I say we play "Dark Side of the Moon" till things come back, or... baring that... go out... maybe meet some members of the opposite sex. Hopefully O'Reilly makes a book about that....
All I can say is WTF? "Evil"? How do you figure that? I might agree with "not the best idea" but not evil. It would be another thing if the guy was running a warez server or kiddie p0rn ring off someone else's machine. (or his own I suppose) RC5 doesn't really serve a whole of "personal gain" If GA state was not supportative of it, I would expect them to perhaps tell him to turn off the clients, and maybe slap him on the wrist. Justice loses a lot of its value when it is not applied with some reasonable proportion to the "crime."
Perhaps we should impose a stiff fine for trolling posts like yours?
Umm.... that solution is only as good as the holder of the keypair. What's to keep me from simply resigning the logs after the event occurs? Your idea isn't a bad one, but it requires the addition of a trusted thirdis ure digital timestamping. Interestingly, there are a few companies begininning to provide these services, but I suspect the cost of signing every message would be prohibitive. Even still, you have to tackle the question of how to trust the authenticity of the raw log entry. What's to keep me from faking an entire compromise by inserting addition bogus information into the logs?
Hmmm... I always thought Ham Radio guys were big dorks... but I suppose if I had a set... and slashdot had a set, maybe I won't have gone in to withdrawal convulsions this weekend.
Simply put, I don't want someone using a hashtable if they can't program one themselves. Higher level languages are great time savers, but learning is not always about shortcuts and portability. This is not to say Java shouldn't be taught, but that without a firm grounding, the tempation to program badly is very strong.
Why bother debugging a funny memory bug when you can just rewrite the code? Sure it's a quick fix, but there may be a more subtle point being missed. One of the most valuable experiences I had in college was when I was doing some math-intensive code, and could not make the algorithm work right. Many hours later, I dug down to the assembly, and discovered the compilier had made a mistake while optimizing. I wasn't programming in assembly, but it saved my ass to be able to read it.
Of course, I feel sympathy for the family of the young man, but I don't think enough information is provided in the article for the reader to draw any meaningful conclusions. Perhaps the school administrators were overly harsh, perhaps the young man was worried about reprecussions from his family, perhaps he was troubled by something completely unrelated.
I don't want to see this young man's actions reduced to a response to a single incident. The life of any 13 year old is fraught with many events which are so seemingly huge at the time. Try to remember how complex life is for a young teen, especially a bright one. A single article is not enough for any of us to gain signifigant insight into his motivations.
In the US, the Postal Service is completely funded by the sale of postage. (Not taxes, etc...) The revenue brought in by "bulk mailers" helps them keep afloat. (Though stamps keep creeping up a penny...)
My problem with spam is that there is NO compensation for resources consumed. Bandwidth costs, infrastructure costs, administration costs.
The spammer provides no support for these services.
I hate junk mail as much as the next guy, but at least it has some (slight) value.
The software industry is laden with executives who care more about making the time to market window shorter than producing a quality product. Since the turnover rate is so high, they "guilty parties" have moved on to selling the next vaporware product, leaving over-taxed development to follow through on the previous pipedream.
I'm sure the hardware industry would run the same way if the consequences weren't so great. If XYZ Corp puts out some crappy web - enabled - XML - Java - object - oriented turd, it hits the marker, flops, and dies quietly. If XYZ Corp is producing say, CPU's, they cost of failure could well destroy the company. Plus, there's a lot less "well, this is just the beta" stuff. The chip works (for the most part) or doesn't get released.
I suppose my point is that geeks are geeks, and we all have more bad ideas than good ones. In the software world, these ideas can see the light of day. In hardware, the bad ideas get weeded out early. Quite frankly, I think the management of the technical talent dictates the quality of the idea. And the truth is, most management will take the shortest path to getting paid. For hardware, the path is a little longer...
You know, I think that the TV folks who wanted to do an "Survivor" series involving a trip to MIR are missing a hell of a bet here. Just think... 12 people... one doomed space station... and all they have is this other zany./ idea to keep them alive in the end. Will they fall in love? Will they burn up over Siberia?
Heck, I'd even watch that one!
I'll be interested to see how this works out. Just today I took a break from work to run to the bookstore with a co-worker to pick up a few selected titles. (Programming related) We both completely agreed online reference/books are "Good Things"(tm) that we wouldn't be able to work without, the good books you buy. Period. He paid with his own money, even though our employer pays for work related books, because the importance of it being his copy was an issue for him.
I just bought an excellent SSL/TLS book on the basis of the chapters the author had graciously posted online. Those chapters helped me a lot, and even though I have ethernet to my bedroom, curling up with my laptop is only nice some (okay, okay most) of the time...
I think the argument could quite easily be extended to the dreaded MP3 format. Yes, I have several gig of mp3's, both at home and at work, but I also own several hundred CD's. (yeah, I've been meaning to convert them to Ogg...) The point is that if I like the mp3, more often than not, I'll buy the CD. As much as the online world is a part of my life, there is a feeling to having the physical media which isn't the same from a ripped or burned copy. A large number of CD's and books I own would never have even been considered if I couldn't try them online first.
Doncha think an interesting poll would be: "What percent of the MP3's you actually listen to do you own a 'real' copy of?"
Dude, smartcard's are like less than a buck each, and the readers aren't more than 10-15 dollars. Wanna see a cool toy to hack on? Go to CompUSA and look for this thing called "MyMousePad" or something like that... It cost around 15 bucks and basically is a mousepad with a smartcard reader used to store preferences for online locations. I think the concept is silly, but the hardware is interesting...
I should start by saying I am employed by a company designng PKI's, so I am a bit biased.:) I also don't play much in the way of OL games.
Anyway, doesn't this seem like the perfect application for a smartcard based PKI (Public Key Infrastructure) Think of the problems which could be solved:
1) No more lame password based authentication
2) Copy protection. (I know, I know... it's not something I like to admit, especially in these days an times of the CCA/MPAA...)
3) A nice toy/gimmack for the game.
I dunno, just a thought.
-T.
What's to keep me from making "virtual" devices and then having those write to the harddrive? I mean, couldn't I just use some truely ph3arsome CueCat style encryption (XOR) and screw the "copy bit?"
Then again, if you think I (or any one else) is going to pay good money for technology which is slower, then think again...
Does it sound plausible that if the drive has to find the copy bit, that simply "pre-encryption" of the input stream will FUBAR the algo? Plus, with my ph3arsome DVD style XOR encryption, they'll never prove I have all those stolen Backstreet Boy's CD's on my harddrive
I work writing code for one of the major players in the PKI space. Without mentioning any names, or making any plugs, I would advise you to think longand hard about what you are trying to accomplished with PKI and why.
A lot of the existing products on the market are more interested in domination of the market, and less on being the transparent (if elaborate) infrastructure PKI was designed to be. PKI should be as dependable and transparent as any of the other internet "specs" when done right. Of course, history has shown that nothing is ever that simple, just look at the wars being fought over Java or the ones over HTML (which have died down to some extent.)
PKI works well for those who are willing to suffer the pains of being an early adopter. Micro$oft and Netscape browsers don't parse certs the same. (Sadly, I have to admit that M$ is ahead in this area.) The major vendors often have interperated the specs just differently enough to make interoptability a major problem.
My advice is to find a product which fits your present needs, and seems to offer the flexibility to expand into the future. The flexibility is going to require a willingness to play nicely with others and to intergrate with existing apps. Stay away from total end-to-end solutions. You are not looking for a "structure" but an "infra-structure".
For all the complexity, PKI is likely to become much more wide spread due simply to the demand being placed on the internet by cooperations. IPSec and smart cards are becoming a reality, and the best way to manage those is PKI. The other benefit here is that with physical smart cards, private key theft is nearly impossible. (The only exploits I know of involve physical access, and LOTS of equipment beyond the reach of the average skript kiddie)
As PKI becomes more widely deployed, it's providers will be force to become more standardized or get out of the game. Just like with the Web, early adopters had a lot of headaches with different browsers HTML parsers, image formats, etc... but these days those issues have mostly been dealt with, and the early adopters now have a stronger business because of longer term involvement in the medium.
Well... agree with you on the surface, but how do you test an "engine" without building the "car"? Do you think there would have been such a push for the AES if folks like the EFF and Distributed.net hadn't begun to raise public doubt with their demonstations? Bruce Schneier sez in his excellent new book "Secrets and Lies: Digital Security in a Networked World" that no crypto can be said to be unbreakable, only that those who have tried have failed. When you reduce it to that level, the validity of the strength claims are only as good as the skills of the testers. I'd rather have the whole world testing than a handful of closed, and often profit oriented organizations. The "just trust us" approach to crypto has given us such gems as the CSS and A5 algorithms. (Which, for those of you in a networked cave, both failed under minor attack after being blessed as "secure")
In light of the absurd "Draft Cybercrime Treaty" brought to our attention by this article I'd love to hear Rijmem's take on the whole issue. How does the world expect to pull off other events like the AES challenge if researchers can't "hack/crack" without fear of legal repercussions?
I work for a major e-commerce company making crypto for banks and other paranoid people, and the single biggest thing with screams at me here is "inside job." What makes you think the perp was after the data? Why not the laptop for the hardware? The fire alarm went off the other dya at work, and I had 30 grand of hardware crypto cards lying on my desk. (FIPS level 4, PCI) The first thing I did was pile them in the secure file cabinet and lock it. No one wants these things cause they know what they are, they only want them because the "look cool." I worry much more about someone taking an unethical personal interest in the hardware, and "borrowing" them, than stealing it for secrets.
The other possibility is revenge. What better way to stick it to the boss? If someone took my laptop, the financial pain would be minor, but the loss of my kernel would hurt a lot. (Took forever to get PCMCIA just happy...)
Doesn't this seem like a great oppertunity for Linux (or any OS) in the embedded market? Suppose I have some critical and rather non-accessable chunk of hardware. (Satellite, remote weather station,...) Wouldn't it be cool if the hardware could detect the fault and "heal" itself?
Anyways, yhis is waaayyy to late to get read by anyone sane, (I have to admit that I only read the first 100 or so posts, so sorry if someone already had this idea)
As an employee of good ol' big blue (I love it by the way...) I will be very interested to see what this does for the internal legal standing. We have delightfully ambiguous policy about what programmers can and cannot do. (Examples: install linux at work, yes. Give it to co-workers, no. Fix bugs, yes, contribute the fixes to the tree, no.) More interesting will be the ramifications "cleanroom" policy. If I look at the source, I can't write code of the same nature for at least a year. The policy is standard for all outside software, Linux or otherwise.... Personally, I'm expecting good news, because in my experience so far, IBM has been very interested in "supporting" and contributing to Linux, and doesn't seem to be shy about giving it away...
I wish this guy all the best. The lack of ambitious engineering in the "geek" world is depressing. Even if this guy dies in flames, as long as he make a halfway good showing, it may encourage others to attempt other, (and prehaps less umm... terminal...) endeavours in the name of science. It's great to say we (speaking for the soft handed software geeks out there) are "engineers," but the sad truth is that more and more of us have barely enough mechanical aptitude to get the screws out of our cases. While Linus and ESR never directly risked life and limb, their undertakings were just as technically ambitiuous. Large ideas, and large results can start with the "pipe dreams" of one person, especially when geek culture bands together to support the undertaking. The creative thinking a large number of us apply to code and all other things digital could do wonders if we wouldn't limit ourselves to one and zeros.
'Course, I'm not exactly gonna sign up to beta test, and I hate to think of the "dumping core" joke possibilities here...;P
Slashdot Mirror
Umm... last I checked lynx does SSL just peachy...
I say we play "Dark Side of the Moon" till things come back, or... baring that... go out... maybe meet some members of the opposite sex. Hopefully O'Reilly makes a book about that....
And who exactly does one apply to for "building on the moon"? I mean, I know a crazy guy under a bridge who claims to own it... was he consulted?
Perhaps we should impose a stiff fine for trolling posts like yours?
Umm.... that solution is only as good as the holder of the keypair. What's to keep me from simply resigning the logs after the event occurs? Your idea isn't a bad one, but it requires the addition of a trusted thirdis ure digital timestamping. Interestingly, there are a few companies begininning to provide these services, but I suspect the cost of signing every message would be prohibitive. Even still, you have to tackle the question of how to trust the authenticity of the raw log entry. What's to keep me from faking an entire compromise by inserting addition bogus information into the logs?
Hmmm... I always thought Ham Radio guys were big dorks... but I suppose if I had a set... and slashdot had a set, maybe I won't have gone in to withdrawal convulsions this weekend.
Why bother debugging a funny memory bug when you can just rewrite the code? Sure it's a quick fix, but there may be a more subtle point being missed. One of the most valuable experiences I had in college was when I was doing some math-intensive code, and could not make the algorithm work right. Many hours later, I dug down to the assembly, and discovered the compilier had made a mistake while optimizing. I wasn't programming in assembly, but it saved my ass to be able to read it.
If you're gonna be an engineer, be an engineer.
I don't want to see this young man's actions reduced to a response to a single incident. The life of any 13 year old is fraught with many events which are so seemingly huge at the time. Try to remember how complex life is for a young teen, especially a bright one. A single article is not enough for any of us to gain signifigant insight into his motivations.
My problem with spam is that there is NO compensation for resources consumed. Bandwidth costs, infrastructure costs, administration costs.
The spammer provides no support for these services. I hate junk mail as much as the next guy, but at least it has some (slight) value.
The software industry is laden with executives who care more about making the time to market window shorter than producing a quality product. Since the turnover rate is so high, they "guilty parties" have moved on to selling the next vaporware product, leaving over-taxed development to follow through on the previous pipedream.
I'm sure the hardware industry would run the same way if the consequences weren't so great. If XYZ Corp puts out some crappy web - enabled - XML - Java - object - oriented turd, it hits the marker, flops, and dies quietly. If XYZ Corp is producing say, CPU's, they cost of failure could well destroy the company. Plus, there's a lot less "well, this is just the beta" stuff. The chip works (for the most part) or doesn't get released.
I suppose my point is that geeks are geeks, and we all have more bad ideas than good ones. In the software world, these ideas can see the light of day. In hardware, the bad ideas get weeded out early. Quite frankly, I think the management of the technical talent dictates the quality of the idea. And the truth is, most management will take the shortest path to getting paid. For hardware, the path is a little longer...
You know, I think that the TV folks who wanted to do an "Survivor" series involving a trip to MIR are missing a hell of a bet here. Just think... 12 people... one doomed space station... and all they have is this other zany ./ idea to keep them alive in the end. Will they fall in love? Will they burn up over Siberia?
Heck, I'd even watch that one!
I just bought an excellent SSL/TLS book on the basis of the chapters the author had graciously posted online. Those chapters helped me a lot, and even though I have ethernet to my bedroom, curling up with my laptop is only nice some (okay, okay most) of the time...
I think the argument could quite easily be extended to the dreaded MP3 format. Yes, I have several gig of mp3's, both at home and at work, but I also own several hundred CD's. (yeah, I've been meaning to convert them to Ogg...) The point is that if I like the mp3, more often than not, I'll buy the CD. As much as the online world is a part of my life, there is a feeling to having the physical media which isn't the same from a ripped or burned copy. A large number of CD's and books I own would never have even been considered if I couldn't try them online first.
Doncha think an interesting poll would be: "What percent of the MP3's you actually listen to do you own a 'real' copy of?"
Dude, smartcard's are like less than a buck each, and the readers aren't more than 10-15 dollars. Wanna see a cool toy to hack on? Go to CompUSA and look for this thing called "MyMousePad" or something like that... It cost around 15 bucks and basically is a mousepad with a smartcard reader used to store preferences for online locations. I think the concept is silly, but the hardware is interesting...
I should start by saying I am employed by a company designng PKI's, so I am a bit biased. :) I also don't play much in the way of OL games.
Anyway, doesn't this seem like the perfect application for a smartcard based PKI (Public Key Infrastructure) Think of the problems which could be solved:
1) No more lame password based authentication
2) Copy protection. (I know, I know... it's not something I like to admit, especially in these days an times of the CCA/MPAA...)
3) A nice toy /gimmack for the game.
I dunno, just a thought.
-T.
What's to keep me from making "virtual" devices and then having those write to the harddrive? I mean, couldn't I just use some truely ph3arsome CueCat style encryption (XOR) and screw the "copy bit?" Then again, if you think I (or any one else) is going to pay good money for technology which is slower, then think again...
Does it sound plausible that if the drive has to find the copy bit, that simply "pre-encryption" of the input stream will FUBAR the algo? Plus, with my ph3arsome DVD style XOR encryption, they'll never prove I have all those stolen Backstreet Boy's CD's on my harddrive
I work writing code for one of the major players in the PKI space. Without mentioning any names, or making any plugs, I would advise you to think longand hard about what you are trying to accomplished with PKI and why. A lot of the existing products on the market are more interested in domination of the market, and less on being the transparent (if elaborate) infrastructure PKI was designed to be. PKI should be as dependable and transparent as any of the other internet "specs" when done right. Of course, history has shown that nothing is ever that simple, just look at the wars being fought over Java or the ones over HTML (which have died down to some extent.) PKI works well for those who are willing to suffer the pains of being an early adopter. Micro$oft and Netscape browsers don't parse certs the same. (Sadly, I have to admit that M$ is ahead in this area.) The major vendors often have interperated the specs just differently enough to make interoptability a major problem. My advice is to find a product which fits your present needs, and seems to offer the flexibility to expand into the future. The flexibility is going to require a willingness to play nicely with others and to intergrate with existing apps. Stay away from total end-to-end solutions. You are not looking for a "structure" but an "infra-structure". For all the complexity, PKI is likely to become much more wide spread due simply to the demand being placed on the internet by cooperations. IPSec and smart cards are becoming a reality, and the best way to manage those is PKI. The other benefit here is that with physical smart cards, private key theft is nearly impossible. (The only exploits I know of involve physical access, and LOTS of equipment beyond the reach of the average skript kiddie) As PKI becomes more widely deployed, it's providers will be force to become more standardized or get out of the game. Just like with the Web, early adopters had a lot of headaches with different browsers HTML parsers, image formats, etc... but these days those issues have mostly been dealt with, and the early adopters now have a stronger business because of longer term involvement in the medium.
Well... agree with you on the surface, but how do you test an "engine" without building the "car"? Do you think there would have been such a push for the AES if folks like the EFF and Distributed.net hadn't begun to raise public doubt with their demonstations? Bruce Schneier sez in his excellent new book "Secrets and Lies: Digital Security in a Networked World" that no crypto can be said to be unbreakable, only that those who have tried have failed. When you reduce it to that level, the validity of the strength claims are only as good as the skills of the testers. I'd rather have the whole world testing than a handful of closed, and often profit oriented organizations. The "just trust us" approach to crypto has given us such gems as the CSS and A5 algorithms. (Which, for those of you in a networked cave, both failed under minor attack after being blessed as "secure")
In light of the absurd "Draft Cybercrime Treaty" brought to our attention by this article I'd love to hear Rijmem's take on the whole issue. How does the world expect to pull off other events like the AES challenge if researchers can't "hack/crack" without fear of legal repercussions?
I work for a major e-commerce company making crypto for banks and other paranoid people, and the single biggest thing with screams at me here is "inside job." What makes you think the perp was after the data? Why not the laptop for the hardware? The fire alarm went off the other dya at work, and I had 30 grand of hardware crypto cards lying on my desk. (FIPS level 4, PCI) The first thing I did was pile them in the secure file cabinet and lock it. No one wants these things cause they know what they are, they only want them because the "look cool." I worry much more about someone taking an unethical personal interest in the hardware, and "borrowing" them, than stealing it for secrets. The other possibility is revenge. What better way to stick it to the boss? If someone took my laptop, the financial pain would be minor, but the loss of my kernel would hurt a lot. (Took forever to get PCMCIA just happy...)
Doesn't this seem like a great oppertunity for Linux (or any OS) in the embedded market? Suppose I have some critical and rather non-accessable chunk of hardware. (Satellite, remote weather station, ...) Wouldn't it be cool if the hardware could detect the fault and "heal" itself?
Anyways, yhis is waaayyy to late to get read by anyone sane, (I have to admit that I only read the first 100 or so posts, so sorry if someone already had this idea)
As an employee of good ol' big blue (I love it by the way...) I will be very interested to see what this does for the internal legal standing. We have delightfully ambiguous policy about what programmers can and cannot do. (Examples: install linux at work, yes. Give it to co-workers, no. Fix bugs, yes, contribute the fixes to the tree, no.) More interesting will be the ramifications "cleanroom" policy. If I look at the source, I can't write code of the same nature for at least a year. The policy is standard for all outside software, Linux or otherwise.... Personally, I'm expecting good news, because in my experience so far, IBM has been very interested in "supporting" and contributing to Linux, and doesn't seem to be shy about giving it away...
I wish this guy all the best. The lack of ambitious engineering in the "geek" world is depressing. Even if this guy dies in flames, as long as he make a halfway good showing, it may encourage others to attempt other, (and prehaps less umm... terminal...) endeavours in the name of science. It's great to say we (speaking for the soft handed software geeks out there) are "engineers," but the sad truth is that more and more of us have barely enough mechanical aptitude to get the screws out of our cases. While Linus and ESR never directly risked life and limb, their undertakings were just as technically ambitiuous. Large ideas, and large results can start with the "pipe dreams" of one person, especially when geek culture bands together to support the undertaking. The creative thinking a large number of us apply to code and all other things digital could do wonders if we wouldn't limit ourselves to one and zeros.
;P
'Course, I'm not exactly gonna sign up to beta test, and I hate to think of the "dumping core" joke possibilities here...
I think the term "syntax error" is appropriate here.
You all buy into the statement:
"C#" == "C Sharp"
Whereas I'm much more convinced:
"C#" == "C Hash"
where "Sharp" == "Smart, intuitive, and/or clever"
and "Hash" == "Intelligence dulling drug"
You make the call!