Slashdot Mirror


User: techmuse

techmuse's activity in the archive.

Stories: 0
Comments: 236

Comments · 236

  1. Orange? on Ask Mark Shuttleworth Anything · · Score: 1

    Orange is very pervasive throughout Ubuntu, but isn't often used elsewhere, at least not in the US. I'm wondering if this is your favorite color, or if it is more popular in South Africa, or if there is some other reason that orange was chosen as Ubuntu's signature color?

  2. Future influences on Linux? on Linus Torvalds Will Answer Your Questions · · Score: 1

    Hi, Linus. What do you think the big challenges in OS design will be over the upcoming years? Will Linux be influenced more heavily by mobile devices, servers, or something else? What do you foresee coming along that will have the greatest impact on Linux?

  3. What would you like to see developed next? on Ask Internet Visionary and Pioneer Vint Cerf · · Score: 3, Insightful

    I'm curious what technologies you would like to see developed next, or what you think would be most important to develop next. In other words, what do you think researchers should work on now that would be most significant?

    Oh, and thank you for changing my life!

  4. Inspiring the next generation? on Ask William Shatner Whatever You'd Like · · Score: 5, Interesting

    Growing up, Star Trek was one of the things that got me interested in engineering and the sciences. It made me want to see the future, or create it myself. What do you think should be done to inspire the next generation of scientists and engineers?

  5. Re: What's missing from this article? on America Losing Its Edge In Innovation · · Score: 4, Informative

    The thing is, if a group of engineers discusses an idea, sooner or later an idea pops up that everyone at the table agrees is the best possible solution, given the problem to be solved and the resources available to solve it. Then they go put their solution into practice. Politics isn't like this. There are always a few nimrods who will denounce even the sanest solution to any problem as "statist" or "communist" or whatever the appropriate political insult is at the moment, so the end solution is almost never the sanest one.

    QUICK: Name the last president we had with an engineering degree.

    A: J. Carter

    He didn't work out too well, did he? :(

    Carter inherited a disastrous economy, which resulted from a prolonged war funded by future earnings. When the bill came due at the end of the decade, the economy had massive problems. Sound familiar?

  6. Re:URL Bar on Firefox 4 Beta 8 Up · · Score: 1

    It's a bug that the FF developers don't believe exists. Please see https://bugzilla.mozilla.org/show_bug.cgi?id=620723.

  7. Re:I don't think the authors understand cryptograp on For 18 Minutes, 15% of the Internet Routed Through China · · Score: 1

    To get a sense of how long it would take to find a particular key, consider:

    The key has n bits, so there are 2^n possible keys that can be enumerated with those bits.

    Each processor can test m keys per second. (I'm assuming each processor has the same performance, and ignoring latency between CPU nodes, I/O latency, or anything else that might slow the system down.)

    You have access to p processors.

    So the time to process all 2^n keys is:

    (2^n)/p*m

    Note that the value of m doubles once every 18 months (due to Moore's law), so to keep the key finding time constant, you must also add a bit every 18 months. (Adding bits is fairly cheap, but developing faster processors is not!) The value of p is not all that important because p increases linearly as you add more nodes, while n and m increase exponentially. To figure out how long of a key you need for a given algorithm, you simply need to determine the amount of time that you want to keep your data secret for, and choose a number of bits such that (2^n)/p*m is sufficiently large.

    I'll let you plug in the numbers and work out the exact times for your favorite system for yourself. :-)
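The sizing rule from the comment above, worked through as an added example (not part of the original comment): it reads the expression as 2^n divided by the aggregate rate p·m, and goes one step further by integrating the 18-month doubling of m over the whole secrecy period. The function names and the sample figures for m and p are assumptions chosen for illustration.

```python
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600
DOUBLING_YEARS = 1.5  # the comment's "doubles once every 18 months"


def exhaust_seconds(n_bits, m, p):
    """Seconds to try all 2^n keys at a fixed aggregate rate of p*m keys/s.

    This is the worst case; on average the key is found in half this time.
    """
    return 2 ** n_bits / (p * m)


def keys_tested(years, m, p, doubling_years=DOUBLING_YEARS):
    """Keys tried in `years` when the per-processor rate m keeps doubling.

    Integrating p*m*2^(t/d) over 0..T gives p*m*d/ln(2) * (2^(T/d) - 1),
    with d and T in seconds.
    """
    d = doubling_years * SECONDS_PER_YEAR
    t = years * SECONDS_PER_YEAR
    return p * m * d / math.log(2) * (2 ** (t / d) - 1)


def min_key_bits(years, m, p, doubling_years=DOUBLING_YEARS):
    """Smallest n whose keyspace 2^n exceeds what can be tried in `years`."""
    return math.floor(math.log2(keys_tested(years, m, p, doubling_years))) + 1


if __name__ == "__main__":
    # Constructed figures: 10^9 keys/s per processor, 10^6 processors.
    m, p = 1e9, 1e6
    print("56-bit key, one processor: %.2f years"
          % (exhaust_seconds(56, m, 1) / SECONDS_PER_YEAR))
    for years in (10, 30, 31.5):
        print("secret for %5.1f years -> at least %d bits"
              % (years, min_key_bits(years, m, p)))
    # Doubling the processor count costs the defender a single extra bit.
    print("same 30 years, 2x processors -> %d bits"
          % min_key_bits(30, m, 2 * p))
```

Extending the secrecy period by one doubling interval and doubling the number of processors each raise the answer by one bit, which is the asymmetry between n, m and p that the comment points out.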

  8. Re:I don't think the authors understand cryptograp on For 18 Minutes, 15% of the Internet Routed Through China · · Score: 1

    It depends on the algorithm used, the performance of the individual nodes, the number of nodes being used in the attack, etc. Botnets vary wildly in size and performance. The Chinese supercomputer is (most likely) composed of off the shelf Intel or AMD processors. If someone used hardware custom designed to run a brute force attack, it might run much faster. (That's how some of the RSA challenge cracks were done.)

    "Is it theoretically possible to derive the server's private key from a session key? How about from multiple session keys?"

    Shouldn't be if you are using a well designed algorithm! If you could, that would be a major hole.

  9. Re:I don't think the authors understand cryptograp on For 18 Minutes, 15% of the Internet Routed Through China · · Score: 1

    Because (assuming that you don't trust the Chinese CA), they would have to use Google's private key in order to produce signed data that was tied to the identity asserted in the certificate issued by the CA that signed for Google.

    If you trust a CA that is controlled by the attacker, you're toast. You have to ensure that you do not. (I don't think most people in the world have any idea what a CA is though, let alone how to tell their browsers which ones to trust, so the reality is that any CAs that Mozilla or Google or Microsoft or other browser makers trust (by including them in their browsers by default) are also "trusted" by you.)

  10. Re:I don't think the authors understand cryptograp on For 18 Minutes, 15% of the Internet Routed Through China · · Score: 1

    Yes. Actually, I am. :-)

  11. Re:I don't think the authors understand cryptograp on For 18 Minutes, 15% of the Internet Routed Through China · · Score: 1

    Breaking modern encryption algorithms using current techniques would take somewhere around the lifetime of the universe. The number of computations required to break a well designed algorithm increases exponentially with the key length. You should always use an algorithm and key length that can be expected to protect your data for longer than the data will remain valuable.

    As I indicated in my explanation below, being able to create a certificate does not mean that they can trick you into trusting their site. They must have a cert signed by a root CA that you trust. If you trust the Chinese CA, then you're stuck trusting its assertions. But if you don't, the attack can't work.

  12. Re:I don't think the authors understand cryptograp on For 18 Minutes, 15% of the Internet Routed Through China · · Score: 1

    Certificates aren't used to encrypt anything. The certificate contains a set of assertions about the subject of the certificate, signed by the certificate issuer. One of those assertions is typically the subject's public key. All the certificate is claiming is that a certain public key is associated with a certain identity, where that identity is claimed by the certification chain starting at some root (in this case, the Chinese CA). If you trust a certain root CA, then you also must trust any assertions made by the children of that CA in the CA hierarchy. If you do not trust that CA, then you won't trust any certification paths that originate at that root.

    So is a man in the middle attack possible, as you've described? No. Here's what would actually happen:

    1) You request a secure page "https://mail.google.com"
    2) Google's server sends you Google's certificate. This is signed (through some CA chain) by a root CA that you (presumably) trust. An attacker could also send you Google's cert, but the attacker doesn't have Google's private key, so anything they encrypt could not be decrypted using Google's public key.
    3) You verify that certificate by validating the certificate chain to it. Note that even though China may have a root CA, it doesn't have the private key that was used to generate the certificate. (If China sent you such a cert, it would only validate against the Chinese root CA, which you would have to already trust!)
    4) If the attacker attempts to do a man in the middle attack, they can pass you a certificate, but they can't generate data signed by Google, unless you trust China's root CA, because the attacker doesn't have Google's private key.

  13. I don't think the authors understand cryptography on For 18 Minutes, 15% of the Internet Routed Through China · · Score: 2, Insightful

    There are two problems here:

    1) Can China redirect traffic through its network by advertising that it has the lowest cost routing path? (Apparently, yes.) This is a wormhole attack, and is well documented in research literature.

    2) Can China record or alter any traffic that passes through its network? If the data is sufficiently well encrypted, it cannot read that data, although it can record the cyphertext. The fact that China can issue a certificate does not mean that it can read *your* data. It only means that encrypted data sent to Chinese servers can be read by the holder(s) of the encryption keys used by those servers.

    If you are sending data over the net, and want to protect it, be sure that it is encrypted. If you don't care, be aware that anyone might be able to monitor it, even governments of other countries. If you don't trust the Chinese root CA to certify the identity of servers that you go to, don't accept their CA's certificate as an authority for that purpose.

  14. Re:Diagnostics, system configuration, etc on Swedes Show Intel Sandy Bridge Running BIOS-Successor UEFI · · Score: 4, Informative

    OS X will tell you all of this stuff in the system profiler. In fact, if you install RAM in a non-optimal configuration in a Mac Pro, it will automatically detect it and tell you how to correct the problem for best performance. In the laptops, there is no "wrong" configuration, unless you put the wrong type of RAM in, in which case that RAM slot is disabled or, in the worst case, the system won't boot (in which case UEFI wouldn't help you anyway).

  15. Re:Good way to get your laptop attacked on USB 'Dead Drops' · · Score: 4, Informative

    And here is an article on this exploit technique:

    http://www.dailytech.com/USB+Drive+Malware+Exploit+Windows+7+Flaw+in+Apparent+Espionage+Effort/article19065.htm

  16. Good way to get your laptop attacked on USB 'Dead Drops' · · Score: 5, Informative

    So basically, you are being invited to connect a USB device from an unknown source, with unknown code on it, to your machine. There have been many instances of people leaving USB sticks with exploit binaries around for people to find. You find the stick, stick it in your machine, and are promptly exploited. Regardless of whether the creator of the dead drops hasn't done this intentionally themselves (hopefully, they haven't), you have no idea what might have been placed on the sticks by others.

  17. Profs should use what's best for them and students on Should Professors Be Required To Teach With Tech? · · Score: 1

    Different profs have different styles of teaching and communicating. Different technologies lend themselves well (or not) to different courses. PowerPoint slides work only so long as they are distributed to the students, but often cause the class to be taught too fast to take detailed notes. A blog wouldn't be useful at all for many courses. Would you find a blog on Roman history useful? What current events would the prof be responding to? How about a course on physics or compilers or crystal structures or genetics? How exactly would a blog help there?

    Are the students technically inclined? If not, using technical resources may hurt more than it helps.

    What really matters is if the prof can give clear explanations that students who learn in different ways can understand, whether or not the course is paced appropriately for the students, whether it is sufficiently advanced, but not so advanced that the students can't comprehend what is going on, whether assignments teach the students more of what they need to know, whether grading and feedback are timely and helpful, etc. It's not about throwing the latest technology at the students. That doesn't help at all unless it actually enhances how the students learn, or how effectively the prof can deliver the material!

  18. Have to take externalities into account too on Nuclear Energy Now More Expensive Than Solar · · Score: 1

    Unfortunately this reasoning doesn't take into account that there are severe health and environmental costs from other forms of power production. When you take into account acid rain, global warming, air pollution, respiratory health effects, environmental damage from mining and oil drilling, and damage to the global ecosystem, Nuclear is likely to be far cheaper over the long term than most other forms of power. You have to look at the total cost of the technology, including obtaining and processing fuel, generating power, emissions, waste disposal, and costs to deal with externalities such as the effects mentioned above. When you take all of this into account, nuclear and solar are a bargain.

  19. Re:cough on The Ignominious Fall of Dell · · Score: 1

    The first generation iPhone came out in 2007, not 2008. That's 3 years.

  20. Early termination on Verizon Charged Marine's Widow an Early Termination Fee · · Score: 4, Funny

    Death is a form of early termination. Doesn't death let you out of any contracts you are in by law?

  21. Re:Copy them to a Mac, use Automator on A File-Centric Photo Manager? · · Score: 1

    That's not what the original poster is asking. They want to rename the files using the time, date, and location metadata in the file itself, rather than ordering them sequentially.

    No, you don't need to write a batch file. Automator is graphical. You drag the operations you want into the sequence you want them and click play and it runs.

    http://www.macosxautomation.com/automator/

  22. Copy them to a Mac, use Automator on A File-Centric Photo Manager? · · Score: 3, Informative

    OS X comes with a graphical scripting tool called Automator. You can set up a batch file rename script with it that will rename every photo in a folder of your choice with the date and time added to the file name, plus a sequence number, and any other text if you desire. I used it to rename over 8000 photos originally named img_xxxx in 2 or 3 minutes.

    So just copy them onto a Mac, run the Automator script on them, and copy them back.

  23. The new plan is a really bad idea on Mixed Reception To AT&T's New Data Pricing Scheme · · Score: 5, Insightful

    The plan is just a way for AT&T to get rid of its least profitable customers. These are the ones who actually *use* the network capacity that they pay for. Most people are light users. They pay a lot of money but don't actually use much capacity. AT&T loves these people, because it's essentially free money. The ones who actually use the service are not very profitable, because AT&T has to provide capacity for them. (Capacity isn't needed if you don't use the network!) So rather than expanding capacity to match demand, they're making it economically infeasible to *use* the capacity that you pay for.

    AT&T claims that most people use less than 2 GB/month. That's great, but that's partly because of the lack of good applications for most smartphones. (iPhone users use much more than half the data on the network.) Imagine if AT&T had imposed a cap based on what most people used in 1993. The web would have no pictures. You couldn't afford them. If they based it on what people used in 1996, the web would have no audio or video. You couldn't afford it. Same with most applications used today, network based software distribution, Skype, and many other things we take for granted. The cap makes higher bandwidth applications unaffordable for most users, and will seriously stifle the development of new technologies for mobile devices.

    This is a truly bad idea...

  24. Why is income reported twice? on IRS Wants a Cut of Sales On eBay and Craigslist · · Score: 1

    When you earn income from a job or investments, that income is normally reported to the IRS. But then you have to report that same income yourself. Why is the data not just sent straight to the IRS, which could automatically calculate your tax bill?

  25. Some big differences... on The Fashion Industry As a Model For IP Reform · · Score: 4, Insightful

    People copy fashions of high end items. Most people can't afford those anyway. They're too expensive. So no sales are lost.

    Clothing is a physical good. If you can make one instance of it, you still need to repeat the whole manufacturing process to make more. This is not true of digital information.

    The value of a good drops with the availability of the good. Digital information can be replicated infinitely. Clothing is much harder to replicate.

    The value of clothing drops dramatically within 3 months because fashions are seasonal. So if you can replicate it after 1 year, no one cares. This is not true of software, movies, music, etc. A lot of IP retains its value for decades or longer.