What was broken was not encryption. It's a form of DRM which did not rely on encryption.
BD+ (the DRM component which they claimed would last for 10 years) is a virtual machine on which a disc can run arbitrary code. The disc can run this code to try to guess at the authenticity of the player in which it is being played. The idea is that if a player has been tampered with, it can be detected by the disc. It also means that as new attacks on players become possible, it's possible to update the checks that the disc uses BD+ to perform. If the player doesn't pass the check, the disc refuses to play.
Surprise, surprise, it was possible to reverse engineer the virtual machine, and now unauthorized players can run the code and tamper with the results.
So this is both a poor example of how fragile encryption can be (it's not encryption) and a bad example of keeping data from prying eyes (as the other guy pointed out, Blu-ray is designed to be viewed.)
Worse:
While the hacker can find an unencrypted version of a movie and more or less determine what the encryption should look like when decoded, your common text messages are not much different.
Known-plaintext attacks are an understood phenomenon, and encryption algorithms are designed to thwart them. Blu-ray encryption uses AES, which is believed to be secure from this sort of attack.
Most IT guys I've encountered are more interested in "keeping the network healthy" than actually letting people get work done.
Devil's advocate: if the network isn't healthy, then no one gets work done. If the conference room has too few ports, six people don't get work done.
But like I said, the proper solution is for support to support you. If they don't want you plugging in your equipment, they should have a solution that will let you do what needs to be done. Most of the time, that would mean putting a temporary managed switch in that room. If the IT guy isn't willing to do that, they're likely just on a power trip, and such behavior should be dealt with.
I worked in a lab when an "edict" occurred that only Windows PCs could be connected to the corporate network. A couple of dozen scientists put in purchase orders to replace old but functional equipment in the $100k to $10m price bracket with the justification "drivers only available for , need to upgrade equipment to get PC support" and fired them up the management chain, and someone saw sense very quickly.
That's pretty silly and arbitrary, but in a lab setting, you may be better off with a test network, anyway, like yours.
I was mostly talking about actual, reasonable measures, not measures that are in place because the admins can't figure out something if it doesn't connect to the AD.
I've never (ten years or so) had a local hardware issue extend into the host network. It seems to be fairly hard to do that if you're not an idiot
I guess you're not an idiot :)
Mostly, I'm talking about PHB-types that bring in a Linksys wireless router and plug one of its LAN ports into the building network. We also used to see issues where people bridge the company wireless network to the wired network, causing all sorts of issues, too.
There are a lot of good reasons to disallow non-managed network equipment. What if one of the devices behind that switch starts killing the network? The admin's only option is to disable that port, which kills everyone's connection, and then everyone will start bitching about it. What if someone brings in a router and plugs it in wrong? Now they're serving DHCP out to the building? People with unlimited IT budgets might say, "Get gear that kills unauthorized DHCP servers." People with limited IT budgets will get bitter and hostile at this point.
IT is there to support the users, but it's perfectly reasonable for IT to be the ones adding on to the network. Need more ports in the conference room? Let me put one of my switches in there.
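One way to turn the rogue-DHCP worry above into a concrete check, as an added example that is not from this thread: a Python script that scans DHCPOFFER log lines (a simplified, constructed line format is assumed here, not any particular server's) against an allowlist of the site's real DHCP servers and the site prefix, and reports every other offer together with the offering device's MAC. It is the after-the-fact, log-based version of what the "gear that kills unauthorized DHCP servers" (switch-side DHCP snooping) does on the wire.

```python
import ipaddress
import re

# Constructed, simplified log format (not any particular DHCP server's format):
# one line per DHCPOFFER seen on a monitor port, e.g.
#   2008-10-03 09:12:01 DHCPOFFER from 10.0.0.1 (00:11:22:33:44:55) offers 10.0.0.57 via eth0
OFFER_RE = re.compile(
    r"^(?P<ts>\S+ \S+) DHCPOFFER from (?P<server>\d+\.\d+\.\d+\.\d+) "
    r"\((?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\) "
    r"offers (?P<lease>\d+\.\d+\.\d+\.\d+) via (?P<iface>\S+)$",
    re.IGNORECASE,
)

# Constructed sample: 10.0.0.1 is the corporate server; the other two offers are the
# kind a consumer router plugged in via its LAN port, or a misconfigured box, produces.
SAMPLE_LOG = """\
2008-10-03 09:12:01 DHCPOFFER from 10.0.0.1 (00:11:22:33:44:55) offers 10.0.0.57 via eth0
2008-10-03 09:12:03 DHCPOFFER from 192.168.1.1 (00:1a:70:aa:bb:cc) offers 192.168.1.100 via eth0
2008-10-03 09:12:05 DHCPOFFER from 10.0.0.1 (00:11:22:33:44:55) offers 10.0.0.58 via eth0
2008-10-03 09:12:09 DHCPOFFER from 10.0.0.250 (00:1a:70:dd:ee:ff) offers 10.0.0.200 via eth0
this line is noise and must be skipped rather than crash the parser
"""


def find_rogue_offers(lines, authorized_servers, site_prefix):
    """Return one finding per DHCPOFFER that did not come from an authorized server
    or that hands out an address outside the site's prefix."""
    authorized = {ipaddress.ip_address(s) for s in authorized_servers}
    prefix = ipaddress.ip_network(site_prefix)
    findings = []
    for line in lines:
        match = OFFER_RE.match(line.strip())
        if not match:
            continue  # unrelated or malformed line
        server = ipaddress.ip_address(match["server"])
        lease = ipaddress.ip_address(match["lease"])
        reasons = []
        if server not in authorized:
            reasons.append("unauthorized server")
        if lease not in prefix:
            reasons.append("lease outside site prefix")
        if reasons:
            findings.append({
                "time": match["ts"],
                "server": str(server),
                "mac": match["mac"].lower(),
                "lease": str(lease),
                "iface": match["iface"],
                "reasons": reasons,
            })
    return findings


def offending_macs(findings):
    """Group findings by the offering device's MAC. That MAC is what the admin looks
    up in the switch's forwarding table to find the single port to shut, instead of
    disabling the uplink for the whole room."""
    by_mac = {}
    for finding in findings:
        by_mac.setdefault(finding["mac"], []).append(finding["server"])
    return by_mac


if __name__ == "__main__":
    rogue = find_rogue_offers(SAMPLE_LOG.splitlines(), ["10.0.0.1"], "10.0.0.0/24")
    for finding in rogue:
        print(finding["time"], finding["server"], finding["mac"], ", ".join(finding["reasons"]))
    print(offending_macs(rogue))
```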
No joke. When I first read the summary, my first thought was that this will finally shut the naysayers up about Google being evil. This is almost exactly the sort of thing for which people have criticized Microsoft.
I say "almost" because there are a few things yet to be seen:
Will Google actually release the changes?
Will Google call it OpenID?
Will the specification still be open for others to implement?
The big problem with Microsoft's EEE philosophy is from an interoperability standpoint. Reverse-engineering is difficult, and they know it. Even if Microsoft forked a protocol and added in their extensions for the purpose of ease-of-use, the fact that they didn't share the changes with the rest of the world made it look like a marketshare grab.
Forking a project is not, in general, a bad thing. What's bad is when something is forked and made proprietary. We'll have to watch Google closely on this one.
Did you know that you're welcome to reject tax rebates, and in addition, you're welcome to pay more in taxes than you owe? There's no reason for a person like you to be suffering that free money from your government. Feel free to hand it all right back.
It seems to me that most people, on this site and elsewhere, don't really believe in evidence, due process, or innocent until proven guilty. They think that suspects are guilty, period.
Unless it's a high school kid implicated in hacking, in which case he was just learning, and that's what schools are for, and it's the fault of the administrators for not securing the computer network.
When you suspect someone has committed a crime, and you need to violate their 4th amendment rights to prove it, we have this excellent system already set up to facilitate it.
Just a quick, but important nitpick.
It is never acceptable to violate a person's 4th amendment rights. The word "unreasonable" in the 4th amendment indicates that there can be reasonable searches, too. A reasonable search does not violate the 4th amendment rights of the individual, because the 4th amendment does not protect against reasonable searches. A search conducted with a warrant is reasonable, as are a few other types of searches.
What, it couldn't have been, "Let us all out of school early for the next week, or I'll post the contents of the file to Myspace?" You can profit anonymously in many, many ways. Terrorists try this tactic all the time.
And this fiber right here is exactly why it doesn't make sense to jump to conclusions. What sparse information we have is conflicting. Where does the profit motive come into play? Where's the profit in alerting the authorities when you find a hole like this? What do they mean by "used someone else's username and password?"
We don't know if the kid's being hung out to dry, or if this is an appropriate response to the actions taken. Yet all throughout the comments, you see people immediately assuming that the kid is being martyred.
I'm not even saying that the kid isn't. I'm just saying that we don't have any clue based upon the presented facts, so taking one side or the other is a bit like American politics--pick a side and pretend you're at a football match.
But any politician hearing about this unfair prosecution ought to update the "Good Samaritan Law" so it not only protects people trying to save injured persons, but also protects people trying to help schools/companies by revealing security flaws in their system.
That's one of the best ideas I've heard all day. Unfortunately, because politicians are about as dumb as a bag of bricks when it comes to computers, all they'll see is what the media shows them i.e. "Bad hacker got caught!"
I don't have a problem with the product specs themselves. For the price, they're fine. I have a problem with Dell absconding with the term in order to cash in on a hot item now. Then again, I think that size is probably the single most important aspect of the netbook. Because up until now, everyone's associated netbooks with the original EeePC and its clones, and this is a pretty big departure in the size department.
At the risk of sounding like a 1990s AOLer, me too.
And for most of the same reasons. Originally, I tried Gentoo out for the promise of more speed. Once I bought a new notebook, I realized that speed was not going to be an issue. I benchmarked Gentoo and Ubuntu, and found that the differences were negligible in most applications. I stuck with Gentoo for a while, using -Os instead of -O3, just because I was somewhat stubborn and already had the notebook set up. Finally, I think after the third or fourth day in a row of rebuilding Open Office, I realized what an absurd pattern I was getting into, and I scrapped the whole thing for Ubuntu.
The nice thing about Ubuntu, in my opinion, is that you can still configure and compile things to your specifications if you like. I always disable Beagle/Tracker. I tend to run my own kernel. I disable a lot of the useless startup scripts. It's very nearly as good as Gentoo, without the drawbacks.
What's wrong with that is that they're marketing based upon the new netbook moniker without providing a netbook. It's just the same as if they came out with a 12" notebook with 512MB RAM and a 1.6GHz Atom processor, and marketed it as a desktop replacement.
Technically, there's no specification for either of these two terms, so they can call it whatever they want. But they're going against de facto terminology within the industry.
I'm not sure what you mean by "inability to respond with sufficient force". We could have sent 10x as many soldiers to Afghanistan as we did, but the President and his aides were clueless. We could have sent a lot more troops to Iraq as well (although Iraq had nothing to do with 9/11), but again, clueless.
That would have been a horrible mistake. As it was, morale was pretty damned low from people having to serve multiple tours with very short breaks. I can't really imagine what would have happened if the majority of the military had been over there this long without time off. There might have been real desertion in the ranks and a pretty big shitstorm, and a draft almost certainly would have had to be instated.
That might have been a good thing, though. It's possible that it would have meant an overall shorter occupation, and with people forcibly going off to war, the dissent at home would have been enough to ensure that things were handled differently. In fact, I'm almost certain that a draft was avoided for exactly that reason.
I think the guy is doing something wrong. I use NoScript all the time, and I've whitelisted probably 3 sites permanently. The rest I whitelist on a case-by-case basis, as I'm concerned about XSS (and while NoScript claims to protect against XSS and CSRF, I don't like to take chances.) I have about 70 RSS feeds, many of which are blogs which point to external links, so yeah, I probably visit 100s of sites.
As you say, most work just fine without JavaScript. Those that do lose functionality, I often don't care about that functionality (Gawker sites require JavaScript to view any comments--but I don't care about comments on those sites.) A very few provide useful JavaScript, or were coded such that it's necessary, and I'll enable it on those for as long as I am using the site.
It's not cumbersome. It's trivial. The only problem is when a site loads script from many, many sources, and it may take a while to narrow down which site provides script for the functionality I need. Once I've figured that out, though, it's pretty easy to do again.
DRM prevents that recycling of music... in a new form
Example: "Under Pressure" by David Bowie and Queen had a resurgence on rock radio after the artistic abomination known as Vanilla Ice sampled it in "Ice, Ice, Baby".
Of course, what's most interesting is that David Bowie fought Vanilla Ice over the use of that sample after the fact. It's also probably a bad example because both David Bowie and Queen are popular enough to survive multiple formats, whereas smaller bands probably aren't. It's hard for me to decide who loses out more, though--the forgotten artist or the devoted fan who can't play their music anymore. As much as I sympathize with artists, I gotta go with the fan, 'cause they paid money to own a copy of the work, and then that copy was stolen from them by the DRM vendor.
By your reasoning, if I'm willing to pay for the paper and binding, I should be allowed to make my own copy of a book containing someone else's copyrighted work. Repeat after me: copyright, itself, promotes artificial scarcity. DRM is just a technological means of enforcing that scarcity.
That's not actually portable. Most non-Linux Unixes require the options to be first. But you can type rm /foo/bar and then ctrl-b back to the place where you need to type "-rf" and insert it there.
Fine, as long as you work my hours.
Of course. That's why we're support.
I've gotten up early to make changes, and I've stayed up late to make changes. It's part of the job.
To maintain anything resembling the current structure of government in the United States, and to make sure that the people making laws are clued in upon the subjects, we'd need to either:
a) Make all politicians have a clue on everything
b) Make politicians govern over fewer things, or
c) Add politicians to cover areas for which current politicians are not clued in.
I think you start hitting roadblocks when you try to explain the Internet (or anything sufficiently complicated) to people. I've seen really smart people try to explain networking to laypersons, and there's just this sort of glazing over that happens. This means that option a is out. Option b isn't too bad, but it's never going to happen. We're left with option c.
The problem is that statistical likelihood cannot disprove Evolution, and that's pretty much all ID's got.
Nice idea, but it would increase the number of politicians we have. Is that a good thing?
A few points.
1) Darwinism doesn't purport to explain the start of the universe.
2) Few things are considered proven in science. The general test to determine if a theory is scientific is whether or not a test can be devised which would disprove the theory. Evolution could be disproven. Intelligent design can never be disproven. Ergo, its status as a scientific theory is highly questionable.
3) Intelligent design goes way farther than the beginning of life on Earth or of the universe. One of the classic examples of an ID argument is that the eye is too complex to have evolved "randomly". That's pretty far removed from the issue of the beginning of life.
It's sad that so many people fall for the *AA's propaganda. You, of course, are absolutely right. I own a copy.