They've come close to consigning themselves to the dustbin of technological history by being arrogant and relying on marketing instead of actual good tech to sell their products. Why does anybody wait breathlessly for their product announcements anymore?
*laugh* Yeah, I don't think Microsoft will ever have very good security. Their company just doesn't have the internal culture of disbelief in the quality of their own products for them to ever have decent security. In order to be secure, you have to always be looking for the ways in which you can be hacked, and have to fundamentally believe they exist. That will never happen at Microsoft.
*nod* Judging from the number of ssh attempted login scans, there are a fair number of comprimised Linux boxes out there.:-(
I'm starting to get really annoyed with Open Source people patting themselves on the back over security when stuff like that last thing where the people tried to get someone responsible for Linux kernel development to accept a security related patch, and ended up having to get an article on Slashdot before it happened.
Security doesn't just magically happen. The Open Source development model is the only way to go if you want real security, but it actually requires effort on the part of maintainers to make it happen.
As I said somewhere else, I have my desktop up and running all the time with 20-120 windows up. It's annoying to have to run around and shut all those things down and save the state just so I can run a game, so I don't.
That description fits me pretty well too. Though, I don't care much about uptime exactly. I just have my desktop running all the time, and it's kind of upsetting to have to shut it down. I lose half the context that way.
But yes, if a game doesn't exist for Linux, I don't buy it.:-( And I've bought copies of about 80% of the commercial Linux games ever made.
Support for asynchronous IO is spotty and somewhat ill-concieved. It should be possible to write an application that is completely event driven, even down to disk IO. The only event I can see that may be impossible for an application to schedule ahead of the time it needs to results is a page-in. In particular, it should be possible to do the exact same form of asynchronous IO on every single file descriptor resource a process can own.
The filesystem API needs to be changed so that filesystems that support full ACID semantics can be used. This, IMHO, is the biggest barrier to high-quality distributed filesystems.
The IO system needs some means of doing 0-copy IO that works for every single file descriptor resource a process could own.
Once the above are implemented, a slimmed down, core API needs to be designed and all the old standard Unix calls implemented in terms of it.
Patents exist to convince people to publish how their devices work so other people can learn, and thereby improve them, or other things they are doing. They do not exist to force people to come up with different ways of doing something to avoid the patent.
I so love the "His Dark Materials" series. It's such a subversive tweak in the nose to all that I hate about Christianity in America (in fact, in the world in general). Christian fundamentalists in America would so go for the cutting device to separate people from their daemons. That's actually the only thing I've ever read about in a novel that's nearly made me sick to my stomach.
To some extent, all the villains are among 'the weak' because they do not follow the moral code of the supers. I did not feel strongly that the villains always lacked superpowers or were attempting to rise above their station in any way other than that they were trying to exert their powers in a way that was harming everybody else.
*laugh* Yeah, but that wireless signal generally doesn't broadcast through thickish walls really well unless you really turn up the gain, and then you run the risk of damaging your ears.:-)
I won't use Bluetooth, and I won't use wireless keyboards, and I'm very leary of wireless speakers and sound. Why? Security.
I have not seen one single wireless standard that actually took security seriously enough to for the protocol to be reasonably secure. They've all had glaring flaws. I have not seen one implementation of The Resurrecting Duckling Protocol for personal wireless devices, despite that being a decent choice that's not at all hard to set up or for lay people to understand. The state of wireless security is abysmal, and I see no signs that it's getting better.
Heck, most digital cell phones aren't even encrypted.
This problem is directly caused by the use of insecure human-readable names, and the use of IP addresses as identifiers. Both things don't work on the Internet. You need names that can be mathematically verified to be owned by the party you're communicating with. Names should be public keys.
If the purpose of a patent is to convince people to publish knowledge of how their inventions work, why is it so hard for anybody but a patent lawyer to understand a patent? If it's purpose is to disseminate information, and thus encourage the progress of science and the useful arts, shouldn't the patent be written in a language that's geared towards the engineers who work in the field?
It seems to me that the current purpose of patents is more a legal weapon to use against competitors. It's purpose is no longer seen as a way to encourage the dissemination of information, rather it's purpose is to restrict the freedom of everybody but the patent holder without the patent holder having given anything in return.
So, what will you do for your fun when all the forums in the world die because you and your ilk persist in making them unpleasant places to be? Would you just vastly prefer that people not try to gather in large groups and communicate with one another?
I will blatantly state that people who are close to me in social networks that matter to me are people who's deaths affect me more and I'm more concerned with. I don't like that people die in general. I don't like that they all too often die because of the willful actions of another human being. But, when push comes to shove, the people who are close to me in social networks that matter to me are people who's deaths I'm going to actively mourn.
I've met RMS personally. It's quite likely that I know several people who are friends with the person who died. His passing saddens me.
It upsets me that people in a forum devoted to the community those people were a part of make crass jokes about the situation and people involved. It's rude and insulting.
So, because I don't care about the deaths of everybody in the world, my caring about the death of some particular people that happened to be (relatively) closely linked in a social network I care very much about is false and hypocritical?
Besides, when confronted with the deaths of people who's names I never knew, and who's friends names I never knew, and who's friends friends names I never knew, I don't make snarky sarcastic comments. I at least manage the humanity to be silent and at least momentarily sad that such things happen.
Yeah, Slashdot isn't the real world. None of the things you say in these forums are ever supposed to have actual consequences anywhere. People online aren't really people.
You can use the vulnerability also to try to probe the internal details of a protocol implementation to attempt to learn keys and things. Several OpenSSL vulnerabilities have been based on timing attacks on error handling. If you can generate two payloads that have the same hash, you can get past a level of verification, and possibly learn something from how long it takes the system to reject your packet.
Also, you can prefix two identical packets with different sets of chosen garbage bytes and have them hash the same. It's also possible (though I'm not at all sure) that you could insert the different sequences of bytes into the middle of two otherwise identical packets, or suffix those packets with them, and still have them hash the same. Any of these may open up interesting vulnerabilities in various protocols.
I base this conclusion (and subsequent speculation) on knowing that MD5 and SHA1 are vulnerable to length extension attacks because the internal state of the algorithm is easily determined from the final value. So, you can just backtrack from the final value to the internal state that generated it, then start adding bytes.
I don't really understand the mathemtics behind the problem they've found with MD5, but it seems to me like it might open up the possibility of being able to manufacture one sequence that has the same hash as another sequence that you have no control over. And if that can be done, MD5 isn't safe for practically anything people use MD5 for currently.
I just don't like seeing algorithms that have proven problems being encouraged for use. There's a lot of misunderstanding of cryptography out there. I would rather people treat algorithm breakage with unreasonable paranoia rather than having them try to find the set of things it's still good for. Especially when there are replacement algorithms that are just as widespread, and have not yet been broken.
I think people should toss it out anyway. It doesn't matter that it can be OK for some things and not others. What matters is that it no longer satisfies the requirements for a secure hash function. This means, that for some set of purposes you'd use a secure hash function, it's no longer good.
This means, every time you think about using MD5, you have to decide if it's secure for that purpose or not. And that will sometimes not be a very easy question. It's best just to scrap the entire thing, and quit using it completely than to try to educate everybody about all the things it is and isn't good for now.
*sigh* I should've thought things through carefully before I posted and made my remarks much more careful and bounded. But, I still think my main point is valid.
Slashdot Mirror
I find the overrated and troll modifiers to be amusing. I guess Slashdot is like everywhere else, and contentious opinions are just as unwanted.
They've come close to consigning themselves to the dustbin of technological history by being arrogant and relying on marketing instead of actual good tech to sell their products. Why does anybody wait breathlessly for their product announcements anymore?
*laugh* Yeah, I don't think Microsoft will ever have very good security. Their company just doesn't have the internal culture of disbelief in the quality of their own products for them to ever have decent security. In order to be secure, you have to always be looking for the ways in which you can be hacked, and have to fundamentally believe they exist. That will never happen at Microsoft.
*nod* Judging from the number of ssh attempted login scans, there are a fair number of comprimised Linux boxes out there. :-(
I'm starting to get really annoyed with Open Source people patting themselves on the back over security when stuff like that last thing where the people tried to get someone responsible for Linux kernel development to accept a security related patch, and ended up having to get an article on Slashdot before it happened.
Security doesn't just magically happen. The Open Source development model is the only way to go if you want real security, but it actually requires effort on the part of maintainers to make it happen.
If you have an opportunity to, chuck it and use Subversion instead.
And communist theory has very little to do with reality.
As I said somewhere else, I have my desktop up and running all the time with 20-120 windows up. It's annoying to have to run around and shut all those things down and save the state just so I can run a game, so I don't.
That description fits me pretty well too. Though, I don't care much about uptime exactly. I just have my desktop running all the time, and it's kind of upsetting to have to shut it down. I lose half the context that way.
But yes, if a game doesn't exist for Linux, I don't buy it. :-( And I've bought copies of about 80% of the commercial Linux games ever made.
And Saddam took 15-20 years, where we've only had 2 so far. Give it time.
The defense of 'everybody does it' is not a defense. I notice that you make no attempt to actually debunk any of the stories he mentioned above.
No, actually, it's not.
Patents exist to convince people to publish how their devices work so other people can learn, and thereby improve them, or other things they are doing. They do not exist to force people to come up with different ways of doing something to avoid the patent.
I so love the "His Dark Materials" series. It's such a subversive tweak in the nose to all that I hate about Christianity in America (in fact, in the world in general). Christian fundamentalists in America would so go for the cutting device to separate people from their daemons. That's actually the only thing I've ever read about in a novel that's nearly made me sick to my stomach.
To some extent, all the villains are among 'the weak' because they do not follow the moral code of the supers. I did not feel strongly that the villains always lacked superpowers or were attempting to rise above their station in any way other than that they were trying to exert their powers in a way that was harming everybody else.
*laugh* Yeah, but that wireless signal generally doesn't broadcast through thickish walls really well unless you really turn up the gain, and then you run the risk of damaging your ears. :-)
I won't use Bluetooth, and I won't use wireless keyboards, and I'm very leary of wireless speakers and sound. Why? Security.
I have not seen one single wireless standard that actually took security seriously enough to for the protocol to be reasonably secure. They've all had glaring flaws. I have not seen one implementation of The Resurrecting Duckling Protocol for personal wireless devices, despite that being a decent choice that's not at all hard to set up or for lay people to understand. The state of wireless security is abysmal, and I see no signs that it's getting better.
Heck, most digital cell phones aren't even encrypted.
This problem is directly caused by the use of insecure human-readable names, and the use of IP addresses as identifiers. Both things don't work on the Internet. You need names that can be mathematically verified to be owned by the party you're communicating with. Names should be public keys.
If the purpose of a patent is to convince people to publish knowledge of how their inventions work, why is it so hard for anybody but a patent lawyer to understand a patent? If it's purpose is to disseminate information, and thus encourage the progress of science and the useful arts, shouldn't the patent be written in a language that's geared towards the engineers who work in the field?
It seems to me that the current purpose of patents is more a legal weapon to use against competitors. It's purpose is no longer seen as a way to encourage the dissemination of information, rather it's purpose is to restrict the freedom of everybody but the patent holder without the patent holder having given anything in return.
So, what will you do for your fun when all the forums in the world die because you and your ilk persist in making them unpleasant places to be? Would you just vastly prefer that people not try to gather in large groups and communicate with one another?
I will blatantly state that people who are close to me in social networks that matter to me are people who's deaths affect me more and I'm more concerned with. I don't like that people die in general. I don't like that they all too often die because of the willful actions of another human being. But, when push comes to shove, the people who are close to me in social networks that matter to me are people who's deaths I'm going to actively mourn.
I've met RMS personally. It's quite likely that I know several people who are friends with the person who died. His passing saddens me.
It upsets me that people in a forum devoted to the community those people were a part of make crass jokes about the situation and people involved. It's rude and insulting.
So, because I don't care about the deaths of everybody in the world, my caring about the death of some particular people that happened to be (relatively) closely linked in a social network I care very much about is false and hypocritical?
Besides, when confronted with the deaths of people who's names I never knew, and who's friends names I never knew, and who's friends friends names I never knew, I don't make snarky sarcastic comments. I at least manage the humanity to be silent and at least momentarily sad that such things happen.
Yeah, Slashdot isn't the real world. None of the things you say in these forums are ever supposed to have actual consequences anywhere. People online aren't really people.
You can use the vulnerability also to try to probe the internal details of a protocol implementation to attempt to learn keys and things. Several OpenSSL vulnerabilities have been based on timing attacks on error handling. If you can generate two payloads that have the same hash, you can get past a level of verification, and possibly learn something from how long it takes the system to reject your packet.
Also, you can prefix two identical packets with different sets of chosen garbage bytes and have them hash the same. It's also possible (though I'm not at all sure) that you could insert the different sequences of bytes into the middle of two otherwise identical packets, or suffix those packets with them, and still have them hash the same. Any of these may open up interesting vulnerabilities in various protocols.
I base this conclusion (and subsequent speculation) on knowing that MD5 and SHA1 are vulnerable to length extension attacks because the internal state of the algorithm is easily determined from the final value. So, you can just backtrack from the final value to the internal state that generated it, then start adding bytes.
I don't really understand the mathemtics behind the problem they've found with MD5, but it seems to me like it might open up the possibility of being able to manufacture one sequence that has the same hash as another sequence that you have no control over. And if that can be done, MD5 isn't safe for practically anything people use MD5 for currently.
I just don't like seeing algorithms that have proven problems being encouraged for use. There's a lot of misunderstanding of cryptography out there. I would rather people treat algorithm breakage with unreasonable paranoia rather than having them try to find the set of things it's still good for. Especially when there are replacement algorithms that are just as widespread, and have not yet been broken.
I think people should toss it out anyway. It doesn't matter that it can be OK for some things and not others. What matters is that it no longer satisfies the requirements for a secure hash function. This means, that for some set of purposes you'd use a secure hash function, it's no longer good.
This means, every time you think about using MD5, you have to decide if it's secure for that purpose or not. And that will sometimes not be a very easy question. It's best just to scrap the entire thing, and quit using it completely than to try to educate everybody about all the things it is and isn't good for now.
*sigh* I should've thought things through carefully before I posted and made my remarks much more careful and bounded. But, I still think my main point is valid.
Even the ability to manufacture collisions is bad.
Since I'm tired of writing essentially the same thing over and over again, here's a link as to why.