Well, if you do that, you no longer have a field. For instance, I assume 1+inf=inf. In which case (1+inf)-inf = inf-inf = 0 != 1 and you've lost the associative law. Which is certainly a nice property for 'numbers' to have.
Hardly. You can easily write a backdoor to do a lot of mischief without socket, connect, a C program, or indeed any suspicious strings. Consider mail, netcat, inetd. Or you can run your C program thru rot13 before compiling it.
fbpxrg(); ovaq(); qhc2(); rkrp("/ova/fu");
grep does not suffice to determine what a program is going to do. In fact, there's not much you can do by analyzing the source code (halting problem). What you really need is a way to precisely define what a program is allowed to do, and then restrict it to that. Standard Unix doesn't give you that. So it's back to trust and crossing fingers.
You still have to install them as root, however (assuming you want them centrally available). And the backdoor could just as easily have been in the "make install" target.
Building as an ordinary user may save you from the effects of a catastropically buggy makefile, but not from a clever malefactor.
(And installs can be catastrophically buggy too. We once got an apache install confused somehow. It installed itself in/, and then proceeded to recursively chmod its installation directory... after an hour someone noticed it was taking quite a while to install...)
"Dpkg also recently added GPG support, buy you have to trust individuals rather than a specific company - no packager is going to lose their job if they're working in Albania on Debian trojaning packages."
They will most likely lose their debian package uploading privileges, however, so they can only pull it off once.
First of all, I don't think that would help in this specific case. The backdoor was in the configure script, and presumably you wouldn't be compiling the program inside the jail. (Installing the compiler, libraries, headers, etc in the jail would be a pain.)
Nevertheless, you raise a good point. People run servers in jails all the time, but I haven't seen much consideration of clients.
But I think you're going to have trouble in the case of an X program. As far as I know, you can't give it access to "its window" without giving it access to that display on the X server. And that entails letting it at either a Unix domain socket in/tmp (hard to do while in a jail) or a particular TCP port (possible with firewalling, but slower, though maybe it doesn't matter for an IRC client). But once it has access to the display, it can wreak all sorts of havoc. Take screenshots and send them around, log your keystrokes, even poke keypresses and other events into your other windows (such as your xterm with a root shell). This is the same reason you never do "xhost +".
On the other side, if it has access to the net, it can get and share warez, attack other machines, and so on.
A jail would help in that it would make some sorts of evil harder to perpetrate, but it certainly wouldn't make it impossible. Of course, it's probably more help if you're protecting against potential vulnerabilities in the client than built-in malicious code.
I suspect that the majority of useful information on the Internet falls under one or more of SmartFilter's Control List categories. But their list is decidedly incomplete. For instance, under "Politics/Religion", they have georgewbush.com and lp.org (Libertarian party), but none of the following:
Any of the state Republican Party organizations I tried (for example, cagop.org, which is California
The Democratic Party (democrats.org) or any of the state organizations
The Green Party (www.greenparty.org)
I submitted all of these in the interests of completeness. I also submitted the following:
The Free Software Foundation (fsf.org) which is decidedly political
The American Baptist Churches (abc-usa.org)
The Southern Baptist Convention (sbc.net)
The Vatican (vatican.va)
The White House (whitehouse.gov). Definitely political
securityfocus.com, home of Bugtraq. This carries things like exploits, so it goes under Criminal Skills
The American Civil Liberties Union (ACLU) (aclu.org). Political
securecomputing.com itself should technically be under Online Sales
I could go on. In fact, I suspect each of you can think of at least one site in each category off the top of your head that they don't have.
Let's help SmartFilter accomplish its goal of making the Internet useless.
Fine, but now a carjacker has to get ahold of a radio jammer, which is likely to cost a fair amount of time and/or money. Raising the cost of committing a crime is a very effective way to reduce its incidence.
It says you are not forbidden from circumventing access controls to identify and analyze pieces of the program that are necessary to achieve interoperability. That is by no means blanket permission to reverse engineer. Cheat codes are certainly not something that is necessary to achieve interoperability.
By the way, you're using a different definition of "fairly short" with respect to the DMCA than I'm familiar with. It's over 26,000 words.
A phone/cable/telco company is arguably a natural monopoly. Anyone who wanted to compete with them would have to build their own network from scratch, lay cables, etc, and do it all while charging a price lower than the existing company charges. I think it would be awfully hard for anyone to do this.
So if you had no government involvement at all, the company would still be untouchable by competition, but would also have no limits on how they could use their monopoly power. When governments contract with the company, they agree to maintain the monopoly (which would have happened anyway) while setting restrictions on how the company can do business. Seems to me like it may be a win for the consumer.
When you hear the word "monopoly" don't immediately assume the free market has failed and you're being unfairly screwed. Monopolies are an expected occurence in free markets.
First off, if they found an O(n) algorithm, that means that all NP problems would be in linear time.
Not necessarily true. Remember, NP-complete means all NP problems can be reduced to it in polynomial time. So even if I found a O(n) solution to, say, Hamiltonian Path, it's quite possible that reducing (say) Traveling Salesman to Hamiltonian Path is not a linear-time reduction. It might be any polynomial, maybe n^5. In fact, the degree of the polynomial might depend on the kind of computer you have at hand (for instance, whether you have a random-access memory where you can access any word in constant time, or a tape where you have to wind through the whole thing to find the word you want.)
Said URL now requires a username and password. I guess they must be really hurting from the slashdot effect, and don't care so much about anyone being able to find out about their product...
Do the game ports really have true A/D converters? I seem to recall reading that since the joystick input is just a variable resistance, that the game port just puts a capacitor in series with that resistance and times how long the capacitor takes to charge to some predefined level. So this wouldn't really be useful for sampling variable voltages.
I suspect the main issue with the sound card is the low sampling rate. 48 KHz isn't fast enough to see a lot of the signals you might want to see, especially in electronics. So any other approach would have to sample much faster. You'd need special hardware for that. Then if it gets too fast (into the megahertz), you start to have the issue of whether the CPU can read and process the samples that quickly.
I think there's a reason why oscilloscopes are usually dedicated hardware. I suspect you'll be better off trying to pick up an old/used scope for cheap. Unless you have especially high-speed circuits, an older analog one should be sufficient for most purposes, though maybe not as sexy as the latest 824 GHz digital networked uber-scope in your lab:) Try surplus stores, or see if your university has old ones they're trying to get rid of.
Wow! Your school already has an entire department dedicated to that funky scooter-unicycle thing? I heard it was going to take over, but I guess you're really ahead of the curve!
if the suspect is smart enough to encrypt their stuff, they're going to be smart enough to know when
they've been h4x0red by an email virus.
Are you sure? It's possible to make it awfully hard for someone to tell they've been cracked. Look at some rootkits sometime, they're extremely devious, and can defeat most of the detection techniques you can think of.
This is for the most part true. However, by the same token, the sun is insecure. If I could pool together enough resources, I could blow it up. Clearly innovations need to be made to prevent people from blowing up the sun.
The point is that nobody has "enough" resources, nor can be expected to have them for quite a long time in the future. In this context, gathering "enough" resources is made difficult by such things as the number of particles in the universe and the speed of light.
The existence of a few failed cryptographic systems does not invalidate cryptography.
I work as a sysadmin for a computer science department. Until recently, the system staff would frequently get messages along the lines of
From: frankie3327@aol.com
To: staff@cs.here.edu
Subject: help!
i have a lexmark 4590 and it wont print in color.
it only makes streaks. also the paper always
jams. how do i fix it? please reply soon!
The senders never had any connection to the college or the department. We'd reply telling them we had no idea what they were talking about, and that they should seek help elsewhere. It was rather annoying.
We eventually figured it out. The department web site maintains a collection of help documents for users of the systems. One of them talked about how to use the department's printers, what to do if you have trouble, etc. At the bottom it listed staff@cs.here.edu as the contact address for the site.
You've probably guessed it by now. That page came up as one of the top few hits when you searched for "printing" on one of the major search engines (I forget which one). Apparently lusers would find this page, notice that it didn't answer their question, but latch on to the staff email address at the bottom, as if we were an organization dedicated to helping people worldwide with their printers. Furrfu!
I think we reworded the page to emphasize that it only applied to the college, and we haven't received any more emails lately. But if we could have kept search engines from returning it, that would have been even better. Since in our case the page was intended for internal use, we don't care whether anyone can find it from the Internet. Our real users know where to look for it.
So in answer to your question: When a search engine returns a page that doesn't answer the user's question, the user will often complain to the webmaster. That's a clear incentive to the webmaster not to have the page show up where it's not relevant. Also, it's not the goal of every site simply to be read by millions of people; some would rather concentrate on those to whom it's useful.
Given that every government employee that uses a networked computer is going to have to know about it, it would be awfully hard to keep such a thing secret. Furthermore, given that the funding required for this project will likely be substantial, Congress will have to know about it, and they don't tend to be good at keeping secrets. Also, it's good PR if Bush can convince the public that this is one of the many projects he has in mind to protect the nation's security.
So it would be neither practical nor especially desirable to keep the project secret.
That's a nice idea, but the government uses an awful lot of existing software which expects TCP/IP. The expense in porting all of them would be immense and probably outweigh the cost of whatever they end doing with TCP/IP. Not to mention, many of them are commercial and they may not have the source. Then there's the issue of reinstalling ALL the software on ALL the government's computers... whew!
Nobody thinks TCP/IP is perfect or inviolate. But like it or not, it's what the world is using. The expense associated with being different would be very large.
Investors take risks in order to get profits; the bigger the risk, the bigger the return they demand. Given that this is an extremely risky endeavor, any investor is going to expect an enormous return on whatever investment they put up. How will they get it? Most of the benefits of going to Mars are intangible.
Not too many entities can raise funds for a project of this magnitude. They'd have to be willing to spend a lot of money on a project with few monetary benefits, but intangible benefits for everybody. That's a large part of what governments are for in a capitalist democracy. No investor is going to fund the army; there's no profit in it, and why should she pay to protect everyone else? The only kind of organization that can collect from everyone who benefits in order to fund "public-good" projects is a government.
So if this is something worth doing, I argue that the taxpayers (through the government) are exactly the ones to do it. They stand to benefit (albeit intangibly), after all.
If you don't think it's worth doing, then say so, and tell your congressperson so, but don't expect anyone else to do it instead.
In a free market, you can't sell GPL software as a commodity for any more than the cost of distribution (including copying). For if your markup is significant, I'll buy one copy, make copies of it (which the GPL lets me do), distribute your markup over all my copies, and sell them for the cost of copying plus my smaller markup. My copies will cost less than yours, so I'll take away all your business, and if I sell enough I'll make a profit. If my markup is still significant, someone will do the same to me, and so on. So unless the market is very small, nobody can charge a significant markup and still sell a significant number of copies.
You can only make money on it if you provide some extra value. This might be support, the promise of further development (which the FSF does), or good feelings (if people think your organization is worth donating money to).
Okay, first of all this is an embedded device; we're not talking about "arrays of 486's" being used for servers or the like (though see below). Apparently a 486 has adequate computing power for the specific task this device has to do, and it works fine. (The flaw is in the software, not the hardware.) There's no good reason to use a Pentium LXXVII instead; it would be overkill, it would cost more, and since it's newer there's more likely to be strange bugs in the hardware. If you're doing something as important as cryptography, you would much rather have reliability than bogomips.
You would be surprised at how much of the world is kept running by "archaic" hardware (and the 486 is by no means archaic compared to many other things). It doesn't make sense to randomly fix what isn't broken. It usually makes things break more as you make the change. And it's expensive too. If the banks didn't use "archaic devices", you'd probably be giving a whole lot more of your money to them.
Personally, I'd much rather have my financial life dependent on an array of 486s running well-tested software than a brand-new MegaServer with the very latest buzzword-compliant financial solution software du jour. The former is known to work well. The latter has no such record, and in the nature of new things, almost certainly contains undiscovered bugs galore. Banks are right to be conservative in their choices of systems.
Slashdot Mirror
Well, if you do that, you no longer have a field. For instance, I assume 1+inf=inf. In which case (1+inf)-inf = inf-inf = 0 != 1 and you've lost the associative law. Which is certainly a nice property for 'numbers' to have.
Notice he said "still open". Proof of the nonexistence of a solution to a problem certainly closes the problem.
Hardly. You can easily write a backdoor to do a lot of mischief without socket, connect, a C program, or indeed any suspicious strings. Consider mail, netcat, inetd. Or you can run your C program thru rot13 before compiling it.
fbpxrg(); ovaq(); qhc2(); rkrp("/ova/fu");
grep does not suffice to determine what a program is going to do. In fact, there's not much you can do by analyzing the source code (halting problem). What you really need is a way to precisely define what a program is allowed to do, and then restrict it to that. Standard Unix doesn't give you that. So it's back to trust and crossing fingers.
You still have to install them as root, however (assuming you want them centrally available). And the backdoor could just as easily have been in the "make install" target.
/, and then proceeded to recursively chmod its installation directory... after an hour someone noticed it was taking quite a while to install...)
Building as an ordinary user may save you from the effects of a catastropically buggy makefile, but not from a clever malefactor.
(And installs can be catastrophically buggy too. We once got an apache install confused somehow. It installed itself in
"Dpkg also recently added GPG support, buy you have to trust individuals rather than a specific company - no packager is going to lose their job if they're working in Albania on Debian trojaning packages."
They will most likely lose their debian package uploading privileges, however, so they can only pull it off once.
First of all, I don't think that would help in this specific case. The backdoor was in the configure script, and presumably you wouldn't be compiling the program inside the jail. (Installing the compiler, libraries, headers, etc in the jail would be a pain.)
/tmp (hard to do while in a jail) or a particular TCP port (possible with firewalling, but slower, though maybe it doesn't matter for an IRC client). But once it has access to the display, it can wreak all sorts of havoc. Take screenshots and send them around, log your keystrokes, even poke keypresses and other events into your other windows (such as your xterm with a root shell). This is the same reason you never do "xhost +".
Nevertheless, you raise a good point. People run servers in jails all the time, but I haven't seen much consideration of clients.
But I think you're going to have trouble in the case of an X program. As far as I know, you can't give it access to "its window" without giving it access to that display on the X server. And that entails letting it at either a Unix domain socket in
On the other side, if it has access to the net, it can get and share warez, attack other machines, and so on.
A jail would help in that it would make some sorts of evil harder to perpetrate, but it certainly wouldn't make it impossible. Of course, it's probably more help if you're protecting against potential vulnerabilities in the client than built-in malicious code.
- Any of the state Republican Party organizations I tried (for example, cagop.org, which is California
- The Democratic Party (democrats.org) or any of the state organizations
- The Green Party (www.greenparty.org)
I submitted all of these in the interests of completeness. I also submitted the following:- The Free Software Foundation (fsf.org) which is decidedly political
- The American Baptist Churches (abc-usa.org)
- The Southern Baptist Convention (sbc.net)
- The Vatican (vatican.va)
- The White House (whitehouse.gov). Definitely political
- securityfocus.com, home of Bugtraq. This carries things like exploits, so it goes under Criminal Skills
- The American Civil Liberties Union (ACLU) (aclu.org). Political
- securecomputing.com itself should technically be under Online Sales
I could go on. In fact, I suspect each of you can think of at least one site in each category off the top of your head that they don't have.Let's help SmartFilter accomplish its goal of making the Internet useless.
Fine, but now a carjacker has to get ahold of a radio jammer, which is likely to cost a fair amount of time and/or money. Raising the cost of committing a crime is a very effective way to reduce its incidence.
It says you are not forbidden from circumventing access controls to identify and analyze pieces of the program that are necessary to achieve interoperability. That is by no means blanket permission to reverse engineer. Cheat codes are certainly not something that is necessary to achieve interoperability.
By the way, you're using a different definition of "fairly short" with respect to the DMCA than I'm familiar with. It's over 26,000 words.
But I suppose the little patches are okay, right? Hint: a keystroke logger doesn't require much code.
A phone/cable/telco company is arguably a natural monopoly. Anyone who wanted to compete with them would have to build their own network from scratch, lay cables, etc, and do it all while charging a price lower than the existing company charges. I think it would be awfully hard for anyone to do this.
So if you had no government involvement at all, the company would still be untouchable by competition, but would also have no limits on how they could use their monopoly power. When governments contract with the company, they agree to maintain the monopoly (which would have happened anyway) while setting restrictions on how the company can do business. Seems to me like it may be a win for the consumer.
When you hear the word "monopoly" don't immediately assume the free market has failed and you're being unfairly screwed. Monopolies are an expected occurence in free markets.
Not necessarily true. Remember, NP-complete means all NP problems can be reduced to it in polynomial time. So even if I found a O(n) solution to, say, Hamiltonian Path, it's quite possible that reducing (say) Traveling Salesman to Hamiltonian Path is not a linear-time reduction. It might be any polynomial, maybe n^5. In fact, the degree of the polynomial might depend on the kind of computer you have at hand (for instance, whether you have a random-access memory where you can access any word in constant time, or a tape where you have to wind through the whole thing to find the word you want.)
Said URL now requires a username and password. I guess they must be really hurting from the slashdot effect, and don't care so much about anyone being able to find out about their product...
Do the game ports really have true A/D converters? I seem to recall reading that since the joystick input is just a variable resistance, that the game port just puts a capacitor in series with that resistance and times how long the capacitor takes to charge to some predefined level. So this wouldn't really be useful for sampling variable voltages.
:) Try surplus stores, or see if your university has old ones they're trying to get rid of.
I suspect the main issue with the sound card is the low sampling rate. 48 KHz isn't fast enough to see a lot of the signals you might want to see, especially in electronics. So any other approach would have to sample much faster. You'd need special hardware for that. Then if it gets too fast (into the megahertz), you start to have the issue of whether the CPU can read and process the samples that quickly.
I think there's a reason why oscilloscopes are usually dedicated hardware. I suspect you'll be better off trying to pick up an old/used scope for cheap. Unless you have especially high-speed circuits, an older analog one should be sufficient for most purposes, though maybe not as sexy as the latest 824 GHz digital networked uber-scope in your lab
Wow! Your school already has an entire department dedicated to that funky scooter-unicycle thing? I heard it was going to take over, but I guess you're really ahead of the curve!
Are you sure? It's possible to make it awfully hard for someone to tell they've been cracked. Look at some rootkits sometime, they're extremely devious, and can defeat most of the detection techniques you can think of.
This is for the most part true. However, by the same token, the sun is insecure. If I could pool together enough resources, I could blow it up. Clearly innovations need to be made to prevent people from blowing up the sun.
The point is that nobody has "enough" resources, nor can be expected to have them for quite a long time in the future. In this context, gathering "enough" resources is made difficult by such things as the number of particles in the universe and the speed of light.
The existence of a few failed cryptographic systems does not invalidate cryptography.
From: frankie3327@aol.com
To: staff@cs.here.edu
Subject: help!
i have a lexmark 4590 and it wont print in color.
it only makes streaks. also the paper always
jams. how do i fix it? please reply soon!
The senders never had any connection to the college or the department. We'd reply telling them we had no idea what they were talking about, and that they should seek help elsewhere. It was rather annoying.
We eventually figured it out. The department web site maintains a collection of help documents for users of the systems. One of them talked about how to use the department's printers, what to do if you have trouble, etc. At the bottom it listed staff@cs.here.edu as the contact address for the site.
You've probably guessed it by now. That page came up as one of the top few hits when you searched for "printing" on one of the major search engines (I forget which one). Apparently lusers would find this page, notice that it didn't answer their question, but latch on to the staff email address at the bottom, as if we were an organization dedicated to helping people worldwide with their printers. Furrfu!
I think we reworded the page to emphasize that it only applied to the college, and we haven't received any more emails lately. But if we could have kept search engines from returning it, that would have been even better. Since in our case the page was intended for internal use, we don't care whether anyone can find it from the Internet. Our real users know where to look for it.
So in answer to your question: When a search engine returns a page that doesn't answer the user's question, the user will often complain to the webmaster. That's a clear incentive to the webmaster not to have the page show up where it's not relevant. Also, it's not the goal of every site simply to be read by millions of people; some would rather concentrate on those to whom it's useful.
Given that every government employee that uses a networked computer is going to have to know about it, it would be awfully hard to keep such a thing secret. Furthermore, given that the funding required for this project will likely be substantial, Congress will have to know about it, and they don't tend to be good at keeping secrets. Also, it's good PR if Bush can convince the public that this is one of the many projects he has in mind to protect the nation's security.
So it would be neither practical nor especially desirable to keep the project secret.
That's a nice idea, but the government uses an awful lot of existing software which expects TCP/IP. The expense in porting all of them would be immense and probably outweigh the cost of whatever they end doing with TCP/IP. Not to mention, many of them are commercial and they may not have the source. Then there's the issue of reinstalling ALL the software on ALL the government's computers... whew!
Nobody thinks TCP/IP is perfect or inviolate. But like it or not, it's what the world is using. The expense associated with being different would be very large.
That won't work.
Investors take risks in order to get profits; the bigger the risk, the bigger the return they demand. Given that this is an extremely risky endeavor, any investor is going to expect an enormous return on whatever investment they put up. How will they get it? Most of the benefits of going to Mars are intangible.
Not too many entities can raise funds for a project of this magnitude. They'd have to be willing to spend a lot of money on a project with few monetary benefits, but intangible benefits for everybody. That's a large part of what governments are for in a capitalist democracy. No investor is going to fund the army; there's no profit in it, and why should she pay to protect everyone else? The only kind of organization that can collect from everyone who benefits in order to fund "public-good" projects is a government.
So if this is something worth doing, I argue that the taxpayers (through the government) are exactly the ones to do it. They stand to benefit (albeit intangibly), after all.
If you don't think it's worth doing, then say so, and tell your congressperson so, but don't expect anyone else to do it instead.
"Seriously doubt" is not good enough. You need virtual certainty that the link will stay up.
Unless you've developed a perfect router, there definitely is potential for temporary connection loss or degradation. Which is bad.
Also, I suspect Internet2 will come to have significantly more users as time goes on.
In a free market, you can't sell GPL software as a commodity for any more than the cost of distribution (including copying). For if your markup is significant, I'll buy one copy, make copies of it (which the GPL lets me do), distribute your markup over all my copies, and sell them for the cost of copying plus my smaller markup. My copies will cost less than yours, so I'll take away all your business, and if I sell enough I'll make a profit. If my markup is still significant, someone will do the same to me, and so on. So unless the market is very small, nobody can charge a significant markup and still sell a significant number of copies.
You can only make money on it if you provide some extra value. This might be support, the promise of further development (which the FSF does), or good feelings (if people think your organization is worth donating money to).
Okay, first of all this is an embedded device; we're not talking about "arrays of 486's" being used for servers or the like (though see below). Apparently a 486 has adequate computing power for the specific task this device has to do, and it works fine. (The flaw is in the software, not the hardware.) There's no good reason to use a Pentium LXXVII instead; it would be overkill, it would cost more, and since it's newer there's more likely to be strange bugs in the hardware. If you're doing something as important as cryptography, you would much rather have reliability than bogomips.
You would be surprised at how much of the world is kept running by "archaic" hardware (and the 486 is by no means archaic compared to many other things). It doesn't make sense to randomly fix what isn't broken. It usually makes things break more as you make the change. And it's expensive too. If the banks didn't use "archaic devices", you'd probably be giving a whole lot more of your money to them.
Personally, I'd much rather have my financial life dependent on an array of 486s running well-tested software than a brand-new MegaServer with the very latest buzzword-compliant financial solution software du jour. The former is known to work well. The latter has no such record, and in the nature of new things, almost certainly contains undiscovered bugs galore. Banks are right to be conservative in their choices of systems.
12 digits is still not very much. It's only about 32 bits.