Slashdot Mirror


User: lazarusL

lazarusL's activity in the archive.

Stories: 0
Comments: 131

Comments · 131

  1. One word answer: AGE on On Choosing Encryption ... · · Score: 1

    Your question included: "isn't even an AES candidate."

    One of the issues which should be important to those in the crypto-algorithm-choosing position would usually be called "peer review." In layman's terms, this translates to "how long has it been beaten upon by (how many) knowledgeable eyes and how many weaknesses have been discovered (that seem important/pertinent to my desired usage)?"

    (Insert standard discussion on open source v. security-by-obscurity here.)

    Unlike in the mass-market-mindset where larger version numbers are "better" than smaller (RH 5.0 v. Debian 2.2 anyone?) a more-recent release date is actually a negative point in the realm of crypto (all else being equal of course.) Old == Better, in this field.

    AES is, quite frankly, rather "new" within the context of cryptographic algorithms, at least to the tastes of many. Heck, the final decision on AES has not even been made yet, right?

    ObCaveat: Beware the fallacy of equating "uses a decent encryption algorithm" with "is secure / is safe / meets my needs well." A poor protocol can make even an "unbreakable" algorithm worthless. Be sure that the app you choose is not only employing an appropriate encryption algorithm for the specific intent but also that there are not gaping holes in the specific implementation of that algorithm, or hideous problems in the protocol which surrounds that algorithm.

    If you do not understand the above, I strongly recommend enlisting the assistance of someone more knowledgeable than yourself in the area of crypto when making the choice of which software will best meet your needs. Encryption isn't like other software in that a checklist of keywords (AES for example) will not suffice in product selection. Poorly-implemented products using 3DES and an insecure protocol may actually be easier to crack than well-designed products using ("1")DES and a secure protocol. (The encryption algorithm is by no means everything.)

  2. Re:Doing your part! on When Background Checks Go Wrong... · · Score: 1

    I do. (Yeah, sure I do.)

  3. Related/Sidebar: Tonight's Nightline on Update On "Voices From The Hellmouth" · · Score: 1
    • Sidebar:

    Seems like an appropriate place to mention: Tonight on Nightline, Ted Koppel will apparently be interviewing "friends" of the gunmen of Columbine. I suspect they will likely support or discredit the "alienated geeks" motive for the shooting, in case anyone is still interested in the Columbine-Hellmouth issue. Might be a pertinent follow to the Hellmouth series (more so than strictly topic to this story.)


    • Back to this story:

    "We should have done this the first time around, but we're only human. We make mistakes, and we apologize for them. We hope that this is the right thing to do."

    Kudos for the public apology and the efforts to make up for the initial error in judgement.

  4. Re:slightly offtopic: fighting "embrace & extend" on Censorship != Innovation · · Score: 1

    "trademark the name"

    (Hopefully, the following will fall under "fair use" provisions. heh.)


    From RFC 1510, near the top:

    "Project Athena, Athena, Athena MUSE, Discuss, Hesiod, Kerberos, Moira, and Zephyr are trademarks of the Massachusetts Institute of Technology (MIT). No commercial use of these trademarks may be made without prior written permission of MIT."

    Is inclusion in a commercial OS considered "commercial use"? ;-)

  5. In a word: Publish! on Microsoft Asks Slashdot To Remove Readers' Posts · · Score: 1

    My perspective on the matter can be summed up in a single word: Publish!

    The most appropriate response to take in response to someone attempting to sweep matters under the rug, to silence, to censor, is to make that attempt subject to the most glaring of spotlights, to advise the public-at-large of the attempt to suppress the truth. I am pleased to see that this is exactly the course of action Slashdot has chosen so far.

    (Before anyone criticizes the use of the word "censor" above, please note that my comments are not specific to any non-governmental entity, but apply to all equally.)

    Entities attempting to repress the truth are reprehensible.

    Entities fearing the disclosure of the truth will generally not appreciate the light of day shining upon their attempts to repress the (original) truth.

    Entities such as the above will generally look at previous actions taken in response to attempts to intimidate and suppress, and take that history into account when deciding whether to initiate an[other] attempt to intimidate and suppress. This is most important.

    Any indication of acquiescence (translated as fear by the nose of the vicious beast) will result in further attempts to repress free speech and the freedom of the press, not only by the original attacker, but by other subsequent entities in other subsequent matters. Call this "precedent" if you will.

    You may note that so far I have not specifically named any "evil empires," as these principles apply equally to all of them, in my opinion.

    If I were to say I was shocked by Microsoft's actions here, those that know me would laugh, since they know there is very little that corporation could do any more which would shock me. If I were to say "I will therefore never buy another Microsoft product" they would again laugh, since they know I have reached that decision over a decade ago, so this would be idle speech.

    What I will promise instead is that I will forward these words to at least one mailing list (where it is acceptable of course) which I know will be read by at least some individuals reading using Microsoft products/OS's -- individuals who would likely continue to use Microsoft products for some time in the future -- individuals who are in contact with others who support Microsoft, both financially and via mindshare.

    Today the part of the villain is being played by Microsoft (an actor with great experience in this type of role, perhaps one could even make a case for being typecast heh) but tomorrow, the villain may very well be AOL/TW or any other entity. The principles are the same, and the response should be as well.

    I'm sure others have pointed out by now what a plethora of pro bono legal support would be available, if necessary, and what a public relations nightmare it would be for Microsoft "when" the evening news discusses this most-recent strongarm tactic on the part of Microsoft. Personally, I look forward to seeing how Disney, ahem, ABC News covers the story. (Surely your own stock values will climb after the coverage.) CBS should also provide interesting coverage. As for NBC (of MS-NBC) ... well, it's now my time to engage in some of that laughter mentioned above.

  6. Re:Where's the return for publishers without the a on Mozilla Junkbuster-like Feature Removed · · Score: 1

    Bruce: are you telling us you don't know the app named lynx?

  7. What does localtime have to do with anything? on Mixter Speaks About the Latest DDoS · · Score: 1

    "The cracker who broke into the University machines is unlikely to have done so in the daytime, their time. From this, you should be able to determine the probable timezone."

    From where do you obtain your premise?

    While I'm not in the habit of breaking into "University machines", if I was to do so, I think there would be a 50/50 chance of it being during the hours of local daylight (or darkness) just like anything else I do online. A histogram of my online activity based upon time of day tends to be rather flat I believe.

    I fail to see a daylight-only pattern (per localtime) as prevalent among any of my online associates either. Your premise is significantly flawed.

  8. Sourceforge -> NNTP ... already in place on Open Source, Closed Talk · · Score: 2

    I'm surprised to see no one has commented on this already. I'm sure there are many SF project admins on /., aren't there?

    "Internet users who "post" articles using USENET or mailing lists are inherently granting third parties the right to repackage and retransmit their words into various formats. [snip] So long as Linux related discussions take place in such open forums, third parties have wide latitude to do the same, [snip] Enter a site like VA Sourceforge. True, they are providing all sorts of value added services. An open source project conducted there has certain advantages. [snip]"

    From the admin area "help" for one of my lists there... ("formatting" courtesy of lynx-ssl)

    nntp_host Option nntp_host (gateway): The Internet address of the machine your News server is running on. The News server is not part of Mailman proper. You have to already have access to a NNTP server, and that NNTP server has to recognize the machine this mailing list runs on as a machine capable of reading and posting news. The Internet address of the machine your News server is running on. [1]_______________________________________________ ___

    If pre and /pre tags were supported on /., that would have come out okay. Hint, Rob.

    The point here is, the NNTP gatewaying mechanism is already in place, as well as the archiving of past messages with a public or private method, if the project admin chooses to take advantage of it. And the gatewaying can be configured to go in either direction or both, if desired.

  9. Re:Some Comments and Mirror URL on DeCSS Author Arrested · · Score: 1

    Please don't exclude lynx users from access the way you have. The cgi pages simply generate pages which are devoid of meaningful data for those reading.

    Yes I could probably download every link and (patent-encumbered) gif for later examination, but no I don't feel this is reasonable so I have not done so.

    Please visit your mirror (which may indeed be a good thing, I would not know yet) using lynx and reconsider its design.

    TIA.

  10. Re:Typewriter not Y2K... on Medium Rare Quickies · · Score: 1

    Not true. There are a number of outlets of typewriter ribbons available. Including Underwood ribbons.

  11. Re:Army called in to suppress US Citizens? on Anti-WTO Riot, State of Emergency in Seattle · · Score: 1

    Tell that to the four kids in Ohio, at Kent State. Oh yeah, nm, they're dead.

  12. Re:I was there, here's my take... on Anti-WTO Riot, State of Emergency in Seattle · · Score: 1

    Training and preparation do make a huge difference, yes.

  13. Re:A cultural thing? .... on Anti-WTO Riot, State of Emergency in Seattle · · Score: 1

    Perhaps the US residents were raised in an environment where violence was viewed as more acceptable? :(

    "I'm actually in favor of MORE public protest - if the politicians piss you off - don't wait for the next election - peacefully take to the street"

    Agreed! There is far too much apathy and not enough action in recent years.

  14. Not *just* the 60s, the same principles are true on Anti-WTO Riot, State of Emergency in Seattle · · Score: 1

    "I cannot help but smile at the naivete that you show in lamenting that these protests turned "violent". This kind of thing happened in the '60s all the time,"

    Yes in the '60s and in the '70s and in the '80s and in the '90s.

    The last public protest in which I was involved (a "peace" protest, ironically enough) also experienced attempts to inject violence. (A particular counter-protestor with a "USMC" t-shirt covering his beer belly comes to mind. heh) BTW, this was in 1999.

    "with the cops instigating the violence at least as often as the protestors."

    The fact that many of my fellow protestors have had specific training in de-escalation of violence is extremely significant in my eyes. While I must agree that the police are frequently the instigators of violence (perhaps because of their training, perhaps not) they are by no means always the "bad guys" in this regard. Yes there were men in suits and dark sunglasses photographing us that day (with no connection to the news media, also present.) Yes there were police present that day, and yes the tone changed as the police numbers increased significantly. But with proper training on the part of the protestors, such a presence does not need to end badly. AFAIR, the only arrest made that day was of a counter-protestor who had assaulted a "peacenik" protestor (and also apparently damaged some of her property.) Regardless of the individual or collective desires of the police, with the media cameras rolling and sufficient people taking notes, they will usually restrict themselves to legal actions.

    Mind you, not all protestors are sufficiently aware of the underlying principles of course. (I had to remind one that the counter-protestors had every right to speak their minds and had to tell him that if he had attempted to disrupt the news media's attempt to interview one of them, I would feel obligated to switch to protesting his actions, rather than the original issue. Voltaire, anyone? :-) )

    The point here is not that I'm such an enlightened person, (heh) but rather that, with proper training, problems can be averted.

    ...

    "Perhaps this is our generation's "baptism of fire". Most of us have never seen a large-scale demonstration, let alone one that turned into a riot. A lot of people here are either shocked by the violence--like you--or disbelieving and blindly trusting in the police. In my opinion, both of these reactions are naive."

    I'm not sure what "our generation" you refer to here, but perhaps you've just not exposed yourself to the right persons. I have many friends of all ages who are well-aware of the issues involved, through first-hand experience. But I do agree that speaking out against atrocities via public protest is much less prevalent than it was a few decades ago. Perhaps it is time for that to finally change?

    The (frequently extensive) training for Non-Violent Civil Disobedience is extremely useful, not just within the context of CD, but also in settings such as the protest I mentioned above (which obviously was not intended to be an action involving CD.) I strongly encourage anyone to consider such training if they anticipate being involved in scenarios which have the potential for violence.

    "As I say, perhaps this is our generation's baptism of fire. Perhaps, too, it will be a turning point in what has so far been general Dilbert-esque grumbling or just plain lying down over the abuses of corporate America. I hope so."

    While I agree that "waking up" is in order ...

    "Let us remember among the inevitably positive effects of greater protest that riots, too, are inevitable."

    ...I must disagree here. Training can (at the very least) minimize the likelihood. "Inevitable" is inaccurate, imo.

    "Insofar as each of us is committed to peaceable conduct,"

    Commitment to nonviolence is indeed important. Advance training is a good means of acting on that commitment.

    BTW, was that tear gas comment the voice of experience speaking? ;-)

  15. Education on Anti-WTO Riot, State of Emergency in Seattle · · Score: 1

    But he called the protest "a great way to educate our kids. It's democracy in action."

  16. What works ... on Anti-WTO Riot, State of Emergency in Seattle · · Score: 1

    protesters began shouting "nonviolence" and police gave up.

  17. Re:Encryption everywhere. on CFP2000 - Freedom and Privacy by Design · · Score: 1

    LOL, as if browsers don't modify your content rendering the digisigs invalid. :) Can you say HTTP?

  18. Re:I am not a professional cryptographer... on Public-key Based Streamed Encryption? · · Score: 1

    Grain of salt! LOL!

  19. "scp -l username" on OpenSSH Project Now at openssh.com · · Score: 1

    "One thing that I haven't figured out, though, is how to get the equivalent of ssh -l username with scp"

    scp filenamehere userthere@host.there:filenamethere

    Slashdot: docs for nerds ;)

  20. Re:scp is an ftp replacement? on OpenSSH Project Now at openssh.com · · Score: 1

    I use scp in all of the scripts where I used to use ftp. Sure, the switches differ, but I think I fail to see why you say this is a "frightening statement". I don't believe they meant a literal s/ftp/scp/g would work.

    The ability to eliminate cleartext transmission of passwords is important to me.

  21. Re:Question for those in the know. on OpenSSH Project Now at openssh.com · · Score: 1

    "Most Linux compiles of 'ssh' have for years defaulted to the Blowfish encryption method rather than the patented IDEA encryption method that was removed from OpenSSH."

    While I do respect your knowledge of cryptography generally, Eric, I must question this.

    All of the man pages and associated documentation I've read over the years on sshd(8) and ssh(1) state that IDEA is the default cipher used, not Blowfish. Was the documentation which I read incorrect?

    Obviously, one can create site-wide configurations to change the default, in any case, provided the desired cipher is compiled into the binary. But I feel I must question the accuracy of "default" above.

    <humor> And no, I'm not promoting LAZARUS19U.ZIP here! </humor> (Apologies to those not familiar with sci.crypt.)

  22. Even the ClosedSSH is OSS on OpenSSH Project Now at openssh.com · · Score: 1

    "IMHO, closed-source doesn't necessarily mean evil. I think the present SSH is great. Admittedly, I'd prefer it if it was OSS"

    Excuse me, but where did you get the idea that the non-free (DataFellows) SSH (called ClosedSSH here for clarity's sake) was not OSS? While it may not be DFSG-free or meet Debian's social contract guidelines, that doesn't mean it is not OSS.

    The problem which makes it non-free is one of (evil) licensing, not one of source unavailability.

    Had the source been unavailable, ClosedSSH would never have been viewed with any credibility in the cryptographic community, IMO.

  23. Even the ClosedSSH is OSS on OpenSSH Project Now at openssh.com · · Score: 1

    "IMHO, closed-source doesn't necessarily mean evil. I think the present SSH is great. Admittedly, I'd prefer it if it was OSS"

    Excuse me, but where did you get the idea that the non-free (DataFellows) SSH (called ClosedSSH here for clarity's sake) was not OSS? While it may not be DFSG-free or meet Debian's social contract guidelines, that doesn't mean it is not OSS.

  24. Re:Hate crimes on Vice President Gore Writes for Slate · · Score: 1

    To quote the lyrics of a friend of mine, "There's Nothing More Premeditated Than Capital Punishment!"

  25. cryptanalysis on Interrogate Crypto Luminary Bruce Schneier · · Score: 1

    Take a look on counterpane, there IS a cryptanalysis course there!