What part of this: "When you buy a copy of something you have rights in the copy, that's it. No metaphysical rights to listen, reproduce additional copies, etc." do you think I'm misunderstanding?
Saying "No... rights to... reproduce additional copies" is a lie.
When a lawyer tells a guy he has no rights to make copies, he is WRONG. Everyone explicitly has the right to make copies for any of several purposes. Your quote makes that VERY clear. So, thanks.
you seem to have a general misunderstanding about the basic principles of copyright law. When you buy a copy of something you have rights in the copy, that's it. No metaphysical rights to listen, reproduce additional copies, etc. I don't know what gives you this idea.
It seems strange to me that a copyright lawyer hasn't heard of the fair use rights granted by US copyright law (Title 17, section 107).
The person asking the legal question is better informed than the lawyer!
That's true. But since a lot of these things are discovered by researchers in countries with failed economies (like the former USSR), $10k US would be worth keeping quiet about.
And I am sure avoiding a 0-day exploit is worth more than $10k to MS.
Did you see the word "first" in there? The suggestion is that anyone who independently discovers and reports the vulnerability before the patch is released gets paid. That gives MS motivation to patch more quickly.
And if they decide to never patch, there is nothing to stop the researcher from publishing it 0-day, anyway.
But I didn't say this was what is best for everyone. I said this would be a good one for MS, because they would get all the time they need to fix the problems, and encourage people to come to them first.
If I were deciding policy for MS or any other big vendor, I would publish a "hush money" policy on security vulnerabilities.
Basically, it would go like this:
"If you discover a vulnerability and report it only to us, when we eventually release the patch, we will give you credit for discovering it (what researchers really want), and we will give you $10,000. If you report it to anyone else before we release the patch, you will get no money and no credit."
I think the usual use of this is on crowds which have become violent and are looting or vandalizing.
Before we had nonlethal weapons, such crowds were beaten with clubs, bitten by dogs, sprayed by fire hoses, or sometimes shot with real bullets.
In some cases, corrupt leaders have ordered these (occasionally deadly) tactics be used on peaceful crowds.
I would think most people in charge here would be interested in the looting-type crowds. But with either type, I would rather the government use non-lethal weapons.
if you're a shareholder and you don't like what the corporation is doing you can sell and invest in some other corporation -- that's the whole point of a public company!
No! The point of a public company is that if you don't like what management is doing, you vote for a new Board which will replace the management with someone you DO like.
If you buy shares, you OWN part of the company. The CEO works on your (plural, collective) terms, you don't work on his!
The FEDERAL government should start an X.509 PKI. It should issue CA keys to all the state governments. They can pass them down to the birth-certificate-issuing level. Then, instead of a birth certificate, you get a credit card with a smart card which has a key signed up through the federal one.
Any COTS smart card reader could verify that you are legit.
This would cost a little bit of money initially, but it would pay for itself thousands of times over due to the reduction in fraud.
It isn't perfect--it is as close as we could get, though. CRL distribution? Hell, it could be broadcast over AM radio, from GPS sats, whatever. Not a big deal.
Whether you have been a victim of identity fraud or not, YOU ARE PAYING FOR IT in terms of increased costs on everything you buy. Federal PKI is the solution to identity fraud.
Sure, if by "everyone," you mean "a small minority."
But I'm always willing to share insight with the sightless masses.
Actually, I'm doing you a favor. Just like someone would be doing the President a favor if they mentioned to him that he was pronouncing "nucular" incorrectly.
Since when was there a slashdot captcha box? I've never seen this.
Re:Peer review, One-Time Pads, and Strong Crypto (on Crypto Snake Oil, Score: 1)
I never suggested anyone use OTP. I said it was the only one that was provably secure. Everything else relies on the fundamental tenet of cryptography.
I'd say that if the software is popular and open, then yes, you'll probably have fairly good security.
It sounds like we are mostly in agreement.
So an expensive piece of commercial niche software (i.e. unpopular) will be secure even if very few people looked at the code, if the vendor prioritized security and spent money on hiring good people to do so.
I can't disagree with what you are saying. But when evaluating products, I have no way of knowing for sure "if the vendor prioritized security and spent money."
If I were stuck in academia and trying to make a name for myself in crypto, I would begin by trying to find flaws in something that is popular and open source. I'm not the only person who thinks that way, I'm sure.
You really do sound paranoid. Unless you are totally ignorant, you must know that any math/compsci student who could show a well-established crypto system is easily breakable would have his career set for life.
So you must think it is possible that every time one of these students publishes a paper on a fast way to factor large numbers, he vanishes, never to be seen again. How many people vanished from the math dept. of your school? That just doesn't happen. Unless "they" (meaning all of academia) are also in on it.
Come on, think it through. It's unreasonable.
Re:Still not too bad (on Crypto Snake Oil, Score: 2, Informative)
Peer reviewed does not equal security. It could be there are several known flaws in something that's had "peer reviews"...
Yes, "it could be" that many unlikely things are true. But they are still unlikely.
Are you new to cryptology? It seems you are unfamiliar with the fundamental tenet of cryptography: "If lots of smart people have failed to solve a problem, then it probably will not be solved anytime soon."
You seem to think peer review doesn't have much to do with cryptography, but I would argue that it is the most important thing. If you expect an algorithm to be "provably" secure, then the only algorithm you have any business using is OTP.
Because it is unreasonable to expect you to hire "lots of smart people" to review any crypto you use, the next best thing is to go for using a solution that lots of people (in general) use, and assume that a subset of those people were smart:-)
You really should pick up this book as a basic intro to crypto.
Re:Still not too bad (on Crypto Snake Oil, Score: 5, Interesting)
I would say that there is an inverse relation (at least somewhat) between price of crypto software and real security.
The cheaper the software is, the greater the number of people who could have peer-reviewed it for correctness. The more open the software, likewise.
Really expensive software could only have been peer-reviewed by a small number of people, while free, open source software could have been reviewed by a huge number of people.
I recently was asked to recommend a way for my CEO and several other executives to secure their IMs. I recommended gaim + gaim-encryption because it was all open source and free, so if there were a flaw in the crypto implementation, it would likely have been discovered already.
I also made sure the CEO knew that he was using open source software, and I told him why. He was totally down with it:-)
Re:There's a gene that confers some resistance... (on Humanity Gene Found?, Score: 1)
The same mutation that gave some Europeans immunity to the plague also blocks HIV. Don't you watch PBS? Bad geek!
Some newer CDs and audio DVDs come with support for 6-speaker sound systems. Is this even possible with records?
Also, can iTunes (AAC) or MP3 or WMA do surround sound?
Cat? Cat is for girlie-men! If ye had anything hangin between those skinny legs, ye'd write using copy con!
If "hacker" is a term for skill, then it holds no moral value. A "good" hacker is just as much a hacker as a "bad" hacker.
And good hackers are hardly ever newsworthy...
Or are you AC because you are trolling?
Google's real motto is to make money by producing the least annoying, most effective advertising.
In the advertising world, annoying == evil. With that terminology, google does no evil.
But in the REAL world, evil means a lot more. At best, google can claim they are less evil than most.
How much would you save on paper costs, vs how much would you pay to fix all the paper jams from wrinkled paper going back in the printer?
"everyone else capitalizes it these days"
What do you think SPAM stands for?
Care to explain that a little bit further?
Which books would you want to see on someone's bookshelf for you to consider respecting them?