership with IBM for just this sort of thing (it's how they got SOI technology), so we just might see them using this stuff first.
There has to be a statistical reason why your car insurance is so absurdly high when you're a late teen, with a steady decrease before a significant reduction at the age of 35.
There's elementary survival statistics here, for one thing. Significant numbers of the worst drivers get themselves killed; the survivors will overall be better drivers. Older people have survived longer therefore are more likely to be better drivers.
Like any technology this could have its uses (as the above example) and I really think a lot of the concerns are exaggerated (I have a hard time getting my RFID badge to trigger the door locks here, even when it's practically touching the reader). The tinfoil hat crowd and their "the black helicopters will read these as they fly over your house" don't make a lot of sense to me.
To repeat a point that Schneier made recently (can't find the link, sorry), there's three ranges involved here and you're making the common mistake of confusing two or more of them.
There's the expected operating range - that's the distance at which the device is intended to function. In order to keep costs down, and to prevent false triggers (which are regarded as worse than false misses), door opening systems, checkout scanners, and similar devices are designed with an intended operating distance of a few inches. At that range it should always work, when the hardware is not defective.
Then there's the maximum operating range - that's how far you can manage to pick up the signal with the same equipment on a good day, if you wave it about a bit and tilt it to get a better angle and clear any metal objects out of the immediate area, etcetera. That's usually a few feet on the same devices.
Then there's the maximum operating range for a person with special equipment. No longer using that cheap $20 RFID reader in the door sensor or checkout. Now we're using an expensive, high-gain antenna with an expensive amplifier, and a specialised computer device on the back end doing noise compensation and stuff. That's usually on a scale of somewhere between dozens of yards and miles (depending on exactly what variation of RFID you are dealing with), reading the same tags that we were reading the first times. The cost of this equipment is measured in hundreds or thousands of dollars. Too much to be installed in a door sensor, but there's absolutely no reason why you couldn't own one if you wanted to, and scan all the RFID tags on your street. Anybody who can afford a helicopter can certainly have one of those.
You are observing some combination of the first two distances and wondering why people are worried about the third one. Saying that the government wants to do this might be a conspiracy theory, but saying that it can be done is not - hobbyists do this kind of thing all the time. Bluetooth has the same issue (normal operating range is a few feet, maximum is some number of miles). Most wireless devices do, to some extent.
The difference between these ranges is just economics at work. You can buy better equipment if you want, but the companies who install hundreds of fixed devices buy the cheapest equipment they can get away with using.
Would a French company be allowed to re-distribute GPL'd software in violation of the terms of the GPL by claiming this law frees them of the constraints of copyright?
This is a variation on the old argument that strong copyright is necessary for the GPL to work. The flaw in the argument is that the GPL is only necessary in the presence of strong copyright. If such a law permitted you to distribute any software without regard for licensing terms, then we wouldn't need a license that forces people to distribute their changes - we can just take their changes without a license. Sure, there are some issues (you need somebody within the company to publish the source - legal, but you still have to get your hands on the actual bits), but it's still got some great advantages to the end user. It's difficult to say which option is better, overall, but it's definitely not "copyright good, public domain bad".
I suspect that if companies did not have the stick of copyright and patent law to beat up their competitors with, then they would naturally migrate to free software models, because anything else costs more and accomplishes little - once the secret gets out anyway (and it will, in the networked world), you've lost your only advantage and might as well migrate.
Are there any cases where the word "blog" is used and it is not both unneeded and senseless? Mostly it seems synonymous with "pointless shit that I'm going to promote with buzzwords". (The 'official' meaning is basically the same thing as 'web site').
That was war. All parties were equally responsible and there were lots of parties. I believe the poster was comparing the slave trade to the non-war stuff, like the Jewish holocaust - according to your article, that was only 5 million.
"When you kill 1 man, it is a tragedy. When you kill 10 million, it is a statistic." - Stalin, or something like that
Most of those aren't ads, they're permanent picture links to stuff that the editors think is cool. Who the hell advertises "Impeach Bush"?
Anyway, boingboing doesn't appear to be doing anything they haven't been doing for years - collecting interesting stuff from the internet and putting it on boingboing. It's like slashdot, only with interesting stuff and fewer idiots doing the writing. I can only guess that random users have been submitting things to slashdot that they saw on boingboing more often - I haven't noticed any of it coming from the boingboing editors.
Suggesting that makes you an anti-American terrorist. The Department of Homeland Security will now investigate you at great expense, and if you happen to be a Muslim, ship you off to a detainment camp to be held without trial.
The sad part is that this isn't a joke.
Don't you know you must now say Richard M. Stallman, Peace be upon Him,
And you have to make the gesture of the holy beard.
We are at war.
Yes.
You are at war with limits on government power.
You are at war with threats to profit margins.
You are at war with competitors to the president's business interests.
You are at war with people who might vote against the current regime.
You are at war with informed citizens.
You are at war with freedom.
Your weapons in this war are terror, rhetoric, money, politics, TV, and anything else you can lay your hands on.
You are the enemy. I really hope you lose.
Why do you think this is Microsoft's fault? ... Why pay $300 for a home OS that you won't use half the features.
It's their fault for charging $300 for a box that's worth at most $30 - the linux boxes you can get on the shelf set the true market value of that functionality, and they come with a complete suite of applications. You don't get anything with windows - even IE and OE have to be replaced with Firefox and Thunderbird before the system is viable.
The differences in functionality between XP Home and Professional are frankly rather small. Microsoft are charging extra because they can, not because the product is more expensive. The real reason for the Home/Professional split was to let them shove up the price of Professional and to get a lot of people to pay for windows twice when the box arrives and they realise that they actually needed Professional (happens a lot in medium companies where the purchasing people don't understand computers - sure, you can blame the idiot who bought the wrong thing, but Microsoft deliberately engineered things to encourage this).
RISC died a long time ago. Once you get past all the morons on slashdot, the point behind the RISC idea was simply this: We know more about writing compilers than we do about making chips. Design systems so that the compiler does more of the work.
Since the 1980s we've learned a lot about making chips but not much about making compilers (there have been massive changes in the way chips are designed; compilers have made some minor improvements but basically work the same way as they always have). Nobody's made RISC chips for the mass market in years - all modern chips behave a little like RISC and a little like CISC but mostly like neither of them. The whole RISC/CISC thing is so obsolete that it's not funny any more - it is just not a relevant consideration in modern chip design. Nowadays we're concerned with things like register pressure, speculative out-of-order execution, cache coherency, and retaining the information from the original source code so that the CPU can behave more intelligently with it.
Swing, unfortunately, has some design limitations, not the least of which is that it is very memory hungry.
I'm surprised that you didn't mention the biggest problem with Swing for practical purposes, which is that the API was designed by an insane crack weasel with a terminal case of brain rot. Really, what sort of person thinks that getSystemLookAndFeelClassName is a sensible name for a function in a standard library? (There's certainly far worse issues, but that one always struck me as the most gratuitous. Somebody probably spent a fair bit of time thinking of the most obnoxious names they could for the more obscure functions - you just can't come up with a name like that by accident)
Swing makes the rest of the java standard library look good.
An RFID tag is just something like the license plate on your car.
Do you walk around wearing a large plate describing, in lettering visible from a considerable distance, all the items you are carrying about your person?
This technology could revolutionise the pickpocket industry. They don't need a complete database of all known tags. They just need to lurk down the street from the Apple store and know the code for "ipod" which is used at that particular store. Other valuable items (on the black market) that may include RFID tags are: passports, ID cards, most electronic products still in their original boxes, pharmaceuticals...
And that's just one of the many possible uses for them. I'm sure people will find more and more creative ways to take advantage of the newly available information. Imagine if you could profile the current possessions of a customer to identify the ones likely to make a purchase, and target your salespeople to them, or even just prohibit the rest from entering.
The possibilities for bold new patents are almost unlimited.
Yeah, everybody knows that you can't do digital delivery. Well, not without strong DRM, anyway.
From http://totalgaming.stardock.com/about.aspx:
Frankly, I expect the grandkids to look back and laugh at the idea that anybody would ever pay for DRMed crippleware. After all, people like to own things - not be told that they're trying to steal the thing they paid for. The "TV prohibition" years should have come and gone by then. And I find it pretty funny that dongles ever existed.
There will probably still be stores with boxes in them, but internet delivery of games is already here - I haven't bought a PC game on a physical disk in at least a year. Service that good is here to stay.
Where does "knowledgeable about" end, and "vested interest" begin?
Somewhere near the foot of Capitol Hill, apparently.
Can it translate accurately from Arabic to English?
If it does what I think it's doing, which is about looking for structural patterns in the data without having any understanding of English in the first place, then this is unnecessary. Such systems don't really care much about the language they are applied to, so long as it's got something approximating a word-sentence-paragraph structure.
Not that it matters, because the 'terrorists' being targeted here are really US dissidents, who will be using English in the first place. Nobody expects a system like this to catch real terrorists, it's obviously intended to monitor the population who might otherwise be sympathetic to the foreign freedom fighters trying to throw off the yoke of US oppression, or whatever. Makes me glad I don't live in the US.
Sounds like a big waste of time and (my) money.
My bet is that this is a research effort which the researchers put a 'terrorism' spin on in order to get funding. It's definitely a worthwhile research project - if it does what I think, this is leading-edge stuff that should advance the state of the art in data mining. Probably not so worthwhile as an application, because the technology isn't really that accurate yet.
Spinning research as a military and/or defense system in order to get grant money is standard practice in the military-obsessed, anti-science US. Everybody does it, it's probably the best way to get government funding these days. Whether this is wasteful would depend on your opinion of research, but it's certainly an idiotic way to go about it.
Nearly right, but people have pointed out some of the gaps in your examples. Here's the slight variation that doesn't have them:
Scenario P:
BadCorp produce a box which won't run unsigned code, and to whose trusted keys file only they can add keys. ApostleCorp produce modified GPL programs for the BadCorp box, and publish the full source of their modified program on the internet. BadCorp produces only proprietary programs for the BadCorp box, with no GPLed code in them, but they do (for a fee) sign programs written by other people. ApostleCorp pay to have their program signed so that people can run it on BadCorp's box.
The GPL prohibits this. Sounds unlikely? BadCorp is Sony, their box is the Playstation 2 (their signing system has been resoundingly defeated, but the intent was there and the Playstation 3 will probably have a harder version). You can boot linux on that thing, because it's GPLv2. If linux were GPLv3, there would be no playstation port of it. Sony will never release those keys and they will never care because they don't make any GPLed software.
In shooting at companies who would use GPLed software in their own devices, the GPLv3 prevents anybody else from using it on those devices either. In a few years, if MS gets their palladium stuff working, that will probably include new PCs - you will not be able to run linux-based platforms on your desktop any more, not because MS banned it, but because the FSF did (they are aware of this problem and just don't care).
That is of course if Intel doesn't lift this technology from IBM for their own chips in the future. Which they will.
Only if by "Intel" you mean "AMD". Intel hasn't updated their chip fabrication technology in ages - they're notoriously slow to make improvements in that area. It's one of the reasons why AMD caught up with them so fast. Coincidentally, it's also why AMD has so much trouble producing enough chips to meet demand (currently there is a shortage of low-end opterons): they keep having to rebuild their production lines.
I don't think we'll see Intel producing mainstream chips using this technology before 2010 - assuming they manage to revive their chip development (which has been lackluster in the past three years) and that AMD doesn't wipe them out of the desktop CPU market entirely. (Apple's reasons for choosing Intel over AMD were, according to slashdot, all about the non-desktop CPUs)
AMD have a partnership with IBM for just this sort of thing (it's how they got SOI technology), so we just might see them using this stuff first.
There has to be a statistical reason why your car insurance is so absurdly high when you're a late teen, with a steady decrease before a significant reduction at the age of 35.
There's elementary survival statistics here, for one thing. Significant numbers of the worst drivers get themselves killed; the survivors will overall be better drivers. Older people have survived longer and are therefore more likely to be better drivers.
Like any technology this could have its uses (as the above example) and I really think a lot of the concerns are exaggerated (I have a hard time getting my RFID badge to trigger the door locks here, even when it's practically touching the reader). The tinfoil hat crowd and their "the black helicopters will read these as they fly over your house" don't make a lot of sense to me.
To repeat a point that Schneier made recently (can't find the link, sorry), there are three ranges involved here and you're making the common mistake of confusing two or more of them.
There's the expected operating range - that's the distance at which the device is intended to function. In order to keep costs down, and to prevent false triggers (which are regarded as worse than false misses), door opening systems, checkout scanners, and similar devices are designed with an intended operating distance of a few inches. At that range it should always work, when the hardware is not defective.
Then there's the maximum operating range - that's how far you can manage to pick up the signal with the same equipment on a good day, if you wave it about a bit and tilt it to get a better angle and clear any metal objects out of the immediate area, etcetera. That's usually a few feet on the same devices.
Then there's the maximum operating range for a person with special equipment. No longer using that cheap $20 RFID reader in the door sensor or checkout. Now we're using an expensive, high-gain antenna with an expensive amplifier, and a specialised computer device on the back end doing noise compensation and stuff. That's usually on a scale of somewhere between dozens of yards and miles (depending on exactly what variation of RFID you are dealing with), reading the same tags that we were reading the first times. The cost of this equipment is measured in hundreds or thousands of dollars. Too much to be installed in a door sensor, but there's absolutely no reason why you couldn't own one if you wanted to, and scan all the RFID tags on your street. Anybody who can afford a helicopter can certainly have one of those.
You are observing some combination of the first two distances and wondering why people are worried about the third one. Saying that the government wants to do this might be a conspiracy theory, but saying that it can be done is not - hobbyists do this kind of thing all the time. Bluetooth has the same issue (normal operating range is a few feet, maximum is some number of miles). Most wireless devices do, to some extent.
The difference between these ranges is just economics at work. You can buy better equipment if you want, but the companies who install hundreds of fixed devices buy the cheapest equipment they can get away with using.
Would a French company be allowed to re-distribute GPL'd software in violation of the terms of the GPL by claiming this law frees them of the constraints of copyright?
This is a variation on the old argument that strong copyright is necessary for the GPL to work. The flaw in the argument is that the GPL is only necessary in the presence of strong copyright. If such a law permitted you to distribute any software without regard for licensing terms, then we wouldn't need a license that forces people to distribute their changes - we can just take their changes without a license. Sure, there are some issues (you need somebody within the company to publish the source - legal, but you still have to get your hands on the actual bits), but it's still got some great advantages to the end user. It's difficult to say which option is better, overall, but it's definitely not "copyright good, public domain bad".
I suspect that if companies did not have the stick of copyright and patent law to beat up their competitors with, then they would naturally migrate to free software models, because anything else costs more and accomplishes little - once the secret gets out anyway (and it will, in the networked world), you've lost your only advantage and might as well migrate.
Are there any cases where the word "blog" is used and it is not both unneeded and senseless? Mostly it seems synonymous with "pointless shit that I'm going to promote with buzzwords". (The 'official' meaning is basically the same thing as 'web site').
That was war. All parties were equally responsible and there were lots of parties. I believe the poster was comparing the slave trade to the non-war stuff, like the Jewish holocaust - according to your article, that was only 5 million.
"When you kill 1 man, it is a tragedy. When you kill 10 million, it is a statistic." - Stalin, or something like that
Most of those aren't ads, they're permanent picture links to stuff that the editors think is cool. Who the hell advertises "Impeach Bush"?
Anyway, boingboing doesn't appear to be doing anything they haven't been doing for years - collecting interesting stuff from the internet and putting it on boingboing. It's like slashdot, only with interesting stuff and fewer idiots doing the writing. I can only guess that random users have been submitting things to slashdot that they saw on boingboing more often - I haven't noticed any of it coming from the boingboing editors.
You're supposed to gather RIM, NTP, *and* the horde and crucify all the patent lawyers.