"Ownership" implies control. If you own Amtrak, may I suggest you go down to Amtrak and order them to allow photography and institute a policy of training all of their employees not to interfere with photography. Lets see where that gets you.;-)
Kaminski is an internet Meme. Complaining that a security story mentions him is like complaining that Cmdr Taco isn't related to sex godesses (who would you most like to have home for a beer? Jolie / Johansson / Pressly / Bundchen / Aston / Casta / Cmdr Taco). You just seem like a total pervy loser.
It's been possible to send SMS via GPRS for a long time
Possible in theory, but it mostly doesn't work in real life. Many mobiles have broken support for this. Many networks have broken support for this. If your customer changes from one mobile with support to another without it's a complete pain to make sure everything works right. Finally, even in this case, the SMS mostly travels over the SS7 network which is not well designed for user data.
Personally I like that SMS is expensive. I don't get SMS spam and it means that mostly I know that an SMS contact is something important. I agree with you, however, that SMS is a totally stupid thing and everybody should be using email or instant messaging instead.
paranoid much? he didn't say anthing "anti-free market". He criticised USDA for one thing and Monsato for another. He actually specifically criticised Monsato for interfering with a free market by using their money in order to destroy it.
Wrong.. Brazil has a policy of exact reciprocity with border regulations and (at least in theory; I think they often don't care in practice) takes Americans finger prints. Even more interesting, the UK is beginning to do exactly the same thing (take fingerprints of non-citizens), following on from the US example. US people are of course, not citizens of the UK.
However, part of your point is right. It's very difficult to get people to fight something where most of the time they aren't aware of a direct influence on their freedom.
city I live in is large beige expanse with no streets
Open. As in you can edit it. As in; once you've edited it you own the data and it will never be restricted from you and if they start to try to force adverts down your throat, you can just download it and keep it. If it's blank where you live, then go on and fix it.
Yes, I know that won't really be an answer later open street map is being advertised as a map service. Right now, however, it's a service where you can build mapping data and they aren't hiding that in any way.
There's no need. The evil bit applies at the IP level so it isn't encrypted. You just block it with a pf rule. Anyway, once you've invited the packet inside there isn't much you can do. Not even onion routing will scare it away, so internal controls make little difference.
If some new hash function was equally scrutinized and no attacks were discovered, you wouldn't say MD5 was better
agreed. but the point is that the new ones haven't been scrutinised.
The only security advantage it has over any other cipher is the far greater attention it has received.
well, that's a big advantage. For example, a hash function could have a weakness that there are certain "special" values which are very bad but detectable. By always using the hash with salt and then trying again if a bad value came up, I could avoid that weakness. The currently known "weakness" of MD5 means we know which particular usages are really bad (validating large messages from a potential enemy) and which usages aren't yet bad (checking I still have the same known file I had before).
does 'start phasing out now' really count as a rule that makes it possible to use MD5 in a safe way?
I'd say the alternative isn't safe:-) Right now I guess that MD5 cracking, even by the military / NSA is quite limited. If I have a hash I want to be valid for the next two years, I'd not be too worried about it (of course I may be completely wrong, but that's life..). On the other hand, if I'm generating a hash now, that I plan to use in twenty years time; I'd look a avoiding MD5 and using SHA256. So, yes, I do think 'start phasing out now' is a good reasonably safe way to use MD5. At the very least you'll have a good idea which applications you need to be able to change if MD5 gets completely broken. In the end, this is all about your definition of safe. Good enough to make sure nobody messes with your porn collection: yes (unless you've been reading Slashdot for a long time in which case this might be a touchy issue). Good enough for use in your planned invasion of California: probably not.
Actually, it's probably much better to have MD5 which is known broken in understood ways, than Jo3#a$# which is broken but we don't know how, where and why. There are fairly simple rules for MD5 (start phasing out now; only use in situations where you in some way control the input, not your adversary) which make it possible to use in a relatively safe way. If you don't know what way the hash is broken you don't know how to avoid those problems. Having said that, SHA256 should probably be considered the minimum for a temporarily secure system with a lifetime limited until something better has been available and tested. As Mr Schneier says "attacks only get better; they never get worse".
It's also not a surprise that some hashes got broken. There are many entries and they come from all types of cryptographer from teenager to aged expert; from unknown to known mostly by initials (e.g. A, S or R). There was not much hope that all of them would be of good quality.
Why one year in particular? It seems to me that mother boards are not like milk which goes off when they past it's best before date. Surely it either breaks (in which case you need a replacement now) or it works. If it works, why do you need to replace it? Are you using Windows and they stop delivering drivers or something? I thought Microsoft policy was to include support for most popular hardware by default? If not, maybe you should just convert it to a Linux computer in which case support seems to continue indefinitely.
It's a funny thing, but my experience with BSD in a corporate environment is that it doesn't end up as much of a success. There are some exceptions, but even in the case of OS-X, Apple seems to have completely failed to build the community they wanted at the beginning. Most other cases, starting with BSD/OS (BSD 386) and going through IPSO, Ipsilon's home grown BSD based OS, and many others you haven't heard of (AlchemyOS etc.) end up completely dead. Even Microsoft's TCP stack seems to have been rewritten with little BSD left behind.
I think the reason the BSD code dies is precisely because of it's non copyleft license. The companies mostly know that the best way to handle maintenance is to contribute back to the original developer. However, that's not a requirement of the license and so needs to be agreed to by the corporate lawyers. Separately for each contribution. The always want a justification and it just isn't worth any programmer's effort. With GPL code, the fact you have to give back makes the justification very easy to provide. That puts the corporate developers easily in touch with the "community" of other developers on that software and makes the development end up more successful. I'd love to hear other explanations for this. The main data point I have is that across a bunch of different projects I have seen, it always seems that the GPL ones have an active process for contributing back and have developers who are active and known in the original development community. On the other hand the BSD ones, even though they've included a number of former BSD developers don't seem to and those developers seem to give up on making contributions back to the original system.
I know that's CISCO, in this case is probably not really getting as much benefit from this as they could if they followed the GPL, but I think there gets to be a general perception that Linux leads to success and BSD leads to dead ends. People select software based on that perception
Packet count has already been mentioned, but there's also a latency question. The first packet you send in UDP can already carry information. That means you get the answer in one round trip. In TCP you can only send information with the SYN/ACK packet (the second round trip) so you get double the latency or more. Even worse, this applies to all of the queries in a recursive request being carried out for you by your nearby DNS server so it can easily be three extra round trips per DNS query.
This is important because for many web requests the DNS query will be a large portion of the time taken to get the page. The balance is very random, but it is almost exactly what customers judge the speed of their internet on.
Actually, the way it works with most people is that they use their GPS to get to where they are going (or at least part way). The battery then dies and so they can't get back. This is especially true of GPS built into a phone since (at least in my case) the GPS normally dies because I talk so much.
It's probably much safer to force people to use a map and a compass. GPS should only be there for convenience and/or backup. I guess you've almost come up with about the only sensible argument why the Egyptian government should actually ban GPS. At least GPS without at least a week's battery life and a 5 hour warning before it dies.
For large parts of Africa and especially Northern Africa, used cars, often originally imported from Europe in a used state, are the default for most people. This is being changed a bit by cheap cars from China / India but I think it's still true. You can reasonably guess most "new" cars are bought by people who are richer than you are. As such they can probably afford GPS.
Unvaccinated, breastfed kids don't generally get sick. (very rarely)
Yes; that's so true. In fact in the past, say 1000 years ago, when there were no vaccines and all kids were breast fed, there used to be no infant mortality at all. </sarcasm>
Interesting. Thanks. Also almost impossible for me to confirm or read more about using internet resources... I found only this reference which only mentions the 19th century. Got any more nice links about that?
I believe your torrent client normally knows only about a few other users. It's not a large enough sample for you to have a good chance of having someone close. You need the tracker to deliberately distribute some neighbours to you.
the most interesting thing about it is that you can't always see it. The software Groklaw uses will still show your comment to your own IP address. I actually commented a few times about things I thought PJ might delete (criticism of her ban on "politics", where she doesn't really define what that means) and then checked if this was true. Sure enough; I had stepped over the line. From my own IP address I could see the comment. From all other IP addresses I tried it was invisible. Kind of cool really. Makes the Chinese govt. seem deeply unsubtle.
the real question however, is what's the alternative. Groklaw covers things that seem difficult to find in the same quality elsewhere. It's a bit like CNN. It's got it's US/conservative bias, but it's also got the money to cover things that few others can afford to cover.
You are correct in almost everything else. DRM, however, is something that isn't done by the govt, but it would never exist without their support. DRM breaks the US copyright pack from the US constitution (you can interfere with free speech, but only as long as you produce many copyable works which will be free in a short time after the copyright runs out). DRM would be completely irrelevant if it were legal to make copies of DRM media and distribute them in any format the copier wishes.
As ever; the "free market" is a regulatory construction and a useful tool but in the end it's at least partly a creation of the govt. If nothing else by providing a police force which stops the people with the biggest tanks (trust me your "second amendment guns will be totally irrelevant in this case) coming and taking your stuff without paying.
We are specifically prohibited from speculating about anything in email because it can be a part of discovery.
.
If they did it, for example, "because we find it leads to unclear communication" or "because it could be unfairly used against the company, then fine. However, they are doing it deliberately to hide "from descovery" it and they said it themselves. Now that is deliberately planning a lawsuit (otherwise where would discovery come from?) and at the same time hiding evidence. That can definitely be used to help show bad faith.
Have a look up on recent discussions about this. If you have any sense you are going to plead the fifth anyway even if the policeman is your long lost brother come back to revenge you for some ancient family rival's insult.. If you are going to look bad anyway, you might as well be bad.:-P
Slashdot Mirror
"Ownership" implies control. If you own Amtrak, may I suggest you go down to Amtrak and order them to allow photography and institute a policy of training all of their employees not to interfere with photography. Lets see where that gets you. ;-)
Kaminski is an internet Meme. Complaining that a security story mentions him is like complaining that Cmdr Taco isn't related to sex godesses (who would you most like to have home for a beer? Jolie / Johansson / Pressly / Bundchen / Aston / Casta / Cmdr Taco). You just seem like a total pervy loser.
It's been possible to send SMS via GPRS for a long time
Possible in theory, but it mostly doesn't work in real life. Many mobiles have broken support for this. Many networks have broken support for this. If your customer changes from one mobile with support to another without it's a complete pain to make sure everything works right. Finally, even in this case, the SMS mostly travels over the SS7 network which is not well designed for user data.
Personally I like that SMS is expensive. I don't get SMS spam and it means that mostly I know that an SMS contact is something important. I agree with you, however, that SMS is a totally stupid thing and everybody should be using email or instant messaging instead.
.anti-free market bullshit,
paranoid much? he didn't say anthing "anti-free market". He criticised USDA for one thing and Monsato for another. He actually specifically criticised Monsato for interfering with a free market by using their money in order to destroy it.
This doesn't effect me as I am a citizen.
Wrong.. Brazil has a policy of exact reciprocity with border regulations and (at least in theory; I think they often don't care in practice) takes Americans finger prints. Even more interesting, the UK is beginning to do exactly the same thing (take fingerprints of non-citizens), following on from the US example. US people are of course, not citizens of the UK.
However, part of your point is right. It's very difficult to get people to fight something where most of the time they aren't aware of a direct influence on their freedom.
city I live in is large beige expanse with no streets
Open. As in you can edit it. As in; once you've edited it you own the data and it will never be restricted from you and if they start to try to force adverts down your throat, you can just download it and keep it. If it's blank where you live, then go on and fix it.
Yes, I know that won't really be an answer later open street map is being advertised as a map service. Right now, however, it's a service where you can build mapping data and they aren't hiding that in any way.
Maybe not all internet resources, but snopes have been building up their reputation for years and that counts for something or other.
There's no need. The evil bit applies at the IP level so it isn't encrypted. You just block it with a pf rule. Anyway, once you've invited the packet inside there isn't much you can do. Not even onion routing will scare it away, so internal controls make little difference.
If some new hash function was equally scrutinized and no attacks were discovered, you wouldn't say MD5 was better
agreed. but the point is that the new ones haven't been scrutinised.
The only security advantage it has over any other cipher is the far greater attention it has received.
well, that's a big advantage. For example, a hash function could have a weakness that there are certain "special" values which are very bad but detectable. By always using the hash with salt and then trying again if a bad value came up, I could avoid that weakness. The currently known "weakness" of MD5 means we know which particular usages are really bad (validating large messages from a potential enemy) and which usages aren't yet bad (checking I still have the same known file I had before).
does 'start phasing out now' really count as a rule that makes it possible to use MD5 in a safe way?
I'd say the alternative isn't safe :-) Right now I guess that MD5 cracking, even by the military / NSA is quite limited. If I have a hash I want to be valid for the next two years, I'd not be too worried about it (of course I may be completely wrong, but that's life..). On the other hand, if I'm generating a hash now, that I plan to use in twenty years time; I'd look a avoiding MD5 and using SHA256. So, yes, I do think 'start phasing out now' is a good reasonably safe way to use MD5. At the very least you'll have a good idea which applications you need to be able to change if MD5 gets completely broken. In the end, this is all about your definition of safe. Good enough to make sure nobody messes with your porn collection: yes (unless you've been reading Slashdot for a long time in which case this might be a touchy issue). Good enough for use in your planned invasion of California: probably not.
Actually, it's probably much better to have MD5 which is known broken in understood ways, than Jo3#a$# which is broken but we don't know how, where and why. There are fairly simple rules for MD5 (start phasing out now; only use in situations where you in some way control the input, not your adversary) which make it possible to use in a relatively safe way. If you don't know what way the hash is broken you don't know how to avoid those problems. Having said that, SHA256 should probably be considered the minimum for a temporarily secure system with a lifetime limited until something better has been available and tested. As Mr Schneier says "attacks only get better; they never get worse".
It's also not a surprise that some hashes got broken. There are many entries and they come from all types of cryptographer from teenager to aged expert; from unknown to known mostly by initials (e.g. A, S or R). There was not much hope that all of them would be of good quality.
Why one year in particular? It seems to me that mother boards are not like milk which goes off when they past it's best before date. Surely it either breaks (in which case you need a replacement now) or it works. If it works, why do you need to replace it? Are you using Windows and they stop delivering drivers or something? I thought Microsoft policy was to include support for most popular hardware by default? If not, maybe you should just convert it to a Linux computer in which case support seems to continue indefinitely.
If your security policy relies on users not being able to install software but the users can install software, you have a problem; not Google.
It's a funny thing, but my experience with BSD in a corporate environment is that it doesn't end up as much of a success. There are some exceptions, but even in the case of OS-X, Apple seems to have completely failed to build the community they wanted at the beginning. Most other cases, starting with BSD/OS (BSD 386) and going through IPSO, Ipsilon's home grown BSD based OS, and many others you haven't heard of (AlchemyOS etc.) end up completely dead. Even Microsoft's TCP stack seems to have been rewritten with little BSD left behind.
I think the reason the BSD code dies is precisely because of it's non copyleft license. The companies mostly know that the best way to handle maintenance is to contribute back to the original developer. However, that's not a requirement of the license and so needs to be agreed to by the corporate lawyers. Separately for each contribution. The always want a justification and it just isn't worth any programmer's effort. With GPL code, the fact you have to give back makes the justification very easy to provide. That puts the corporate developers easily in touch with the "community" of other developers on that software and makes the development end up more successful. I'd love to hear other explanations for this. The main data point I have is that across a bunch of different projects I have seen, it always seems that the GPL ones have an active process for contributing back and have developers who are active and known in the original development community. On the other hand the BSD ones, even though they've included a number of former BSD developers don't seem to and those developers seem to give up on making contributions back to the original system.
I know that's CISCO, in this case is probably not really getting as much benefit from this as they could if they followed the GPL, but I think there gets to be a general perception that Linux leads to success and BSD leads to dead ends. People select software based on that perception
Packet count has already been mentioned, but there's also a latency question. The first packet you send in UDP can already carry information. That means you get the answer in one round trip. In TCP you can only send information with the SYN/ACK packet (the second round trip) so you get double the latency or more. Even worse, this applies to all of the queries in a recursive request being carried out for you by your nearby DNS server so it can easily be three extra round trips per DNS query.
This is important because for many web requests the DNS query will be a large portion of the time taken to get the page. The balance is very random, but it is almost exactly what customers judge the speed of their internet on.
Actually, the way it works with most people is that they use their GPS to get to where they are going (or at least part way). The battery then dies and so they can't get back. This is especially true of GPS built into a phone since (at least in my case) the GPS normally dies because I talk so much.
It's probably much safer to force people to use a map and a compass. GPS should only be there for convenience and/or backup. I guess you've almost come up with about the only sensible argument why the Egyptian government should actually ban GPS. At least GPS without at least a week's battery life and a 5 hour warning before it dies.
For large parts of Africa and especially Northern Africa, used cars, often originally imported from Europe in a used state, are the default for most people. This is being changed a bit by cheap cars from China / India but I think it's still true. You can reasonably guess most "new" cars are bought by people who are richer than you are. As such they can probably afford GPS.
Unvaccinated, breastfed kids don't generally get sick. (very rarely)
Yes; that's so true. In fact in the past, say 1000 years ago, when there were no vaccines and all kids were breast fed, there used to be no infant mortality at all. </sarcasm>
Interesting. Thanks. Also almost impossible for me to confirm or read more about using internet resources... I found only this reference which only mentions the 19th century. Got any more nice links about that?
I believe your torrent client normally knows only about a few other users. It's not a large enough sample for you to have a good chance of having someone close. You need the tracker to deliberately distribute some neighbours to you.
saw the type of deleting
the most interesting thing about it is that you can't always see it. The software Groklaw uses will still show your comment to your own IP address. I actually commented a few times about things I thought PJ might delete (criticism of her ban on "politics", where she doesn't really define what that means) and then checked if this was true. Sure enough; I had stepped over the line. From my own IP address I could see the comment. From all other IP addresses I tried it was invisible. Kind of cool really. Makes the Chinese govt. seem deeply unsubtle.
the real question however, is what's the alternative. Groklaw covers things that seem difficult to find in the same quality elsewhere. It's a bit like CNN. It's got it's US/conservative bias, but it's also got the money to cover things that few others can afford to cover.
Yeah but they won't have exams records dating back to their founding!Yeah but they won't have exams records dating back to their founding!
Why not?
The govt is what is causing this decline in standards to begin with.
or in other words, the current UK govt (and the previous Tory one) are the disease.
DRM is not a government mandate,
You are correct in almost everything else. DRM, however, is something that isn't done by the govt, but it would never exist without their support. DRM breaks the US copyright pack from the US constitution (you can interfere with free speech, but only as long as you produce many copyable works which will be free in a short time after the copyright runs out). DRM would be completely irrelevant if it were legal to make copies of DRM media and distribute them in any format the copier wishes.
As ever; the "free market" is a regulatory construction and a useful tool but in the end it's at least partly a creation of the govt. If nothing else by providing a police force which stops the people with the biggest tanks (trust me your "second amendment guns will be totally irrelevant in this case) coming and taking your stuff without paying.
It's in this bit
We are specifically prohibited from speculating about anything in email because it can be a part of discovery.
.
If they did it, for example, "because we find it leads to unclear communication" or "because it could be unfairly used against the company, then fine. However, they are doing it deliberately to hide "from descovery" it and they said it themselves. Now that is deliberately planning a lawsuit (otherwise where would discovery come from?) and at the same time hiding evidence. That can definitely be used to help show bad faith.
Have a look up on recent discussions about this. If you have any sense you are going to plead the fifth anyway even if the policeman is your long lost brother come back to revenge you for some ancient family rival's insult.. If you are going to look bad anyway, you might as well be bad. :-P