With respect, you're completely wrong primarily because you haven't defined "secure communication". In your head you probably have a vague idea about what this means, probably something along the lines of the traffic being encrypted. However, anyone who knows virtually anything about cryptographic protocols understands that, in practice and for virtually all applications, merely encrypting data sent across a link does not give overall security. Authentication of the remote site is, with very few exceptions, just as important as encryption. There are very, very few applications where having an encrypted conversation with an unauthenticated party is of any value. It's not relevant when sending your credit card details, your bank account number and PIN or even logging into some miscellaneous website. Any sites that apply for SSL certificates just for encrypting traffic probably don't understand this principle either -- but that is clear because (rightly or wrongly) if they really just cared about encryption then they would just use self-signed certificates anyway. Note that the weakness involved in the authentication performed by CAs prior to issuing certificates is an entirely separate issue although the problems this has highlighted why authentication is a vital prerequisite to virtually any secure communication.
- Spend more money on your lens than on your body. In fact, don't get a cheap kit lens that comes with a camera. Buy a decent body that has the features you need but don't throw away money on a poor quality lens. If you can't afford the lenses you need right now, save. But don't waste money on a poor quality lens. I was given this advice when I bought my first 35mm SLR. I ignored it (on grounds of cost) and now I've had to replace the lens anyway with one that produces decent image quality. While zooms are flexible, primes are often great value for money in terms of image quality.
- When you buy a 35mm SLR you aren't buying a camera. You're buying a system. While there are good arguments for all the systems, IMO the Canon EOS system is the one with the best options for the future. A big part of the reason for this is Canon's current dominance of the digital SLR market. If you buy into the EOS system, you have a clear upgrade path to a DSLR. Yes, Nikon 35mm lenses will work with their DSLRs but Nikon seems to be headed down the path to sub-35mm digital sensors as a standard and is therefore bringing out lenses which will not work on your film SLR. (Canon have done this too but not for any serious lens, just as a way of selling cheap cameras.) Canon's clear intention is towards full-frame DSLR sensors and ultimately that's what most photographers want. Anyway, it's a complex issue and my overall point is, be careful what system you choose. It's not the body that matters but the lenses and there are really only two big 35mm system at the moment (Canon and Nikon) and Canon's EOS seems like the one with the best future. All the people who've bought into the other systems will now flame me but look into the facts for yourself. One opinion:
The article talks about implementing passports incorporating biometric data.
THIS IS TRUE OF EVERY SINGLE PASSPORT TODAY!
Every passport contains a photo of the person to who it belongs. This photo is (supposedly) certified by the government who issues the passport. Incorproating additional biometric data won't make it more secure, it just increases the cost.
Why don't these people actually get someone who knows something about security to check these ideas over before they get turned into laws?
I was working with AbiWord last night trying to help my girlfriend prepare a lab report. Quite honestly, it sucked badly. I really don't think you can say any word processor that can't create and work with tables is at version 1.0.
It only sucked slightly less than KWord which wasn't even able to properly list the documents available in a directory in the Open dialog.
OpenOffice might be 20 times larger but it's probably more than 20 times better.
When someone writes a virus, they very often get it wrong. (Of course, this is just an extension of programmers making their usual mistakes.) As most people know, the Internet Worm had a bug which caused it to bring down machines but this wasn't actually what the author intended. Similarly many of the contemporary worms contain bugs which alter their impact from what their authors actually intended. Nonetheless, they are still very damaging -- sometimes more so due to these mistakes!
If people start writing "benevolent" worms to fix these problems, they very likely aren't going to get it right the first time. Or even the second. It's hard to debug this sort of code because it's hard to actually predict how it will perform out there on the great sprawling mass of today's hetergenous Internet. They will most likely release buggy code that will cause more damage than it will solve. Naturally this is just one problem and there are undoubtedly others but I hope people don't end up going down this path. At least until some official, well-thought out plan is established.
This piece didn't really seem all that complete since there were a couple of things that should have been mentioned. The first one was that the standard did not mandate just an 128-bit key length but also required key lenghts of 192- and 256-bits. An 128-bit block size was also required.
Secondly it should have been mentioned that Rijndael had the smallest "security margin" of the AES finalists. (At least I'm pretty sure it was the smallest, I don't have the papers here to confirm.) What this means is that out of the number of rounds (essentially iterations) of the cipher, it has proportionally the most broken of any of the finalists. While none of these represent real-life attacks they do give some indication of a confidence level for the future. Remember, as Bruce likes to say, "attacks always get better."
Finally it should be noted that this is only a standard for a block cipher so calling it a "encryption standard" is a little misleading. It would be nice also to have an official stream cipher standard and public key encryption standard.
Here here! I've never seen Kurt Seifried say anything new or interesting. He just re-hashes what has been known for years in the most sensationalist way that he can. From what I can tell its just to get more visitors to the SecurityPortal site (to sell more banner ads) and to gratify his ego. It would be different if he at least knew what he was talking about but the vague (yet ominous) way he explains concepts clearly exposes his lack of insight.
I see a lot of people recommending the use of DDD. In my experience the DDD program can never stay running long enough to give me any useful debugging information! All the versions I've ever used just crash constantly and are buggy in other areas too. Am I doing something wrong?
As an alternative, the Insight GUI component of GDB 5.0 has been MUCH more stable for me, although I don't know if it is any good at debugging threaded applications.
It's interesting to see Moglen and other posters recommending that we encrypt as much as possible. I wonder how this is proposed to be done:
We can't encrypt when browsing the web unless the remote site supports SSL so we basically don't get a choice here.
We can't encrypt everything in general using something like IPsec because of the administrative overhead required at BOTH ends.
We can't habitually encrypt our email unless the person we are emailing have a public key (and one that we can trust!). I can't think of anyone I know personally who has a public key and/or uses PGP et al.
I appreciate the overall purpose of the recommendation but encrypting everything is just not possible today. Even encrypting small amounts (like email) is awkward and inconvenient in the RARE situations where it is possible. It seems like people who know nothing about cryptography like to jump up and down and say how encryption solves all these problems and we should all be using it. Encryption doesn't solve any problems, it just moves them around -- often at considerably increased overhead costs.
As a side note, it's interesting that Moglen seemed to suggest that SSH is secure while SSL is not when, in fact, it would appear to be the opposite. SSL as a protocol is much better designed and more secure than SSH. Defeating the SSH protocol would probably require significantly less work for an attacker than trying to break even 40-bit RC4 SSL.
Certification isn't *useless*. But it's true value is questionable and this is essentially because, while it may provide the *functionality* you need to enforce the appropriate security policy, it doesn't provide the *assurance*. The higher levels of TCSEC provide assurance that the *design* of the functionality meets the security policy but they DO NOT provide any assurance that the implementation meets this policy. As anyone who knows anything about computer security vulnerability knows, the majority of security problems are implementation errors/oversights.
All those people who, along with ESR, said "it doesn't matter if we call it 'Open Source' to impress the suits, so long we know what we mean" have a lot to answer for. From browsing the posts on this story it's amazing how many people suddenly don't give a damn about Free software anymore. Statements that we should just be grateful for whatever crumbs the software hoarders choose to give us. Statements that 'open source' can just mean 'available source code' and people trying to assuage their consciences by saying "Open Source != open source" are completely ridiculous. Why can't these people just go away and use some other operating system? I don't think I want to be part of a community of operating system users who don't care about Free software anymore.
Sure they can use multiple licenses but why would you pay to license software you could get freely? Without going and re-reading the OSD, I seem to recall a clause which prevents people from restricting who may use the software released as "open source". Hence you cannot prevent someone from using the open source version of software and try to force them to pay for non-free software.
Can't you read? The person you "corrected" just told you that you have to explicitly run the script for it to be effective. You then say that you "clicked the attachment" (i.e., you explicitly ran the script) and that it "infected your computer". You've told someone they are wrong and then backed up what they've said!
This article gets it exactly right. I've always told people that the only purpose to MySQL is to provide an SQL interface to data* -- it's not even in the same country as a relational DBMS.
The only real ommission in this article was that they didn't mention that MySQL is proprietary software -- it is NOT Free software ("Open Source" tm) by any stretch of the imagination. I don't know how many responses I've seen to the recent ZDNet article which cite MySQL as an example of "Open Source". These people should get their facts straight before they start making public statements on behalf of the Free software community.
* Actually, you can now do this with Perl so MySQL has become even more irrelevant.
In terms of running Kerberized client software there is probably no advantage of one operating system over another. As for running a Kerberos keyserver, I would say OpenBSD is likely to be a superior choice than most (if not all) other operating systems. This is because the keyserver is the major weak link in the Kerberos chain: if the key server is compromised then all user's passwords are also immediately compromised. Therefore a system like OpenBSD which attains a very high level of security is probably better than other general purpose systems, even if these systems (like Linux and FreeBSD) can be made quite secure.
Oh please, Brett. What have you contributed to GNU/Linux lately? If it's more significant than gcc, gdb, emacs,... (and the existence of the rest of the GNU software) then maybe you have right to spout these ridiculous comments. If, on the other hand, you're just some ZDNET luser, perhaps you should go and bother someone else. Honestly, the objectives of the GNU project are very plain and openly stated. If you don't like them, use another operating system. (btw, this is all very off-topic. the problem is with Debian's license being subverted which doesn't just include GPL software... or do you have a problem with all types of free software too?)
Yes, IPv6 includes security but who's actually using IPv6 at this point in time? (very few people). IPsec is the generic approach, originally for use in IPv6 but now also (hopefully) to be included in IPv4 stacks as well. It's good to see Linux leading the way in these new areas - is anyone aware of other OS's that have implementations of IPsec?
I'm not a lawyer so someone please tell me why the debate isn't "Do people have the right to have secrets and other private matters?" That seems to me a more reasonable assertion that "code is speech". Code might be speech (valid arguments for) but it might just be a device (valid arguments against). Doesn't anyone else feel that the real question should be whether or not we have the right to keep certain things to ourselves? After all, that's what the US government is saying: "We are in control, you aren't allowed to have anything that you keep from us." A rather odd idea when you consider what democracy is supposed to be about...
Of course, I'm not from the US but since a lot of software is, this is a hassle for everyone.
I hate to point out the obvious, but this illustrates the problem with the term "open source". While "free software" is ambiguous, "open source" is just plain inaccurate so companies like Microsoft can come along and decide on a new definition for it and most people won't realise that it's wrong.
Sure, "open source" is just as strictly defined as "free software" but because the term doesn't accurately describe what it actually means this allows people to be able to get away (in terms of public perception) with creating their own definitions.
Ummm... this is getting confusing - I remember the good ol' days where there were a handful of comments for each story and you could read them all in flat mode and... $oldmanramble
Anyway, is someone going to write a Slashdot HOWTO now?:)
Bruce Perens just put into words (as he so often does) things that I have been thinking for a long time. Right at the start of this "Open Source" disaster, rms stressed that he thought we should be talking MORE about freedom and not less - I'm glad someone else with some public visibility has stepped forward and said the same thing.
esr started this whole mess when *he* decided that he was going to rename our entire community. And his contribution to our community at this point? Well, he wrote part of fetchmail... (plus the New Hacker's Dictionary - if you count that). Almost everything he's said and done since that point has been to draw attention to himself and to inflate his ego further.
Sure, rms is someone with extreme views that can be hard for many people to accept. But in terms of his contribution to our community he's done a helluva lot more than esr. (started the GNU project, wrote most of gcc,gdb etc., devised the GPL, formed the FSF and on and on). I'm glad someone like Bruce Perens has now stepped forward to help move our focus back to where it should be - on freedom and not on pandering to the whims of companies and businesses.
Slashdot Mirror
...luckily they don't have cryptography in Russia!
With respect, you're completely wrong primarily because you haven't defined "secure communication". In your head you probably have a vague idea about what this means, probably something along the lines of the traffic being encrypted. However, anyone who knows virtually anything about cryptographic protocols understands that, in practice and for virtually all applications, merely encrypting data sent across a link does not give overall security. Authentication of the remote site is, with very few exceptions, just as important as encryption. There are very, very few applications where having an encrypted conversation with an unauthenticated party is of any value. It's not relevant when sending your credit card details, your bank account number and PIN or even logging into some miscellaneous website. Any sites that apply for SSL certificates just for encrypting traffic probably don't understand this principle either -- but that is clear because (rightly or wrongly) if they really just cared about encryption then they would just use self-signed certificates anyway. Note that the weakness involved in the authentication performed by CAs prior to issuing certificates is an entirely separate issue although the problems this has highlighted why authentication is a vital prerequisite to virtually any secure communication.
Two pieces of advice:
r -n ikon.shtml
- Spend more money on your lens than on your body. In fact, don't get a cheap kit lens that comes with a camera. Buy a decent body that has the features you need but don't throw away money on a poor quality lens. If you can't afford the lenses you need right now, save. But don't waste money on a poor quality lens. I was given this advice when I bought my first 35mm SLR. I ignored it (on grounds of cost) and now I've had to replace the lens anyway with one that produces decent image quality. While zooms are flexible, primes are often great value for money in terms of image quality.
- When you buy a 35mm SLR you aren't buying a camera. You're buying a system. While there are good arguments for all the systems, IMO the Canon EOS system is the one with the best options for the future. A big part of the reason for this is Canon's current dominance of the digital SLR market. If you buy into the EOS system, you have a clear upgrade path to a DSLR. Yes, Nikon 35mm lenses will work with their DSLRs but Nikon seems to be headed down the path to sub-35mm digital sensors as a standard and is therefore bringing out lenses which will not work on your film SLR. (Canon have done this too but not for any serious lens, just as a way of selling cheap cameras.) Canon's clear intention is towards full-frame DSLR sensors and ultimately that's what most photographers want. Anyway, it's a complex issue and my overall point is, be careful what system you choose. It's not the body that matters but the lenses and there are really only two big 35mm system at the moment (Canon and Nikon) and Canon's EOS seems like the one with the best future. All the people who've bought into the other systems will now flame me but look into the facts for yourself. One opinion:
http://www.luminous-landscape.com/essays/whithe
The article talks about implementing passports incorporating biometric data.
THIS IS TRUE OF EVERY SINGLE PASSPORT TODAY!
Every passport contains a photo of the person to who it belongs. This photo is (supposedly) certified by the government who issues the passport. Incorproating additional biometric data won't make it more secure, it just increases the cost.
Why don't these people actually get someone who knows something about security to check these ideas over before they get turned into laws?
I was working with AbiWord last night trying to help my girlfriend prepare a lab report. Quite honestly, it sucked badly. I really don't think you can say any word processor that can't create and work with tables is at version 1.0.
It only sucked slightly less than KWord which wasn't even able to properly list the documents available in a directory in the Open dialog.
OpenOffice might be 20 times larger but it's probably more than 20 times better.
When someone writes a virus, they very often get it wrong. (Of course, this is just an extension of programmers making their usual mistakes.) As most people know, the Internet Worm had a bug which caused it to bring down machines but this wasn't actually what the author intended. Similarly many of the contemporary worms contain bugs which alter their impact from what their authors actually intended. Nonetheless, they are still very damaging -- sometimes more so due to these mistakes!
If people start writing "benevolent" worms to fix these problems, they very likely aren't going to get it right the first time. Or even the second. It's hard to debug this sort of code because it's hard to actually predict how it will perform out there on the great sprawling mass of today's hetergenous Internet. They will most likely release buggy code that will cause more damage than it will solve. Naturally this is just one problem and there are undoubtedly others but I hope people don't end up going down this path. At least until some official, well-thought out plan is established.
This piece didn't really seem all that complete since there were a couple of things that should have been mentioned. The first one was that the standard did not mandate just an 128-bit key length but also required key lenghts of 192- and 256-bits. An 128-bit block size was also required.
Secondly it should have been mentioned that Rijndael had the smallest "security margin" of the AES finalists. (At least I'm pretty sure it was the smallest, I don't have the papers here to confirm.) What this means is that out of the number of rounds (essentially iterations) of the cipher, it has proportionally the most broken of any of the finalists. While none of these represent real-life attacks they do give some indication of a confidence level for the future. Remember, as Bruce likes to say, "attacks always get better."
Finally it should be noted that this is only a standard for a block cipher so calling it a "encryption standard" is a little misleading. It would be nice also to have an official stream cipher standard and public key encryption standard.
Here here! I've never seen Kurt Seifried say anything new or interesting. He just re-hashes what has been known for years in the most sensationalist way that he can. From what I can tell its just to get more visitors to the SecurityPortal site (to sell more banner ads) and to gratify his ego. It would be different if he at least knew what he was talking about but the vague (yet ominous) way he explains concepts clearly exposes his lack of insight.
As an alternative, the Insight GUI component of GDB 5.0 has been MUCH more stable for me, although I don't know if it is any good at debugging threaded applications.
- We can't encrypt when browsing the web unless the remote site supports SSL so we basically don't get a choice here.
- We can't encrypt everything in general using something like IPsec because of the administrative overhead required at BOTH ends.
- We can't habitually encrypt our email unless the person we are emailing have a public key (and one that we can trust!). I can't think of anyone I know personally who has a public key and/or uses PGP et al.
I appreciate the overall purpose of the recommendation but encrypting everything is just not possible today. Even encrypting small amounts (like email) is awkward and inconvenient in the RARE situations where it is possible. It seems like people who know nothing about cryptography like to jump up and down and say how encryption solves all these problems and we should all be using it. Encryption doesn't solve any problems, it just moves them around -- often at considerably increased overhead costs.As a side note, it's interesting that Moglen seemed to suggest that SSH is secure while SSL is not when, in fact, it would appear to be the opposite. SSL as a protocol is much better designed and more secure than SSH. Defeating the SSH protocol would probably require significantly less work for an attacker than trying to break even 40-bit RC4 SSL.
Certification isn't *useless*. But it's true value is questionable and this is essentially because, while it may provide the *functionality* you need to enforce the appropriate security policy, it doesn't provide the *assurance*. The higher levels of TCSEC provide assurance that the *design* of the functionality meets the security policy but they DO NOT provide any assurance that the implementation meets this policy. As anyone who knows anything about computer security vulnerability knows, the majority of security problems are implementation errors/oversights.
All those people who, along with ESR, said "it doesn't matter if we call it 'Open Source' to impress the suits, so long we know what we mean" have a lot to answer for. From browsing the posts on this story it's amazing how many people suddenly don't give a damn about Free software anymore. Statements that we should just be grateful for whatever crumbs the software hoarders choose to give us. Statements that 'open source' can just mean 'available source code' and people trying to assuage their consciences by saying "Open Source != open source" are completely ridiculous. Why can't these people just go away and use some other operating system? I don't think I want to be part of a community of operating system users who don't care about Free software anymore.
Sure they can use multiple licenses but why would you pay to license software you could get freely? Without going and re-reading the OSD, I seem to recall a clause which prevents people from restricting who may use the software released as "open source". Hence you cannot prevent someone from using the open source version of software and try to force them to pay for non-free software.
Can't you read? The person you "corrected" just told you that you have to explicitly run the script for it to be effective. You then say that you "clicked the attachment" (i.e., you explicitly ran the script) and that it "infected your computer". You've told someone they are wrong and then backed up what they've said!
The only real ommission in this article was that they didn't mention that MySQL is proprietary software -- it is NOT Free software ("Open Source" tm) by any stretch of the imagination. I don't know how many responses I've seen to the recent ZDNet article which cite MySQL as an example of "Open Source". These people should get their facts straight before they start making public statements on behalf of the Free software community.
* Actually, you can now do this with Perl so MySQL has become even more irrelevant.
In terms of running Kerberized client software there is probably no advantage of one operating system over another. As for running a Kerberos keyserver, I would say OpenBSD is likely to be a superior choice than most (if not all) other operating systems. This is because the keyserver is the major weak link in the Kerberos chain: if the key server is compromised then all user's passwords are also immediately compromised. Therefore a system like OpenBSD which attains a very high level of security is probably better than other general purpose systems, even if these systems (like Linux and FreeBSD) can be made quite secure.
Because we wouldn't be here without them.
Oh please, Brett. What have you contributed to GNU/Linux lately? If it's more significant than gcc, gdb, emacs, ... (and the existence of the rest of the GNU software) then maybe you have right to spout these ridiculous comments. If, on the other hand, you're just some ZDNET luser, perhaps you should go and bother someone else. Honestly, the objectives of the GNU project are very plain and openly stated. If you don't like them, use another operating system. (btw, this is all very off-topic. the problem is with Debian's license being subverted which doesn't just include GPL software... or do you have a problem with all types of free software too?)
Yes, IPv6 includes security but who's actually using IPv6 at this point in time? (very few people). IPsec is the generic approach, originally for use in IPv6 but now also (hopefully) to be included in IPv4 stacks as well. It's good to see Linux leading the way in these new areas - is anyone aware of other OS's that have implementations of IPsec?
I'm not a lawyer so someone please tell me why the debate isn't "Do people have the right to have secrets and other private matters?" That seems to me a more reasonable assertion that "code is speech". Code might be speech (valid arguments for) but it might just be a device (valid arguments against). Doesn't anyone else feel that the real question should be whether or not we have the right to keep certain things to ourselves? After all, that's what the US government is saying: "We are in control, you aren't allowed to have anything that you keep from us." A rather odd idea when you consider what democracy is supposed to be about...
Of course, I'm not from the US but since a lot of software is, this is a hassle for everyone.
I hate to point out the obvious, but this illustrates the problem with the term "open source". While "free software" is ambiguous, "open source" is just plain inaccurate so companies like Microsoft can come along and decide on a new definition for it and most people won't realise that it's wrong.
Sure, "open source" is just as strictly defined as "free software" but because the term doesn't accurately describe what it actually means this allows people to be able to get away (in terms of public perception) with creating their own definitions.
Ummm... this is getting confusing - I remember the good ol' days where there were a handful of comments for each story and you could read them all in flat mode and... $oldmanramble
:)
Anyway, is someone going to write a Slashdot HOWTO now?
"MS isn't good at ports"
I'd suggest: "MS isn't good at software."
If you could shrink-wrap and sell marketing off the shelf, THEN you'd really see a monopoly.
We have our rms and our esr - we need to know Bruce Peren's middle name now so we can have our bXp...
Bruce Perens just put into words (as he so often does) things that I have been thinking for a long time. Right at the start of this "Open Source" disaster, rms stressed that he thought we should be talking MORE about freedom and not less - I'm glad someone else with some public visibility has stepped forward and said the same thing.
esr started this whole mess when *he* decided that he was going to rename our entire community. And his contribution to our community at this point? Well, he wrote part of fetchmail... (plus the New Hacker's Dictionary - if you count that). Almost everything he's said and done since that point has been to draw attention to himself and to inflate his ego further.
Sure, rms is someone with extreme views that can be hard for many people to accept. But in terms of his contribution to our community he's done a helluva lot more than esr. (started the GNU project, wrote most of gcc,gdb etc., devised the GPL, formed the FSF and on and on). I'm glad someone like Bruce Perens has now stepped forward to help move our focus back to where it should be - on freedom and not on pandering to the whims of companies and businesses.
Congratulations again Bruce!