Some ideas how you could voice your protest indirectly. Things like this work, because company divisions send feedback to upper management and stores hate products with high return rates.
1.) Buy a SONY product from a local store, play around with it, be sure to have extra-greasy fat fingers when doing that, and then return the product within the official return period pointing out that you don't agree with the EULA (which was in the box, possibly just as a link).
Repeat at the next store.
2.) Write a friendly, formal sounding letter to SONY telling them that you have bought a PS3 (or whatever else you have from them), but realized upon closer examination that the EULA is completely unacceptable to you and might even be illegal in your country. Tell them explicitly that you do NOT agree with the license but, of course, wish to continue to use their product. Send them a copy of the license with your suggested changes, asking them to sign an agreement to accept these changes. If they don't agree, ask for a full refund.
3.) Open technical support tickets at SONY customer support (or call up), asking them for directions how to install LINUX on their device. If they say it can't run linux, be disappointed that this wasn't mentioned on the box and ask them for information on how to return the product for a full refund. Ask them for the postal mail address of the responsible legal department for subsequent correspondence.
4.) Close web/forum/service accounts you have with SONY (whatever it is), asking them to never send you mail again and to delete all the data about you stored on their servers. Point out that future correspondence need to be sent via postal mail and point out email anti-spam laws and privacy protection laws. Works at least in Europe, where there are strict anti-spam and privacy protection laws in place by now.
Of course, I'm only speaking hypothetically here. We all want to be good customers, don't we?
A quick Google search revealed that (statistically) every 30 seconds a child in Africa dies because of Malaria. Other causes of death are pneumonia, diarrhea, measles, and malnutrition. Most of these deaths are preventable.
I just can't believe I've been modded troll for pointing this out.
They would buy both if they were paid fairly for their work and therefore had the money to afford expensive, first-world gimmicks. Meanwhile, school books and malaria medicine would also do.
Na, Geocities was much cooler. It had dark corners and silent backwaters, nobody used his real name, and the company didn't constantly try to steal your data or lock you into their money making scheme.
I've recently had the pleasure of playing around with an Android device. So, let's see...
It wasn't able to correctly recognize the foreign-language hardware keyboard...no accent characters.I would have needed to root it in a rather complicated way, potentially bricking the device during the process, just in order to change the keyboard settings! (That was the Toshiba AC100 and I've returned it.) Moreover, the "marketplace" didn't look very interesting to me, there is just too much proprietary crap software for Android there. I'm really not interested at all in having to pay for software on my phone and would prefer to have access to all the applications available on one of the large Linux distros. Even worse, I had to get a Google account in order to use the "marketplace", even though I was only interested in free applications. That sucks. Now, what else there is...Android also has an ugly "corporate drone" GUI design and look-and-feel that I personally dislike. Lots of shiny buttons, but I want to be able to choose and adjust the look of my phone's GUI as I like. Perhaps this possible with Android, I just didn't find an obvious way to do it. Android also seems to have a tendency to submit data to 3rd party sites without asking me (e.g. to Google, correct me if I'm wrong). I'm not even using Google as a search engine and certainly don't want any Google searchbar on my phone. Finally, I'm using Emacs for my work, notes, schedules, coding, and so on, but Emacs doesn't seem to run on Android.
What I want is a phone running Ubuntu or some other decent Linux distro. The phone could look similar to a N900 but perhaps the keyboard should have one or two additional more modifier keys. Once one of these is out, I'll buy it.
(This is not a joke, it's my honest opinion. Sorry if it disturbs some people...and no, I'm not RMS.)
Sure, but how do you know that it's implemented correctly without auditing the source code?
I'm sure that the developer is competent, but as history has shown over and over competent and experienced implementers of cryptographic modules also make serious mistakes. Moreover, the Patriot act can be used to force a US developer, no matter how idealistic and good-willing he might be, to include a back-door and prevent him ever from telling anyone about it. My point of view is that for this reason alone you cannot trust proprietary, closed-source encryption software, particularly when it is developed in the US.
At least the app should allow for checking arbitrary test vectors.
It's not open source. The vast majority of all proprietary encryption products are flawed or intentionally flawed. In fact, I would say that nearly all of the products that have been scrutinized by experts (i.e. reverse engineered, etc.) have turned out to be seriously flawed. The ones that don't appear to have buggy implementations just haven't interested anyone enough yet to take a closer look.
If this document is genuine, this company "Palantir" has suggested and supports activities that are not only criminal in Europa but also in the US. We're talking about libel and slander, "cyber-terrorist" attacks on foreign it business and infrastructure (servers hosted in Sweden, France), and so on.
I don't know whether the document itself gives enough grounds for a lawsuits, probably not, but if these guys do anything of what they suggest or even aid in it, and it can be traced back to them, I feel a lawsuit coming in 3...2...1...
By the way, how are the investigations of the DoS attacks against Wikileaks server going? Any news on that?
I think your concern is that the hashes somehow converge after repeated iterations. No, that doesn't happen with cryptographic hashes.
No, I was really just worried about entropy loss, as I wrote. There was an extensive discussion about this many years ago at sci.crypt and the general consensus was that iterated hashing results in entropy loss---albeit a very, very slow one. Whether this could be used for any practical attack is another matter. I don't know.
Anyway, if you use a symmetric block cipher for intermediary steps (after first hashing) there should be no additional loss of entropy and so such a scheme for iterated hashing seems to have advantages over iterating the secure hash only as in PBKDF2. (I'm not convinced that, as another poster seems to have suggested, secure hash functions do not have collisions for input the same size as the output---although that would certainly be a nice property if it could be proved for such a function.)
You haven't convinced me yet. I have definitely heard otherwise from experts (but I'm myself not an expert on this).
Hash functions are generally many to one and have collisions. Doesn't that already suffice to prove that each application must result in a loss of entropy even when the input has the same size as the output block size? (I don't see the relation to the dispersion qualities of the function that you mention.) I recall having once read that the entropy of repeated iterations of the same secure hash function converges to n/2, where n is the original entropy. Doesn't Schneier say something like that, too?
I'm skeptical about schemes like PBKDF2. Doesn't the passphrase loose entropy each time you hash it? Instead, for iterated hashing it's probably better to use a one of the methods of transforming a conventional block cipher into a hash function. Anyway, what you should worry about is not so much the hashing itself but the entropy of the passphrase.
For example, I doubt many human-invented passphrases would stand a chance against a cleverly-generated, terabyte-sized dictionary. Heck, most people use "1234" anyway, don't they?
I've just bought a Toshiba AC-100 at a reduced price and spent 4 hours trying to figure out how to install flash for watching videos (hint: not possible). Okay, so flash is evil, perhaps I should force myself to live without it even though its used everywhere. Then I spent another 4 hours and numerous factory resets trying to figure out how to enter accented characters---the keyboard is Portuguese and has accents, but for some bizarre reason they are not combined with the character. On Ubuntu I'd just change the keyboard settings, but on Android there is no such setting (no, ctrl-space does not work). Of course, I could press "a" very long to get a menu and choose the accent in that menu---a really good option for someone who makes a living by writing texts. Oh and by the way, there is no word processor or text editor on the AC-100. And, of course, Toshiba had the glorious idea not to include the market place app so you cannot install new apps from market.android.com and have to use their crappy clone with about 50 apps instead.
Quite honestly, if I had the money I would definitely sue companies for pushing out clearly unfinished and dysfunctional products like the AC-100. I'm tired and too busy for being an unpaid beta tester, and putting GNU/linux on the device is not always a solution. (In case of the AC-100 it's still very complicated even for a tech-savvy person like me and you can accidentally brick the device because the factory reset does not work as it should.)
Could someone make a page with the personal phone numbers of the CEOs of companies like Toshiba, so people can call them up for customer support? Just an idea...
Anyway, thanks for your attention;-) I'll return the device tomorrow.
I used to run NetBSD on an old PP Mac booted from a zip drive in the nineties. It was running great but since then I haven't looked at it again. I know that the 3 free BSDs (open-, free- and net-) are security audited and support old hardware very well. But I wonder what advantages the kernel itself brings. So my potentially stupid questionis:
What's the advantage of running Debian with a BSD kernel instead of linux?
In my humble opinion, people working on projects called "Future Terrorism Project" at research institutes with names like "the Foundation for Defense of Democracies" should just shut up. I mean, really, shut up!
Instead of musing about a message protocol, they should rather spend their time learning and improving LINCOS. Freudenthal's system is still the de facto standard for communication with aliens but has only occasionally been worked on by enthusiasts and NASA employees. LINCOS is in dire need of an overhaul, including a more modern transcription notation, and the second volume has never been finished. The original book is hard to get and it takes a substantial amount of time just to get into the framework, and that's probably why they don't use LINCOS.
I have the same problem here in Europe with movies. I'd gladly pay $3, perhaps even more, to watch a good 70ies movie in high-definition over the Net if I could choose among many thousands of movies (because I've already seen almost all well-known movies, so it really needs to be a huge list to choose from).
But the annoying thing is that there is absolutely NO way to legally stream over the net ANY kind of movies where I live, not even new ones. It's really annoying. I have a 100/10 fiber optics connection and have been waiting for years and there still is no such service here. Meanwhile, I can at least choose from a huge list of movies on 'pirate' streaming sites, although all of them are in bad quality. (The reason I put 'pirate' in scare quotes is because they are the only ones who actually deliver the service.)
So time Warner & Co loose their customers at large and criminalize them at the same time...even though they could make billions of $$$. What a bunch of morons...
I agree with the OP and want to mention another issue.
Common encryption algorithms can be detected heuristically with high accuracy. Moreover, the original implementation/source code of the encryption can usually be identified. Perhaps the developers did not want the adversary to find out which implementation they used and for obvious reasons didn't want to use their own implementation. Also, when you use encryption, keys on the C&C endpoints are linked to the malware in a way that cannot plausibly denied -- not very desirable either.
I'm amazed that "Facebook" needs about 1000 engineers for their site. I'd have thought that a team of 3-4 engineers could achieve the same effect. Honestly, I'm not joking. Then again, I haven't looked at their site for more than a year and no longer have an account, so perhaps its by now powered by rocket science.
Slashdot Mirror
No.
AC is completely right, but the answer is too short. Here is the long answer:
No, but as a professional computer scientist you need to go to conferences because it's part of your job.
Some ideas how you could voice your protest indirectly. Things like this work, because company divisions send feedback to upper management and stores hate products with high return rates.
1.) Buy a SONY product from a local store, play around with it, be sure to have extra-greasy fat fingers when doing that, and then return the product within the official return period pointing out that you don't agree with the EULA (which was in the box, possibly just as a link).
Repeat at the next store.
2.) Write a friendly, formal sounding letter to SONY telling them that you have bought a PS3 (or whatever else you have from them), but realized upon closer examination that the EULA is completely unacceptable to you and might even be illegal in your country. Tell them explicitly that you do NOT agree with the license but, of course, wish to continue to use their product. Send them a copy of the license with your suggested changes, asking them to sign an agreement to accept these changes. If they don't agree, ask for a full refund.
3.) Open technical support tickets at SONY customer support (or call up), asking them for directions how to install LINUX on their device. If they say it can't run linux, be disappointed that this wasn't mentioned on the box and ask them for information on how to return the product for a full refund. Ask them for the postal mail address of the responsible legal department for subsequent correspondence.
4.) Close web/forum/service accounts you have with SONY (whatever it is), asking them to never send you mail again and to delete all the data about you stored on their servers. Point out that future correspondence need to be sent via postal mail and point out email anti-spam laws and privacy protection laws. Works at least in Europe, where there are strict anti-spam and privacy protection laws in place by now.
Of course, I'm only speaking hypothetically here. We all want to be good customers, don't we?
A quick Google search revealed that (statistically) every 30 seconds a child in Africa dies because of Malaria. Other causes of death are pneumonia, diarrhea, measles, and malnutrition. Most of these deaths are preventable.
I just can't believe I've been modded troll for pointing this out.
They would buy both if they were paid fairly for their work and therefore had the money to afford expensive, first-world gimmicks. Meanwhile, school books and malaria medicine would also do.
Na, Geocities was much cooler. It had dark corners and silent backwaters, nobody used his real name, and the company didn't constantly try to steal your data or lock you into their money making scheme.
In other words, Facebook is what AOL was in the 90s....
What exactly is your issue with Android?
I've recently had the pleasure of playing around with an Android device. So, let's see...
It wasn't able to correctly recognize the foreign-language hardware keyboard...no accent characters.I would have needed to root it in a rather complicated way, potentially bricking the device during the process, just in order to change the keyboard settings! (That was the Toshiba AC100 and I've returned it.) Moreover, the "marketplace" didn't look very interesting to me, there is just too much proprietary crap software for Android there. I'm really not interested at all in having to pay for software on my phone and would prefer to have access to all the applications available on one of the large Linux distros. Even worse, I had to get a Google account in order to use the "marketplace", even though I was only interested in free applications. That sucks. Now, what else there is...Android also has an ugly "corporate drone" GUI design and look-and-feel that I personally dislike. Lots of shiny buttons, but I want to be able to choose and adjust the look of my phone's GUI as I like. Perhaps this possible with Android, I just didn't find an obvious way to do it. Android also seems to have a tendency to submit data to 3rd party sites without asking me (e.g. to Google, correct me if I'm wrong). I'm not even using Google as a search engine and certainly don't want any Google searchbar on my phone. Finally, I'm using Emacs for my work, notes, schedules, coding, and so on, but Emacs doesn't seem to run on Android.
What I want is a phone running Ubuntu or some other decent Linux distro. The phone could look similar to a N900 but perhaps the keyboard should have one or two additional more modifier keys. Once one of these is out, I'll buy it.
(This is not a joke, it's my honest opinion. Sorry if it disturbs some people...and no, I'm not RMS.)
Sure, but how do you know that it's implemented correctly without auditing the source code?
I'm sure that the developer is competent, but as history has shown over and over competent and experienced implementers of cryptographic modules also make serious mistakes. Moreover, the Patriot act can be used to force a US developer, no matter how idealistic and good-willing he might be, to include a back-door and prevent him ever from telling anyone about it. My point of view is that for this reason alone you cannot trust proprietary, closed-source encryption software, particularly when it is developed in the US.
At least the app should allow for checking arbitrary test vectors.
It's not open source. The vast majority of all proprietary encryption products are flawed or intentionally flawed. In fact, I would say that nearly all of the products that have been scrutinized by experts (i.e. reverse engineered, etc.) have turned out to be seriously flawed. The ones that don't appear to have buggy implementations just haven't interested anyone enough yet to take a closer look.
If this document is genuine, this company "Palantir" has suggested and supports activities that are not only criminal in Europa but also in the US. We're talking about libel and slander, "cyber-terrorist" attacks on foreign it business and infrastructure (servers hosted in Sweden, France), and so on.
I don't know whether the document itself gives enough grounds for a lawsuits, probably not, but if these guys do anything of what they suggest or even aid in it, and it can be traced back to them, I feel a lawsuit coming in 3...2...1...
By the way, how are the investigations of the DoS attacks against Wikileaks server going? Any news on that?
I think your concern is that the hashes somehow converge after repeated iterations. No, that doesn't happen with cryptographic hashes.
No, I was really just worried about entropy loss, as I wrote. There was an extensive discussion about this many years ago at sci.crypt and the general consensus was that iterated hashing results in entropy loss---albeit a very, very slow one. Whether this could be used for any practical attack is another matter. I don't know.
Anyway, if you use a symmetric block cipher for intermediary steps (after first hashing) there should be no additional loss of entropy and so such a scheme for iterated hashing seems to have advantages over iterating the secure hash only as in PBKDF2. (I'm not convinced that, as another poster seems to have suggested, secure hash functions do not have collisions for input the same size as the output---although that would certainly be a nice property if it could be proved for such a function.)
You haven't convinced me yet. I have definitely heard otherwise from experts (but I'm myself not an expert on this).
Hash functions are generally many to one and have collisions. Doesn't that already suffice to prove that each application must result in a loss of entropy even when the input has the same size as the output block size? (I don't see the relation to the dispersion qualities of the function that you mention.) I recall having once read that the entropy of repeated iterations of the same secure hash function converges to n/2, where n is the original entropy. Doesn't Schneier say something like that, too?
I'm skeptical about schemes like PBKDF2. Doesn't the passphrase loose entropy each time you hash it? Instead, for iterated hashing it's probably better to use a one of the methods of transforming a conventional block cipher into a hash function. Anyway, what you should worry about is not so much the hashing itself but the entropy of the passphrase.
For example, I doubt many human-invented passphrases would stand a chance against a cleverly-generated, terabyte-sized dictionary. Heck, most people use "1234" anyway, don't they?
I've just bought a Toshiba AC-100 at a reduced price and spent 4 hours trying to figure out how to install flash for watching videos (hint: not possible). Okay, so flash is evil, perhaps I should force myself to live without it even though its used everywhere. Then I spent another 4 hours and numerous factory resets trying to figure out how to enter accented characters---the keyboard is Portuguese and has accents, but for some bizarre reason they are not combined with the character. On Ubuntu I'd just change the keyboard settings, but on Android there is no such setting (no, ctrl-space does not work). Of course, I could press "a" very long to get a menu and choose the accent in that menu---a really good option for someone who makes a living by writing texts. Oh and by the way, there is no word processor or text editor on the AC-100. And, of course, Toshiba had the glorious idea not to include the market place app so you cannot install new apps from market.android.com and have to use their crappy clone with about 50 apps instead.
Quite honestly, if I had the money I would definitely sue companies for pushing out clearly unfinished and dysfunctional products like the AC-100. I'm tired and too busy for being an unpaid beta tester, and putting GNU/linux on the device is not always a solution. (In case of the AC-100 it's still very complicated even for a tech-savvy person like me and you can accidentally brick the device because the factory reset does not work as it should.)
Could someone make a page with the personal phone numbers of the CEOs of companies like Toshiba, so people can call them up for customer support? Just an idea...
Anyway, thanks for your attention ;-) I'll return the device tomorrow.
I'm not on Facebook...cancelled my account more than a year ago.
A well, FreeBSD kernel is what I've meant, of course...sorry!
I used to run NetBSD on an old PP Mac booted from a zip drive in the nineties. It was running great but since then I haven't looked at it again. I know that the 3 free BSDs (open-, free- and net-) are security audited and support old hardware very well. But I wonder what advantages the kernel itself brings. So my potentially stupid questionis:
What's the advantage of running Debian with a BSD kernel instead of linux?
They would deserve it more than Obama, which doesn't necessarily imply that they'd deserve it.
Nope, I only get spam from Facebook.
I concur. I tried to become a member and wasn't allowed to. OpenLeaks is not open but closed. Useless.
In my humble opinion, people working on projects called "Future Terrorism Project" at research institutes with names like "the Foundation for Defense of Democracies" should just shut up. I mean, really, shut up!
Instead of musing about a message protocol, they should rather spend their time learning and improving LINCOS. Freudenthal's system is still the de facto standard for communication with aliens but has only occasionally been worked on by enthusiasts and NASA employees. LINCOS is in dire need of an overhaul, including a more modern transcription notation, and the second volume has never been finished. The original book is hard to get and it takes a substantial amount of time just to get into the framework, and that's probably why they don't use LINCOS.
I have the same problem here in Europe with movies. I'd gladly pay $3, perhaps even more, to watch a good 70ies movie in high-definition over the Net if I could choose among many thousands of movies (because I've already seen almost all well-known movies, so it really needs to be a huge list to choose from).
But the annoying thing is that there is absolutely NO way to legally stream over the net ANY kind of movies where I live, not even new ones. It's really annoying. I have a 100/10 fiber optics connection and have been waiting for years and there still is no such service here. Meanwhile, I can at least choose from a huge list of movies on 'pirate' streaming sites, although all of them are in bad quality. (The reason I put 'pirate' in scare quotes is because they are the only ones who actually deliver the service.)
So time Warner & Co loose their customers at large and criminalize them at the same time...even though they could make billions of $$$. What a bunch of morons...
I agree with the OP and want to mention another issue.
Common encryption algorithms can be detected heuristically with high accuracy. Moreover, the original implementation/source code of the encryption can usually be identified. Perhaps the developers did not want the adversary to find out which implementation they used and for obvious reasons didn't want to use their own implementation. Also, when you use encryption, keys on the C&C endpoints are linked to the malware in a way that cannot plausibly denied -- not very desirable either.
I'm amazed that "Facebook" needs about 1000 engineers for their site. I'd have thought that a team of 3-4 engineers could achieve the same effect. Honestly, I'm not joking. Then again, I haven't looked at their site for more than a year and no longer have an account, so perhaps its by now powered by rocket science.