Slashdot Mirror


User: mukund

mukund's activity in the archive.

Stories
0
Comments
209

Comments · 209

  1. Why that's nothing on Games Are Supposed To Be Fun, Right? · · Score: 2, Interesting

    I'm still blown away every time a new Pac Man comes out.

  2. Voiding the GPL on GPL Violations of Miranda IM · · Score: 1

    I'm not siding with these ^%$^%$£$% who carelessly copied the source code of a GPLd program and refused to release the derivative work under the GPL, but the clause about the attempt to void the rights granted by the GPL has been debated before. It's not quite clear how they'd void the license, given that the company making StarMessenger or someotherstupidmessenger can simply download a new copy of the program and get a fresh license for using it. This is not a contract either.

  3. Re:The card number / expiry-date system is stupid on Security Breach Exposes 40M Credit Cards · · Score: 2, Informative

    Not to mention that a truly secure card reader would cost a lot more than $25. $150 would be much more realistic. To be even somewhat secure, it would need to at least have a display and its own network connection, which adds quite a bit to the cost.

    No, a `fully secure' card reader costs $25 today, and expect prices to keep falling as demand goes up. To be somewhat secure? You still don't seem to get the idea of the signing operation of a transaction done on a card. I suggest you read up on how a JavaCard works.

    Customers generally don't need to ship stuff to 20 different addresses, and it's not difficult to call your bank and have them add another authorized address. Most places will still ship to an alternate address, they will just call you first to confirm. Having to use special card reader hardware would be much more of a hassle.

    No, customers don't have to ship items to 20 addresses, but I'm not about to register all my acquaintances' addresses to the credit card just because I want to send them gifts directly.

    Your system has exactly the same problem. There is no foolproof way to identify a person remotely. Plus, your system is now susceptible to spyware: put some software on the customer's machine to hijack the card reader and you can do what you want with the credit card. If anything, it's LESS secure.

    I believe you're just trying to knock me here, rather than actually first read up and understand how the system works. Read up on how a Java Card works. I'll explain once more for your benefit. The cryptographic signing operation takes place on the card. Your private key is stored on the card and there is no way you can extract the key from the card. You can only present a transaction to the card and have it signed, and retrieve the signed transaction. The signature is only valid for one transaction, done by a particular vendor only, because the signed data contains the transaction ID and the price being paid. The signature request which is supplied to the card contains the price the person would pay, the vendor details and the transaction ID. This is displayed *on the card* before a customer makes a payment by choosing an option *on the card*. These cards will not be significantly more expensive to manufacture in quantity. Remember card-sized calculators? That was back in 1980.

    No, the system does not have the same problem, nor is it susceptible to spyware. You can hijack a card reader, but you can't hijack the card itself, which needs to do the signing after reading the user's input *on the card*, which is only powered by the card reader, which also provides the reader interface for communicating with the PC. The card reader is otherwise stupid. No other software on the PC has the private key to do this signing. Even if you were to tap the wire communication, you still cannot fool the system. If you do not follow this, I suggest you read up on even user-land items like PGP Corporation's introduction to cryptography, which should be reasonable for a newbie to follow. Read on digital signatures and how they are not susceptible to man/monkey in the middle attacks (when the card's public key is known and trusted by the bank), which is exactly what you're claiming by hijacking the card reader.

  4. Re:The card number / expiry-date system is stupid on Security Breach Exposes 40M Credit Cards · · Score: 1

    Not to mention most merchants won't ship to anywhere other than your billing address without verification from you, which pretty much makes obtaining merchandise in a fraudulent manner next to impossible.

    Goods aren't the only things purchased with credit cards. Many Internet services such as iTunes or dating websites have nothing to ship. Think of Amazon gift certificates.

    Your scheme would require hundreds of dollars in hardware in order to buy stuff, and you would have to drag around a card reader with you everywhere (I often make online purchases from random places). I'd say a system like that would pretty much kill off e-commerce. Also, maybe you have smartcards in Europe, but I've yet to see a single smartcard-based credit card here in the US. Virtually all credit cards here are regular magstripes.

    Perhaps you have not understood how this would be implemented and used. Let me explain. You already use a card reader when paying for a lot of goods and services. When you go to a restaurant and pay with your card, they put it in a card reader. The same way, a computer can also read data from cards by having a device attached. Now, coming to the topic of lugging that device everywhere you go---you do not have to. By the time such a system takes off (and trust me, eventually we will use some sort of system which resembles the one I've described as nothing else is secure enough), many desktops will have a card reader attached, for various purposes such as authentication of your identity instead of a username/password. The transaction(vendor, price, transaction ID) will be displayed on the *card* and you can pretty much buy items using any reader as the signing operations take place inside your card which you carry around, just like you carry your current credit card around.

    How much more would all this cost? Not much more than the amount of insurance which these financial institutions end up paying due to frauds caused by using an insecure system. A card reader currently costs US $25, which a bank can afford to provide to a customer for better security.

    The burden of using a system should not be up to a vendor or a customer (e.g., shipping to the cardholder address only). It makes it incredibly inconvenient. The other day I ordered a DVD drive and wanted it shipped to my office address and the stockist just wouldn't. How can I send a gift to a person in another country? The current system is not right, and there'll be something which'll fix it.

    The current system is incredibly stupid, because it doesn't verify a person. It merely identifies a person's card with a card number, and this identity can be adopted by anyone masquerading as that person.

  5. The card number / expiry-date system is stupid on Security Breach Exposes 40M Credit Cards · · Score: 3, Insightful

    Banks and financial institutions need to start using public-key encryption to authenticate a user rather than a card number and expiry date. Many Visa/MasterCard cards already come as smart cards these days and it should be easy to upgrade them to operate as a JavaCard, for example. Couple this with a USB card reader issued by the bank. A website can then ask for a signed payment (to be signed in a chip inside the card), valid for a short time period and usable only once, in that transaction. You verify it by looking at the reader, or a display on the card itself, and reading the name of the store you're making the payment to, and press a button on the card or on the reader to grant/deny it. In this way, no external software outside the card is involved with granting money which can be tampered with. The signature takes place in the card. No credit card numbers stored. Payment made. Everyone's happy.
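
    The signed-transaction scheme proposed in this comment and elaborated in comment 3 above, written out as an added example; this is not code from the original posts and the commenter specified no particular algorithm. It assumes Ed25519 as the card's signature scheme (a stand-in for whatever a JavaCard applet would use), and the names Card, Bank, Transaction, the shop names and the clock value are constructed for illustration. The private key exists only inside Card; the reader/PC side gets back a signature or a refusal and nothing else. The bank verifies against the card's public key it already trusts, checks the expiry the comment asks for, and remembers transaction IDs so a captured signature cannot be replayed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Transaction is the signature request the merchant hands to the card. The
// card shows Vendor, Amount and TxnID on its own display before signing.
type Transaction struct {
	Vendor   string
	Amount   uint64 // minor units (cents)
	TxnID    uint64
	NotAfter uint64 // unix seconds; the bank rejects signatures presented later
}

// Encode produces the exact bytes the card signs. Every field is covered, so
// changing any of them on the PC side after signing invalidates the signature.
func (t Transaction) Encode() []byte {
	v := []byte(t.Vendor)
	buf := make([]byte, 8+len(v)+24)
	binary.BigEndian.PutUint64(buf[0:8], uint64(len(v)))
	copy(buf[8:], v)
	off := 8 + len(v)
	binary.BigEndian.PutUint64(buf[off:off+8], t.Amount)
	binary.BigEndian.PutUint64(buf[off+8:off+16], t.TxnID)
	binary.BigEndian.PutUint64(buf[off+16:off+24], t.NotAfter)
	return buf
}

// Card models the smart card. The private key lives only here; the reader can
// invoke Sign and nothing else.
type Card struct {
	priv    ed25519.PrivateKey
	Display string // what the card-side display last showed
}

// NewCard generates the card key pair and hands the public key to the issuer.
func NewCard() (*Card, ed25519.PublicKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Card{priv: priv}, pub
}

// Sign displays the request on the card and signs only if the holder approves
// on the card itself. approve stands in for the button on the card.
func (c *Card) Sign(t Transaction, approve func(shown string) bool) ([]byte, error) {
	c.Display = fmt.Sprintf("PAY %s %d.%02d TXN %d", t.Vendor, t.Amount/100, t.Amount%100, t.TxnID)
	if !approve(c.Display) {
		return nil, errors.New("card: holder declined on the card")
	}
	return ed25519.Sign(c.priv, t.Encode()), nil
}

// Bank trusts the card's public key and records every TxnID it has honoured.
type Bank struct {
	pub  ed25519.PublicKey
	seen map[uint64]bool
}

func NewBank(pub ed25519.PublicKey) *Bank {
	return &Bank{pub: pub, seen: map[uint64]bool{}}
}

// Settle accepts a signed transaction once, before its expiry, and only if the
// signature covers exactly the transaction being presented.
func (b *Bank) Settle(t Transaction, sig []byte, now uint64) error {
	if now > t.NotAfter {
		return errors.New("bank: signature expired")
	}
	if b.seen[t.TxnID] {
		return errors.New("bank: transaction ID already used (replay)")
	}
	if !ed25519.Verify(b.pub, t.Encode(), sig) {
		return errors.New("bank: bad signature (altered transaction or wrong card)")
	}
	b.seen[t.TxnID] = true
	return nil
}

// Outcome holds the bank's or card's verdict for each step of the scenario
// (nil means accepted).
type Outcome struct{ Honest, Altered, Replay, Expired, Declined error }

// Scenario runs an honest purchase and the attacks discussed in the thread:
// a hijacked reader altering the signed request, replay of a captured
// signature, a stale signature, and a request the holder refuses on the card.
func Scenario() Outcome {
	card, pub := NewCard()
	bank := NewBank(pub)
	now := uint64(1118000000) // constructed clock value
	tx := Transaction{Vendor: "example-shop", Amount: 4999, TxnID: 7, NotAfter: now + 120}
	sig, _ := card.Sign(tx, func(string) bool { return true })

	var o Outcome
	altered := tx // hijacked PC-side software bumps the amount after signing
	altered.Amount = 499900
	o.Altered = bank.Settle(altered, sig, now)
	o.Honest = bank.Settle(tx, sig, now)
	o.Replay = bank.Settle(tx, sig, now) // same signed transaction presented again
	late := Transaction{Vendor: "example-shop", Amount: 100, TxnID: 8, NotAfter: now + 60}
	lateSig, _ := card.Sign(late, func(string) bool { return true })
	o.Expired = bank.Settle(late, lateSig, now+61)
	_, o.Declined = card.Sign(Transaction{Vendor: "shady-shop", Amount: 100000, TxnID: 9, NotAfter: now + 120},
		func(shown string) bool { return false }) // holder reads the card display and refuses
	return o
}

func main() {
	o := Scenario()
	fmt.Println("honest  :", o.Honest)
	fmt.Println("altered :", o.Altered)
	fmt.Println("replay  :", o.Replay)
	fmt.Println("expired :", o.Expired)
	fmt.Println("declined:", o.Declined)
}
```

    The point the thread argues is visible in Scenario: spyware that controls the reader can change what it sends to the bank, but it cannot produce a valid signature over the changed bytes, and a signature it captures is bound to one TxnID that the bank will only honour once.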

  6. Linux confidence boosting measures on Linux For Losers According To De Raadt · · Score: 4, Funny

    "You know what I found? Right in the kernel, in the heart of the operating system, I found a developer's comment that said, 'Does this belong here?'" Lok says. "What kind of confidence does that inspire? Right then I knew it was time to switch."

    Damn. Somebody remove that comment.

  7. Re:Broken right out of the box on Fedora Core 4 Quick Tour · · Score: 1

    Depending on who you are, the cup is either half full or half empty.

    Many traditional Linux users don't have Windows boxes and don't care about SMB browsing and don't want ports open unnecessarily.

  8. Gtk+ WebCore on Nokia Develops a New Browser on Apple WebKit · · Score: 4, Informative

    Gtk+ WebCore seems to be made at Nokia.

  9. Hmm on The Evil in E-Mail · · Score: 1

    ... or to examine patterns that might indicate criminal activity - like several people e-mailing one person but not each other...

    Like <president@whitehouse.gov> for example?

  10. Re:What horseshit on A RAW repository, The Internet Archive and OpenRAW · · Score: 1

    I completely agree with that. Photographers need to become more aware that their raw photographs are proprietary and there may come a time when they won't work with new software which drops support for old formats, and nothing else can help them as the format is closed.

  11. Re:What horseshit on A RAW repository, The Internet Archive and OpenRAW · · Score: 1

    I know EXIF is a meta-data spec. I mentioned it as an image *related* file format. Btw, EXIF is not all metadata. It can embed a thumbnail which is JPEG-encoded raster image data.

  12. Re:What horseshit on A RAW repository, The Internet Archive and OpenRAW · · Score: 1

    Many image-related open formats offer private data areas, including TIFF, EXIF, SVG (it's not a raster format, but still an example of a graphics format which is extensible with custom private data). Even a format with support for comments can be exploited to store private data. If you take the analogy of other open documentation such as CPU manuals, chipset documentation, etc. no company tells you *everything*. They give you enough to work with and keep many undocumented features hidden.

    The point here is that the RAW specification is completely closed. If DNG specifies enough "open fields" to reasonably express most of the currently proprietary information in RAW files without resorting to private data, then that's good enough.

    The private area is a necessary feature for extensibility. In the future, there may be things which a camera manufacturer would want to express which is not currently stated in the DNG specification. The private area is good for that while a new version of the standard comes out and specifies it.

  13. Re:What horseshit on A RAW repository, The Internet Archive and OpenRAW · · Score: 2, Interesting

    The manufacturers are just opposed to working together to create some sort of standard.

    Adobe made an open format called digital negative... The camera manufacturers need to start adopting it.

  14. Re:Looks like Zeus to me on BBC News Under The Bonnet · · Score: 1

    I don't get Zeus for my servers though (which run Apache) when I go through my ISP (Nildram ADSL). I guess BBC use a mixture of Apache and Zeus in their farm then.

  15. Looks like Zeus to me on BBC News Under The Bonnet · · Score: 1

    Response Headers (from Firefox's Web developer toolbar) - http://news.bbc.co.uk/2/hi/uk_news/magazine/4606719.stm

    Date: Fri, 03 Jun 2005 19:20:12 GMT
    Server: Zeus/4.2
    Accept-Ranges: bytes
    Cache-Control: max-age=0
    Expires: Fri, 03 Jun 2005 19:20:12 GMT
    Keep-Alive: timeout=10, max=186
    Connection: Keep-Alive
    Transfer-Encoding: chunked
    Content-Type: text/html

    200 OK

  16. Fedora Core 4 on Debian Sarge Coming Soon · · Score: 3, Informative

    Fedora Core 4 is also scheduled for June 6.

  17. Obligatory on Blank Keyboard · · Score: 5, Funny

    Does it have the `any' key?

  18. Re:He misunderstands fsync() on Your Hard Drive Lies to You · · Score: 1

    A `synchronize cache' command is not going to help in the case of a journaling filesystem, as the order of block writes is lost when an on-disk cache is used. This means having to run the `synchronize cache' command each time something is written to disk, which is just as good as turning write cache off.

  19. Missing details to complete the perspective on PGP Moving To Stronger SHA Algorithms · · Score: 4, Insightful

    Adding to what you've said, if the crumbled SHA-1 wall is 4.9 cm (1.9 in) tall, our current average reach of scaling the wall is still a few nanometres.

    It appears as if that 4.9 cm wall is very scalable, but it still isn't easily scalable.

    Quoting Bruce Schneier's quote of what Jon Callas, PGP's CTO said: "It's time to walk, but not run, to the fire exits. You don't see smoke, but the fire alarms have gone off."

  20. Re:From now on on Red Hat & Centos On Name Usage · · Score: 0, Redundant

    It's funny how you swap Red and Hat around and you get "Hatred".

  21. The original article on Dark Matter Discovered · · Score: 0, Redundant

  22. Re:Nope, too little, too late. :) on Microsoft Opening Office XML Formats · · Score: 4, Informative

    FUD. It sometimes helps to read the linked pages.

    Q. The patent license associated with the Office 2003 XML Reference Schemas states that "Microsoft may have patents and/or patent applications that are necessary for you to license in order to make, sell, or distribute software programs that read or write files that comply with the Microsoft specifications for the Office Schemas." What does this statement mean and to what specific patents and/or patent applications does this statement relate?

    A. As an industry leader in the design and development of innovative computer technology, Microsoft has made a significant investment in research and development (R&D). With an annual budget of nearly $7 billion, Microsoft's R&D commitment is among the highest of the world's major technology providers, both on an absolute basis and as a percentage of sales. Like other major technology providers, Microsoft routinely applies to governments around the world to obtain patents on our inventions. A patent establishes ownership of an invention, enabling the patent owner to benefit commercially from investments in innovation. A patent is granted if government patent examiners conclude that an invention is a true innovation compared with existing technology. Microsoft has been awarded thousands of United States patents, and our worldwide portfolio continues to grow.

    Under the patent license for the Office 2003 XML Reference Schemas, Microsoft offers royalty-free rights both to its issued patents and patents that may be issued in the future as an outcome of the patent process. To learn more about Microsoft's intellectual property policy and to find links to government patent offices, we encourage you to learn more about Microsoft Intellectual Property at the Microsoft Web site.

    We have chosen a simple and straightforward licensing approach that should appeal to a wide variety of potential licensees because it broadly covers all applicable patents and patent applications instead of only those that are enumerated.

  23. Re:Premature flaming on Sun's Patent and Licensing Practices Examined · · Score: 1

    Bruce,

    If this is something you want to argue personally against me ("you said", "I said", "so you're absurd"), then I'll stop discussing this here. I did not compare Sun or IBM to the welfare system. Please read my initial post properly.

    I merely said that the software patent system is legal, just like the welfare system, even though I don't think highly of it.

    Mukund

  24. Re:Premature flaming on Sun's Patent and Licensing Practices Examined · · Score: 1

    I wouldn't compare Sun to a thug. That'd be calling FUD. I haven't read of a single case where they have litigated offensively on software patents. And after their experiences with issues such as the Kodak case recently, I don't think they'd not have a strong opinion towards software patents. They do some good stuff such as OpenOffice, their work on GNOME and portions of Apache's software. They have released several more projects and contributed to others under open source and non-free licenses.

    Unlike you and me, Sun is a publicly traded company, and so is IBM. IBM has only released a very, very small portion of their patents. They register tens of times more patents than this in a year. I'd like to see them open up their entire portfolio. *I'd like to see them stop registering software patents.* IBM actually has a well-renowned history of litigating on the offensive with patents. They have responsibilities towards their shareholders, who may not take it kindly to have what is accepted now as legal intellectual property given away for nothing. Note that I'm not calling X or Y company bad. What I'm trying to say is that change happens slowly. Sun is trying to open up to the community and yes, they need to do more, but it doesn't mean they are similar to thugs any more than any other company in their markets is.

    As far as the welfare system goes, I'm sure you are aware that there are several hundreds of cases where families have lots of children so that they get better revenue from benefits. Some parents don't even work to earn their living anymore as the welfare system lets them lead a comfortable life here in this country.

    I don't mind if my money goes towards assisting a person recover and build his/her life. And I'd like the person to work for it.

    Mukund

  25. Re:Premature flaming on Sun's Patent and Licensing Practices Examined · · Score: 2, Insightful

    Dear Bruce,

    We can live with other people having any copyright license they want for their own software. We simply won't touch that software if the license is unacceptable, and we will make sure everybody knows if the license is unacceptable.

    By your same argument, you can leave Sun and Microsoft alone and stick to using the software you like best. If you want the software patent system to be abolished, knocking Sun is not the right way to do it. Them releasing the patents to be used for CDDL (which I guess will become an OSI approved license) is a step forward from a company like Microsoft which doesn't release anything.

    Don't get me wrong, I don't support Sun or Microsoft, and I don't support the system of software patents either. I'm a software engineer and my freedom is everything to me. But you seem to have your lines confused and crossed when you criticise Sun about what they want to do with *their* property. You don't like the software patent system? Do something about it. Talk to your local government official. Support and form a group of patent defense. Talk to Richard Stallman about having revocation clauses in the GPL for those who sue on infringement. Free software is everywhere and a revocation clause would hurt.

    For right or wrong, the software patent system is entirely legal in many countries. I don't like the social welfare system in the country I live in for example. It takes away my tax dollars. But it is legal. If I want to break it, I don't go about telling my neighbours to hate that other neighbour who utilises the social welfare system. I do something to get the system abolished.

    Mukund