I can send a Word document to the laser printer in the mail room set in Times New Roman 12pt just as easily as my boss can.
Right, but those are not the only possible scenarios. If I had some enemy X and I wanted to forge a typewritten letter by X indicating an intent to commit a murder, I'd have a hard time doing it in a way that couldn't be disputed in court. On the other hand, it's much easier to fake an EMAIL indicating an intent to murder.
Re:Info on what exactly SHA-1 is ...
on
SHA-1 Broken
·
· Score: 1
You mean differential cryptanalysis? What they did was manipulate the values of the S-boxes in a way that made the mapping immune to differential cryptanalysis. It wasn't a "weakness" in the cipher. The NSA (actually, the IBM team who was working for them) discovered differential before anybody else, and decided to strengthen the cipher against it in case somebody else discovered it. As a matter of fact, it was discovered soon thereafter.
Re:Not a problem (yet)
on
SHA-1 Broken
·
· Score: 1
I have a question.
In the space of 160-bit strings, are there collisions? That is, is SHA-1 a bijection from 160-bit space onto 160-bit space? I also have the same question about MD5:-)
Re:Not a problem (yet)
on
SHA-1 Broken
·
· Score: 1
I believe there is a cryptographic result that if you combine two hashes into a "superhash" you do NOT increase the difficulty as much as you might naively think. I don't know enough to even give a reference, perhaps somebody can help?
It's very easy in this field to think you've found a good idea, then somebody really smart comes and shows it isn't as good as you thought...
RTFA, moron. Otellini knew from the outset that it would eventually be made public. He posted his blog entries with full knowledge of that fact.
In other words, your point that "this will probably mean that businesses will become less adoptive of technology to exchange ideas" is absolutely wrong, because he KNEW the stuff would be "leaked" and did it anyway. That means he EMBRACED it.
Maybe they consider transporting dead inventory from the warehouse to the dump to be "shipping" it?;-)
Re:Not quite the end of the world
on
SHA-1 Broken
·
· Score: 1
As others have pointed out, I can create 2 documents, X and Y, have a target sign one, then substitute the other. His digital signature will be valid for both. Great - it takes only 2^69 attempts to get a collision - I'm sure the chances that the X and Y found will both be valid English documents
Except that digital signatures are only RARELY applied to English documents (or documents in any human language for that matter). Do you know the most common use of PKI cryptography? Digital certificates.
Digital certificates include all sorts of "superfluous" information that most people don't look at. For example, the address of the issuant. In order to forge a certificate you only have to make sure the OWNER'S NAME is correct. The other data can be complete garbage, as far as a web browser is concerned. Which means it's not that hard to create fake certificates in somebody else's name (say, Microsoft Corp). This is the real risk here.
You are REALLY digging here and you have still failed to prove that spyware is "lethal"
Obviously Firestone was a bad example because you are deliberately looking past the real point here. Okay, assume the tires were NOT killing anybody. Just totalling peoples' cars. Is that a closer equivalence for you? The fact remains that charging to fix it would have been a fucking joke.
Now quit your disingenuous line of argumentation and step up to the plate with something real.
That's a nice little straw man you've got there. Last I checked, spyware doesn't kill people.
The fact that Firestone was killing people was not my point. The fact is they released a faulty product and it would have been a fucking joke to attempt to charge to fix it.
You're deliberately looking past my real point. In other words, you're the one with the straw man.
The same goes for paper documents, what's your point?
The difference is that it is trivial to create a fake electronic document. Paper documents have inherent security features, like the paper and ink they are printed with, the typeface, the minute flaws in the printing machinery, etc.
A person who might not have been willing to fake a paper document (because of the risks of being detected) might be much more willing to fake an electronic one.
Tires blowing out due to design flaws can end someone's life. Spyware infecting a computer due to design flaws can cause someone to format their hard-drive.
Don't be naive. The risks of spyware go far beyond lost data. I could write a piece of software than installed itself on my enemy's system and downloaded a bunch of kiddy porn. Or, I could install something onto the workstation of an FBI agent and manipulate data pertaining to a capital investigation. Or I could leak the identities of government agents. Need I continue?
Spyware is a lethal risk. Just because nobody has written spyware of the sort I just described (actually, it probably does exist, we just don't know about it) doesn't mean the risk isn't there.
You've got some valid points, but I've got to say that as a linux user, I'd be a little leery of of anything they developed for linux, at least until I had a chance to dissect it.
No need to dissect it, just run strace and see what it's doing. There's nothing of any consequence a program can do that won't be revealed by strace.
MS hadn't ever released a statement committing to a pricing-model for MSAS. At most they had said they were investigating the options. Now they have finished their investigation, and the price is $0.
It did not require an investigation. Do you think that when Firestone produced a whole run of shitty tires that blew up and killed people that they "investigated" whether they should charge to get them replaced?
Maybe the law doesn't require Microsoft to warrant their products, but in all ethical and moral senses it is required. To even entertain the idea of charging for it is unethical.
Now, are we all going to whine that MSFT shouldn't be distributing software with their OS to combat spyware because it "may" edge out competition in the spyware removal market or are we just going to complain that they considered charging people to use it when they aren't now?
Uhhh... I don't think anybody's complaining that it'll "edge out" the competition. I'm all for the complete elimination of this entire industry. Spyware should not exist, and solutions to Spyware shouldn't be necessary.
Here's why it's psychotic for them to have even considered charging for it: remember those Firestone tires that were blowing up left and right and killing people? What if Firestone had "considered" charging people to get those tires replaced? "On second thought, we figured it'd be nice to fix them for free." NO SHIT, Firestone/Microsoft.
To even entertain a glimmer of a notion of a possibility of a thought of charging for this would have been moronic.
to your final point - I agree we should strive to have a minimum impact - but that requires that our positive intervention match our negative impact.
What negative impact are you referring to in this case? Are we creating giant waves that didn't exist before, necessitating a system to mitigate the effects of those waves?
You seem to be claiming that wave action is continually ruining coastal habitat, but I'm fairly sure coastal habitats have existed for billions of years before humans were around to "save" them.
Sounds similar to people who want to extinguish every last forest fire -- because, you know, forests didn't exist before humanity, they all burned to the ground without our benevolent manipulations...
I agree we need to counteract our negative effects on the environment, but I hardly see how wave action is a consequence of human action.
So I guess after that Enron debacle you've decided to forgo the use of electric power altogether? I mean, it's all run by a bunch of liars and thieves.
Then I think we understand each other. You're arguing that the concept of "maintainability" is inherently unquantifiable, or that it's too vague a term to be quantified. I mostly agree with that. What I was taking issue with is the statement that the sin(sqrt(...)) was essentially just mathematical voodoo. It actually tries to represent something that we intuitively know to be true -- too few comments are bad, too many comments are bad, but it's better to have too many than too few.
So, you agree then: the maintainability index is bullshit because nobody has established that it actually tells us anything about the maintainability of software.
I agree with everything about your statement except the "bullshit." Do you really divide the world into two halves like that, where everything that isn't statistically solid is "bullshit?"
In fact I'm having a hard time imagining a type of metric that you WOULD consider valid. Care to explain?
Use inheritance and virtual inline functions. Inline functions run as fast as macros, and inheritance is a lot cleaner than using function pointers.
I would agree, but the language (C, of course) doesn't offer them.
I'd like to see a piece of code that by hand-unrolling runs 7 times faster and can't be functionalized.
I wasn't exactly clear what I was talking about. The 7 times improvement is against the original, naive version of the function. The optimized version with unrolling is about 20% faster than the one without unrolling. Both are monumentally faster than the naive implementation.
Seldom is that the case nowadays in modern languages. You sound like you're writing in pure C, though;)
I'd venture to assert that the ONLY way to write high-performance graphics code is in C (or assembler). Unfortunately, it's the entire PRODUCT that's written in C, not just the performance sensitive parts. It's hard hard hard to convince anybody to change it.
It's a really hard thing to convince the marketers that "We're going to spend a year rewriting the product from scratch and when we're done it'll be exactly the same as before." They don't understand that eventually the thing is just going to collapse into a heap. And right now, there's so much pressure from marketing we have no time to work on anything else.
I'd hardly call it a death march, but something needs to happen soon.
Watts are named after a person, so you should capitalize appropriately.
Wrong. No physics text I've ever seen has capitalized "watts" or "joules" or "farads" or "coulombs" or "ohms" or "newtons" or any other physical unit -- except if it came at the beginning of a sentence.
What WOULD be inappropriate would be to diverge pointlessly from the common practices in the field. And common practice does not capitalize the units.
New Mexico is a bad location for photovoltaics. It's really hot, and PV efficiency goes down as the temperature increases.
Here in Oregon, a place most people think of as perpetually overcast and raining, you can actually get about the same amount of energy from a PV cell as you would in New Mexico (averaged over the year), simply because it's cooler here and the efficiencies go up.
Hint -- if you're in the market for solar cells, try to get the ones which are made from reprocessed semiconductor waste. Semiconductor manufacture is a very dirty process (lots of nasty chemicals) so it's good to try to reduce the amount of waste, and reuse as much material as possible.
Right, but those are not the only possible scenarios. If I had some enemy X and I wanted to forge a typewritten letter by X indicating an intent to commit a murder, I'd have a hard time doing it in a way that couldn't be disputed in court. On the other hand, it's much easier to fake an EMAIL indicating an intent to murder.
You mean differential cryptanalysis? What they did was manipulate the values of the S-boxes in a way that made the mapping immune to differential cryptanalysis. It wasn't a "weakness" in the cipher. The NSA (actually, the IBM team who was working for them) discovered differential before anybody else, and decided to strengthen the cipher against it in case somebody else discovered it. As a matter of fact, it was discovered soon thereafter.
I'm sorry, did the adult words burn you?
In the space of 160-bit strings, are there collisions? That is, is SHA-1 a bijection from 160-bit space onto 160-bit space? I also have the same question about MD5 :-)
It's very easy in this field to think you've found a good idea, then somebody really smart comes and shows it isn't as good as you thought...
Sounds like you're investing all your faith in one man. Bad plan.
Right on. I personally only try to do business with companies which are customer HOSTILE.
My God, get off it. "Customer focus" is a real, important concept. Would you prefer more companies which are self-focused?
In other words, your point that "this will probably mean that businesses will become less adoptive of technology to exchange ideas" is absolutely wrong, because he KNEW the stuff would be "leaked" and did it anyway. That means he EMBRACED it.
Maybe they consider transporting dead inventory from the warehouse to the dump to be "shipping" it? ;-)
Except that digital signatures are only RARELY applied to English documents (or documents in any human language for that matter). Do you know the most common use of PKI cryptography? Digital certificates.
Digital certificates include all sorts of "superfluous" information that most people don't look at. For example, the address of the issuant. In order to forge a certificate you only have to make sure the OWNER'S NAME is correct. The other data can be complete garbage, as far as a web browser is concerned. Which means it's not that hard to create fake certificates in somebody else's name (say, Microsoft Corp). This is the real risk here.
Obviously Firestone was a bad example because you are deliberately looking past the real point here. Okay, assume the tires were NOT killing anybody. Just totalling peoples' cars. Is that a closer equivalence for you? The fact remains that charging to fix it would have been a fucking joke.
Now quit your disingenuous line of argumentation and step up to the plate with something real.
The fact that Firestone was killing people was not my point. The fact is they released a faulty product and it would have been a fucking joke to attempt to charge to fix it.
You're deliberately looking past my real point. In other words, you're the one with the straw man.
The difference is that it is trivial to create a fake electronic document. Paper documents have inherent security features, like the paper and ink they are printed with, the typeface, the minute flaws in the printing machinery, etc.
A person who might not have been willing to fake a paper document (because of the risks of being detected) might be much more willing to fake an electronic one.
Don't be naive. The risks of spyware go far beyond lost data. I could write a piece of software than installed itself on my enemy's system and downloaded a bunch of kiddy porn. Or, I could install something onto the workstation of an FBI agent and manipulate data pertaining to a capital investigation. Or I could leak the identities of government agents. Need I continue?
Spyware is a lethal risk. Just because nobody has written spyware of the sort I just described (actually, it probably does exist, we just don't know about it) doesn't mean the risk isn't there.
No need to dissect it, just run strace and see what it's doing. There's nothing of any consequence a program can do that won't be revealed by strace.
It did not require an investigation. Do you think that when Firestone produced a whole run of shitty tires that blew up and killed people that they "investigated" whether they should charge to get them replaced?
Maybe the law doesn't require Microsoft to warrant their products, but in all ethical and moral senses it is required. To even entertain the idea of charging for it is unethical.
Uhhh... I don't think anybody's complaining that it'll "edge out" the competition. I'm all for the complete elimination of this entire industry. Spyware should not exist, and solutions to Spyware shouldn't be necessary.
Here's why it's psychotic for them to have even considered charging for it: remember those Firestone tires that were blowing up left and right and killing people? What if Firestone had "considered" charging people to get those tires replaced? "On second thought, we figured it'd be nice to fix them for free." NO SHIT, Firestone/Microsoft.
To even entertain a glimmer of a notion of a possibility of a thought of charging for this would have been moronic.
What negative impact are you referring to in this case? Are we creating giant waves that didn't exist before, necessitating a system to mitigate the effects of those waves?
You seem to be claiming that wave action is continually ruining coastal habitat, but I'm fairly sure coastal habitats have existed for billions of years before humans were around to "save" them.
Sounds similar to people who want to extinguish every last forest fire -- because, you know, forests didn't exist before humanity, they all burned to the ground without our benevolent manipulations...
I agree we need to counteract our negative effects on the environment, but I hardly see how wave action is a consequence of human action.
So I guess after that Enron debacle you've decided to forgo the use of electric power altogether? I mean, it's all run by a bunch of liars and thieves.
Then I think we understand each other. You're arguing that the concept of "maintainability" is inherently unquantifiable, or that it's too vague a term to be quantified. I mostly agree with that. What I was taking issue with is the statement that the sin(sqrt(...)) was essentially just mathematical voodoo. It actually tries to represent something that we intuitively know to be true -- too few comments are bad, too many comments are bad, but it's better to have too many than too few.
No, I'm suggesting we all code in programming languages instead of forcing everything to be like human language.
I agree with everything about your statement except the "bullshit." Do you really divide the world into two halves like that, where everything that isn't statistically solid is "bullshit?"
In fact I'm having a hard time imagining a type of metric that you WOULD consider valid. Care to explain?
I would agree, but the language (C, of course) doesn't offer them.
I'd like to see a piece of code that by hand-unrolling runs 7 times faster and can't be functionalized.
I wasn't exactly clear what I was talking about. The 7 times improvement is against the original, naive version of the function. The optimized version with unrolling is about 20% faster than the one without unrolling. Both are monumentally faster than the naive implementation.
Seldom is that the case nowadays in modern languages. You sound like you're writing in pure C, though ;)
I'd venture to assert that the ONLY way to write high-performance graphics code is in C (or assembler). Unfortunately, it's the entire PRODUCT that's written in C, not just the performance sensitive parts. It's hard hard hard to convince anybody to change it.
It's a really hard thing to convince the marketers that "We're going to spend a year rewriting the product from scratch and when we're done it'll be exactly the same as before." They don't understand that eventually the thing is just going to collapse into a heap. And right now, there's so much pressure from marketing we have no time to work on anything else.
I'd hardly call it a death march, but something needs to happen soon.
Wrong. No physics text I've ever seen has capitalized "watts" or "joules" or "farads" or "coulombs" or "ohms" or "newtons" or any other physical unit -- except if it came at the beginning of a sentence.
What WOULD be inappropriate would be to diverge pointlessly from the common practices in the field. And common practice does not capitalize the units.
Here in Oregon, a place most people think of as perpetually overcast and raining, you can actually get about the same amount of energy from a PV cell as you would in New Mexico (averaged over the year), simply because it's cooler here and the efficiencies go up.
Hint -- if you're in the market for solar cells, try to get the ones which are made from reprocessed semiconductor waste. Semiconductor manufacture is a very dirty process (lots of nasty chemicals) so it's good to try to reduce the amount of waste, and reuse as much material as possible.