Yes, but even if it's not a good source of entropy, it can be combined with other sources of entropy, and the combination, if properly done, should be stronger than either.
OTOH, I'm not someone who either has or claims to have that kind of skill.
That's NOT the entire point. One of the points, but not the only one. Let's not lose perspective here.
So what's going on is that Linus isn't convinced that this is a problem that needs fixing. And because of this he isn't going to do so. Maybe he's right, maybe he's wrong. Certainly many people could make the change if they wanted to. Red Hat certainly could, and probably would if they though their customers wanted it. Debian could, and probably would if they were convinced their ideals demanded it. Ubuntu could. Probably SUSE. Maybe even Slackware. Convince any one of those, and you'll get a distro that implements that decision. But they are demanding that Linux make this change at the root of the tree...and NONE of the groups I mentioned have been convinced.
Things are a bit different than you realize. Now the news is centrally owned. If a story appears that is politically undesirable, ALL the major news media downplay it. During the VietNam era, citizen protests were heard. Now...well, they aren't suppressed physically any more harshly, but just about nobody hears about them...which makes them rather pointless. During the VietNam era a comedian could stage a mock campaign for president on TV. Today, that's just not feasible. ETC.
When news is managed, you don't really need to manage actions tightly. And when you do, you can suppress people hearing about it. If the local police abuse their power and use tasers to torture someone, and then shoot him to death, you hear about it locally. Not nationally...unless it makes a point that the powers that be wish to be made. During the 1960's-70's an equivalent, or even a less brutal act, would be likely to be heard nation-wide. (Think Medgar Evers.)
No direct comparison is possible, and this doesn't speak directly to foreign policy anyway, but the news is much more managed now than then. (And a part of the reason for doing away with the draft is so that there would be less objection by citizens who were wealthy enough to manage to be heard.)
In a plurality rules system, if there are only three choices, then a candidate can get elected with 33.333334% of the vote. (Well, yeah, it's unlikely. But voting for the minority party you support most is, in effect, a vote for one of the top two parties that is least like what you want to support.)
This is why elections should require a majority. There are various such systems. None are perfect, but plurality rules is nearly the worst. My preference is for Condorcet Voting, but Instant Runoff Voting is much easier to explain, and so is probably a better real system. Basically you rank the candidates you find acceptable, and in each round the candidate with the lowest number of votes is eliminated. This is done with one actual vote (i.e., when you rank them). At the end of a round, if you top preference was for a candidate who has been eliminated, then your secondary (tertiary, etc.) choice is used instead when counting the votes. The rounds end when some candidate gets a majority.
So you're saying "They do it too". OK. I agree with that. But that doesn't invalidate what I said.
(OTOH, it is possible that this incident is why I remembered Airbus and Boeing in this context. Perhaps it was a different pair of companies.)
I'm having a bit of trouble tracking down the origina incident that I was remembering, but I did find: http://www.economist.com/node/304958 containing:
The second accusation, that the Echelon surveillance system is now used for commercial gain, is particularly controversial and harder to prove. A report compiled last October for the European Parliament (which preceded the Campbell report) concluded that "there is wide-ranging evidence" that governments "utilise communications intelligence to provide commercial advantages to companies". It suggested that satellites used by telephone companies are monitored by sites in Britain, America, Canada, Australia and New Zealand, while cables under sea and on land, as well as microwave tower networks, are also tapped. Such monitoring is increasingly useful, because of the growing use of e-mail, faxes and the Internet by businesses to communicate. The Campbell report agreed that there is âoewide-ranging evidenceâ suggesting governments use spies to benefit companies.
And THAT is why it can't be trusted unless it's Open Source. (There are other reasons why Open Source isn't sufficient, but it's a minimum requirement.)
What you fail to understand is that most people on this board are unsikilled in politics, and are skilled in technology. If we try a political effort, are chances are small. Those who are skilled in politics will, we hope, be pursuing that endeavor. We are skilled technologically. Perhaps we can come up with some answer.
It may not be a good hope, but it's a better chance than a geek going into politics. You play to your own personal strengths. Be aware of your weaknesses, and know yourself well enough to not trust your reactions in that area.
I don't recall the exact reference, but there has been at least one instance where a European company found rather convincing evidence that US intellignece data was used to benefit a US company bidding against a European company. I believe that the European company was Airbus, which seems to imply that the US company was probably Boeing.
Not necessarily. This could well be something secure against everyone but Google. Of course, if Google is able to decrypt it, they may be required to share the information with various governments, but perhaps they expect due recompense in some form.
Nobody seem to doubt that Google will be able to decrypt it. That's not what "end-to-end" should mean, but that's what people seem to believe it will mean. And proving that this is wrong, if it is, will be quite difficult.
A valid poiint. The number of people who could reasonably be expected to detect weak cryptography is very small. It's still easier if they have the source available. But there's also the problem of ensuring that the program being run matches the source code that was inspected.
Unless it's an approach where Google CAN'T decrypt the information. And that requires proof, which is probably not available. At a minimum it requires Open Source, but you also need to be able to prove that the software being run matches the source that is offered. And unless there's a secure method of key exchange I don't see how this could possibly work.
I don't know about currently, but in the past I believe that NO Linux system was secure. Think of a cross between login and rainbow tables.
That said, I find it amazing that simple precautions that could be default aren't even easy. E.g., after the first failed login you need to wait 2 seconds before you can try again. Square the delay for each successive failure. (2, 4, 16,... seconds) (It's still reasonable to log failures, but if you don't keep the penetration from happening, the log can just disappear.)
If you're going to play it THAT way, then the exploits go back to assembler and every early digital computer. (Analog computers had different weaknesses.)
But please remember that early Fortrans (e.g. IBSYS FORTRANII) discouraged using pointers at all. I will grant that they didn't check array bounds, but the location of the array WRT the rest of the program was not guaranteed, and was subject to being changed with different compiler options. I don't know COBOL well enough to really comment, but it's my impression that arbitrary use of pointers was even more difficult in COBOL than in FORTRAN. Don't know about variants like FARGO.
Ken Thompson's exploit was different in nature, in that it required a more sophisticated compiler.
P.S.: Many "C-ish" compilers from the early 1970's, e.g. Lifeboat-C for the I8008, came with source code in assembler, and compiled to assembler.
While there is evidence that the CIA has extensive business interests that could support it independent of US funding (not only illegal drug trafficing, but also many legitimate businesses), I know of no such evidence WRT the NSA.
I'm sorry, but this doesn't feel like Yahoo telling as much truth as they are allowed. This feels like some kind of game. I'm just not sure WHAT kind of game. It could be that they want the government off their backs, it could be that they want to suppor the Republicans, it could be something else...and something else has a wide range of options.
Also, is there any particular reason to believe that they are telling the truth? Or that the person who put the report together would even KNOW the truth?
That said, yes, this feels like some kind of PR play. Just what kind I'm not sure.
Actually, I believe the answer is yes. This is subject, however, to the House Rules, which are decided upon by the House itself. I believe this means the House Rules Committee.
P.S.: This actually may no longer be true, but it was true around 1875 (plus or minus quite a bit). And I've never heard that it changed. In the actual case the Representative eventually resigned to allow the Governor to appoint a replacement for the benefit of his party.
If you really want to secure Debian, you can. Of course it will take a bit of extra work. AND you will need to stop updating via apt-get. AND...
There are many good reasons why end-user systems aren't secure against high-powered intruders.
P.S.: You *ARE* aware that repositories don't validate the signatures as matching the owner's key aren't you? At least not for anyone who can get a CA signing authority to say the key is valid.
Rule of thumb: Don't put systems you wish to secure on the internet. Use a separate computer, and transfer files to/from it by burning CDs. Even then make sure that none of the files transferred have executable content. In that case any stable version of Debian should suffice. Of course, if this *were* to become common practice, someone would probably find a hole in it, but it would be difficult without physical intrusion.
I think you overstate a basically correct case. I doubt that commercial software is, on the average, less reliable that pirated software. Less useful seems more frequently to be the correct statement, if I judge things correctly.
OTOH, as I use FOSS software almost entirely, this is a judgement formed by reading posts on places like Slashdot. So YMMV.
I'm not really convinced that it's good practice to change passwords frequently. They need to be long, unpredictable, and memorable. That makes good ones hard to come by. If they aren't memorable, they'll just be written down. In fact they'll NEED to be written down if you change them very often.
Yes, but even if it's not a good source of entropy, it can be combined with other sources of entropy, and the combination, if properly done, should be stronger than either.
OTOH, I'm not someone who either has or claims to have that kind of skill.
That's NOT the entire point. One of the points, but not the only one. Let's not lose perspective here.
So what's going on is that Linus isn't convinced that this is a problem that needs fixing. And because of this he isn't going to do so. Maybe he's right, maybe he's wrong. Certainly many people could make the change if they wanted to. Red Hat certainly could, and probably would if they though their customers wanted it. Debian could, and probably would if they were convinced their ideals demanded it. Ubuntu could. Probably SUSE. Maybe even Slackware. Convince any one of those, and you'll get a distro that implements that decision. But they are demanding that Linux make this change at the root of the tree...and NONE of the groups I mentioned have been convinced.
That brick wall is questionable. Antennas need to be conductive. You could, however, probably hide an antenna *within* a brick wall.
Things are a bit different than you realize. Now the news is centrally owned. If a story appears that is politically undesirable, ALL the major news media downplay it. During the VietNam era, citizen protests were heard. Now...well, they aren't suppressed physically any more harshly, but just about nobody hears about them...which makes them rather pointless. During the VietNam era a comedian could stage a mock campaign for president on TV. Today, that's just not feasible. ETC.
When news is managed, you don't really need to manage actions tightly. And when you do, you can suppress people hearing about it. If the local police abuse their power and use tasers to torture someone, and then shoot him to death, you hear about it locally. Not nationally...unless it makes a point that the powers that be wish to be made. During the 1960's-70's an equivalent, or even a less brutal act, would be likely to be heard nation-wide. (Think Medgar Evers.)
No direct comparison is possible, and this doesn't speak directly to foreign policy anyway, but the news is much more managed now than then. (And a part of the reason for doing away with the draft is so that there would be less objection by citizens who were wealthy enough to manage to be heard.)
In a plurality rules system, if there are only three choices, then a candidate can get elected with 33.333334% of the vote. (Well, yeah, it's unlikely. But voting for the minority party you support most is, in effect, a vote for one of the top two parties that is least like what you want to support.)
This is why elections should require a majority. There are various such systems. None are perfect, but plurality rules is nearly the worst. My preference is for Condorcet Voting, but Instant Runoff Voting is much easier to explain, and so is probably a better real system. Basically you rank the candidates you find acceptable, and in each round the candidate with the lowest number of votes is eliminated. This is done with one actual vote (i.e., when you rank them). At the end of a round, if you top preference was for a candidate who has been eliminated, then your secondary (tertiary, etc.) choice is used instead when counting the votes. The rounds end when some candidate gets a majority.
So you're saying "They do it too". OK. I agree with that. But that doesn't invalidate what I said.
(OTOH, it is possible that this incident is why I remembered Airbus and Boeing in this context. Perhaps it was a different pair of companies.)
I'm having a bit of trouble tracking down the origina incident that I was remembering, but I did find:
http://www.economist.com/node/304958
containing:
The second accusation, that the Echelon surveillance system is now used for commercial gain, is particularly controversial and harder to prove. A report compiled last October for the European Parliament (which preceded the Campbell report) concluded that "there is wide-ranging evidence" that governments "utilise communications intelligence to provide commercial advantages to companies". It suggested that satellites used by telephone companies are monitored by sites in Britain, America, Canada, Australia and New Zealand, while cables under sea and on land, as well as microwave tower networks, are also tapped. Such monitoring is increasingly useful, because of the growing use of e-mail, faxes and the Internet by businesses to communicate. The Campbell report agreed that there is âoewide-ranging evidenceâ suggesting governments use spies to benefit companies.
which suggests that my memory was not incorrect.
And THAT is why it can't be trusted unless it's Open Source. (There are other reasons why Open Source isn't sufficient, but it's a minimum requirement.)
What you fail to understand is that most people on this board are unsikilled in politics, and are skilled in technology. If we try a political effort, are chances are small. Those who are skilled in politics will, we hope, be pursuing that endeavor. We are skilled technologically. Perhaps we can come up with some answer.
It may not be a good hope, but it's a better chance than a geek going into politics. You play to your own personal strengths. Be aware of your weaknesses, and know yourself well enough to not trust your reactions in that area.
I don't recall the exact reference, but there has been at least one instance where a European company found rather convincing evidence that US intellignece data was used to benefit a US company bidding against a European company. I believe that the European company was Airbus, which seems to imply that the US company was probably Boeing.
That being the case, I believe he was lying.
Not necessarily. This could well be something secure against everyone but Google. Of course, if Google is able to decrypt it, they may be required to share the information with various governments, but perhaps they expect due recompense in some form.
Nobody seem to doubt that Google will be able to decrypt it. That's not what "end-to-end" should mean, but that's what people seem to believe it will mean. And proving that this is wrong, if it is, will be quite difficult.
A valid poiint. The number of people who could reasonably be expected to detect weak cryptography is very small. It's still easier if they have the source available. But there's also the problem of ensuring that the program being run matches the source code that was inspected.
Unless it's an approach where Google CAN'T decrypt the information. And that requires proof, which is probably not available. At a minimum it requires Open Source, but you also need to be able to prove that the software being run matches the source that is offered. And unless there's a secure method of key exchange I don't see how this could possibly work.
I don't know about currently, but in the past I believe that NO Linux system was secure. Think of a cross between login and rainbow tables.
That said, I find it amazing that simple precautions that could be default aren't even easy. E.g., after the first failed login you need to wait 2 seconds before you can try again. Square the delay for each successive failure. (2, 4, 16, ... seconds) (It's still reasonable to log failures, but if you don't keep the penetration from happening, the log can just disappear.)
You mean "...what it is claimed that a TPM does." I doubt that anyone posting knows what it actually does. (Possibly someone reading here does.)
If you're going to play it THAT way, then the exploits go back to assembler and every early digital computer. (Analog computers had different weaknesses.)
But please remember that early Fortrans (e.g. IBSYS FORTRANII) discouraged using pointers at all. I will grant that they didn't check array bounds, but the location of the array WRT the rest of the program was not guaranteed, and was subject to being changed with different compiler options. I don't know COBOL well enough to really comment, but it's my impression that arbitrary use of pointers was even more difficult in COBOL than in FORTRAN. Don't know about variants like FARGO.
Ken Thompson's exploit was different in nature, in that it required a more sophisticated compiler.
P.S.: Many "C-ish" compilers from the early 1970's, e.g. Lifeboat-C for the I8008, came with source code in assembler, and compiled to assembler.
While there is evidence that the CIA has extensive business interests that could support it independent of US funding (not only illegal drug trafficing, but also many legitimate businesses), I know of no such evidence WRT the NSA.
When you talk about how democracy is supposed to work, you are corred. Many people do suppose that it works that way.
At least as implemented in the US (and, AFAIK, in other countries) it doesn't.
I'm sorry, but this doesn't feel like Yahoo telling as much truth as they are allowed. This feels like some kind of game. I'm just not sure WHAT kind of game. It could be that they want the government off their backs, it could be that they want to suppor the Republicans, it could be something else...and something else has a wide range of options.
But it doesn't feel like straight reporting.
Also, is there any particular reason to believe that they are telling the truth? Or that the person who put the report together would even KNOW the truth?
That said, yes, this feels like some kind of PR play. Just what kind I'm not sure.
Nah, it was in a US History class. But I did find it quite interesting.
Actually, I believe the answer is yes. This is subject, however, to the House Rules, which are decided upon by the House itself. I believe this means the House Rules Committee.
P.S.: This actually may no longer be true, but it was true around 1875 (plus or minus quite a bit). And I've never heard that it changed. In the actual case the Representative eventually resigned to allow the Governor to appoint a replacement for the benefit of his party.
If you really want to secure Debian, you can. Of course it will take a bit of extra work. AND you will need to stop updating via apt-get. AND...
There are many good reasons why end-user systems aren't secure against high-powered intruders.
P.S.: You *ARE* aware that repositories don't validate the signatures as matching the owner's key aren't you? At least not for anyone who can get a CA signing authority to say the key is valid.
Rule of thumb: Don't put systems you wish to secure on the internet. Use a separate computer, and transfer files to/from it by burning CDs. Even then make sure that none of the files transferred have executable content. In that case any stable version of Debian should suffice. Of course, if this *were* to become common practice, someone would probably find a hole in it, but it would be difficult without physical intrusion.
I doubt it. If they were, why would they need that quantum computer they're ordering. It probably (currently) takes them hours or days.
OTOH, perhaps they just want to be prepared for the backdoors going away.
I think you overstate a basically correct case. I doubt that commercial software is, on the average, less reliable that pirated software. Less useful seems more frequently to be the correct statement, if I judge things correctly.
OTOH, as I use FOSS software almost entirely, this is a judgement formed by reading posts on places like Slashdot. So YMMV.
I'm not really convinced that it's good practice to change passwords frequently. They need to be long, unpredictable, and memorable. That makes good ones hard to come by. If they aren't memorable, they'll just be written down. In fact they'll NEED to be written down if you change them very often.