Slashdot Mirror


User: Otto

Otto's activity in the archive.

Stories
0
Comments
2,221
First seen
Last seen
Profile
(view on slashdot.org)

Comments · 2,221

  1. Re:Definitely a good idea. on MythTV Links Up with Program Guide Provider · · Score: 1

    Zap2it was a good mid-point, but not on par with Tivo's or Microsoft's offerings.

    Tivo gets their guide data from Tribune Media Services, who actually own and operate the zap2it service. So the data is basically the same, albeit I think their free offering was not as complete as the data they sell to companies like Tivo.

  2. Re:This sort of attitude is pretty common on Hyper-Threading, Linus Torvalds vs. Colin Percival · · Score: 5, Insightful

    Hence, this is an issue that affects me and my customers, and I seriously hope that a fix finds itself into either apache mod_ssl or the mainline Linux kernel PDQ.

    That's really what's up for debate here. Whether the patch should be in kernel-land or in user-space code (mod_ssl, in your example).

    The only realistic patch you could do in kernel-land is to simply disable HyperThreading. This works, but seems like a poor way to go. Any other form of patch in kernel-land just makes the attack harder and thus doesn't really work or it degrades performance way too much to be practical.

    But fixing it in userspace is somewhat easier to do, albeit you'd have to fix *every* user-space program that's susceptible to this sort of thing.

    Let's talk about the problem in general terms. When a program is doing some kind of computational stuff on something you want to remain secret, then it has to make some assumptions. Assumptions like the hardware is secure, or that it's not running on a virtual machine that's recording everything it does.. That sort of thing. You can come up with all kinds of ways to crack it like an egg if you work outside the box a bit and have total control of the machine it runs on.

    This problem is attacking one of those assumptions, namely that another process can't time the secret computations accurately enough to perform a timing attack. With HT, you have two things running on the same core, and so it is somewhat easier to do this sort of attack.

    So userspace programs that do secure computations have had one of their assumptions broken by HT. To remedy it, they need to rethink their assumptions. They need to ensure that they perform equal timings regardless of the computations being done and so on. This is not particularly simple, but it's probably not particularly hard either.

    Of course, the attack is still largely theoretical. All that's been shown is that it's "possible", not that it's "easy" or even that it is indeed "doable". For one thing, without having some kind of clue as to the algorithm involved or some idea of what to look for, all you get are a bunch of timings. You still need to do some things to trigger it at the right time and in the right way so as to be able to derive information from this channel.

    But crypto guys are paranoid like nobody else, and so they're naturally worried about this sort of thing. Mainly it's worrying to them because it's not a mathematical attack, which they're more used to. Modern crypto works based on theory and algorithms and such, and the idea that the algorithm being correct (for a given value of "correct") isn't enough to protect the security of the data is extremely worrying. A real world implementation of these algorithms now has to take some more real world facts into account, and this bothers them, of course.

    Linus is basically right here. The kernel is simply the wrong place to fix this. It doesn't ensure that processes cannot spy on other processes via subchannels like this, nor should it. If you're paranoid enough to think this is a real thing to guard against, then your secure code should take it into account. Existing code doesn't do that, and would need to be changed *even* if the kernel was patched. Because how do you know that your kernel has been patched? How do you know that you're not running on an HT processor? You can't know for sure, so you simply assume you are and take steps to make timing attacks fail. Because if you don't, you can't reasonably say that you've attempted to secure the code in this way.
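The remedy the comment above describes, making a secret-handling routine do the same amount of work whatever the secret's value, is illustrated below. This is an added example written for this archive page, not code from the thread or from the kernel or mod_ssl developers it discusses. The byte strings are constructed samples, the step counters are instrumentation added only to make the work difference visible, and Python itself gives no timing guarantees, so the structure rather than the measured time is the point; production code uses hmac.compare_digest as shown.

```python
"""Data-dependent versus constant-time comparison of secrets (added example)."""
import hmac
from typing import Tuple

# Constructed sample inputs: one near miss (last byte wrong) and one far miss
# (first byte wrong). Both are the same length as the secret.
SAMPLE_SECRET = b"correct horse battery staple"
NEAR_MISS = b"correct horse battery stapl!"
FAR_MISS = b"xorrect horse battery staple"


def naive_equal(expected: bytes, provided: bytes) -> Tuple[bool, int]:
    """Early-exit comparison: returns (equal, number of byte comparisons done).

    The count depends on where the first mismatch sits, so elapsed time tells
    a co-resident observer how many leading bytes of `provided` were right.
    """
    steps = 0
    if len(expected) != len(provided):
        return False, steps
    for x, y in zip(expected, provided):
        steps += 1
        if x != y:
            return False, steps
    return True, steps


def constant_time_equal(expected: bytes, provided: bytes) -> Tuple[bool, int]:
    """Comparison whose work depends only on len(expected).

    Every byte is XORed and OR-accumulated and the loop never exits early, so
    a near miss and a total mismatch cost exactly the same number of steps.
    A length mismatch is folded into the result instead of returned early.
    """
    length_ok = len(expected) == len(provided)
    # When lengths differ, walk the expected value against itself so the loop
    # still runs to completion; the result is forced to False afterwards.
    other = provided if length_ok else expected
    acc = 0
    steps = 0
    for x, y in zip(expected, other):
        steps += 1
        acc |= x ^ y
    return (acc == 0) and length_ok, steps


def stdlib_equal(expected: bytes, provided: bytes) -> bool:
    """What real code should call: the standard library's constant-time compare."""
    return hmac.compare_digest(expected, provided)


if __name__ == "__main__":
    for label, candidate in (("near miss", NEAR_MISS), ("far miss", FAR_MISS)):
        print(f"{label:9s} naive={naive_equal(SAMPLE_SECRET, candidate)} "
              f"constant={constant_time_equal(SAMPLE_SECRET, candidate)}")
```

Run stand-alone, the naive routine reports 28 comparisons for the near miss but only 1 for the far miss, while the constant-time routine reports 28 for both; that difference in work is the channel the thread is arguing about, and removing it is the user-space fix the comment calls for.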

  3. Because I am MENTOK, the mind-taker! on MS Calls On Kids to Stop Thought Thieves · · Score: 1

    We don't borrow, we don't rent, we don't steal, we don't lease, we TAKE the mind!

  4. Not a particularly new idea... on Using Email Networks as P2P Spam Filters · · Score: 3, Insightful

    This isn't a new idea... except that they propose to integrate it into the mail client and have everybody you've ever sent mail to or received mail from be a potential contact, weighted by frequency that you email them. That's a bit new, but not as effective as it seems.

    For one thing, it would block mailing list messages, which are messages that you probably do share with your contacts.

    For another, it does not consider that most spam has random keywords seeded into every copy sent, so those would have to be ignored somehow, which introduces a fuzzy match algorithm, which means the possibility of false matches exists, and since you're asking others (probably all using the same algorithm against their databases) you have increased the chances of a false match being found.

    In any case, collaborative networks already exist in a better form. Users mark messages as spam when they get them, a flag is created and sent to some central place that all users check against for matches. The algorithm for fuzzy matching resides in one place and is only used as an indicator in spam assassin in any case, not as the sole indicator.

    Large scale systems like Google's GMail can use people flagging messages as spam to filter similar enough messages from other users, sort of thing. I'm pretty sure they do something like this, in fact, as my GMail account has *never* made a mistake in its spam detection.

    And so forth. There's better ways than relying on a random query of your contacts to see what they think.

  5. Re:DRM on Yahoo Introduces Competitor for iTunes · · Score: 1

    You're simply misunderstood if you assume any of the music is yours to keep when you stop using Yahoo Music.

    And that's my point. It is not beyond reason for a customer to not expect his own hardware to automatically delete his music just because he hasn't let the damn thing call home in a while.

    I also do not see why Yahoo Music (based on Microsoft's WMP) would conflict with any Microsoft certified hardware in the future.

    I don't see why it would either. I do see, however, that these services simply do not work with non-Microsoft-Certified hardware. I can't build an interoperable device and neither can anybody else. You're locked into Microsoft with these services. Furthermore, you're locked into that service itself, since you lose your music if you switch to another service.

    Even if iTunes sold its music in mp3 format, you're still not supposed to give it to friends. You could, but the business model goes to hell when everyone can just buy it once and send it around to everyone (p2p).

    Oh? Boohoo. Too fucking bad. Find another business model that doesn't rely on artificial restrictions on what I can do with the music I paid for.

  6. Re:DRM on Yahoo Introduces Competitor for iTunes · · Score: 1

    I suppose you have major gripes with services such as netflix also then, right?

    Other than the inefficiency of using the postal service for movie rentals, not really, no. I'm not a Netflix customer, however.

    However, the comparison is more than a little stupid, as in one case you're getting a physical product, and in the other case you're not. The situation is fundamentally different. You don't "return" these songs from Yahoo/Napster/whoever, your software deletes them. Call me crazy, but I don't want my software doing things like deleting stuff without asking me.

  7. Re:DRM on Yahoo Introduces Competitor for iTunes · · Score: 5, Insightful

    As long as the consumer knows up front that Yahoo may change the price at any time, that continued subscription is required to keep what you've 'bought' (I don't know if this is even true for the Yahoo service), then what the hell is your problem? Just don't subscribe if you don't like those terms.

    I agree, however I feel it necessary to point out that they're not exactly advertising those terms real loudly, are they? I didn't notice the fine print on Napster ToGo's commercials that said "unsubscribing makes your portable player delete all the music you put on it by itself" or anything. I think that it's not widely understood, by the consumer, that the new "Plays For Sure" players will auto-expire your subscription music after some amount of time. It's not an obvious thing to expect to happen.

    Regarding copying for your friends.. that is not 'fair use'.

    I would argue otherwise, but even if it's not fair use, I would suggest that the Audio Home Recording Act of 1992 (section 1008) makes non-commercial use like this immune to civil actions alleging infringement of copyright. So while it may or may not be Fair Use, it's also not illegal to do.

    If a service doesn't let you (easily) copy music, that may be a drawback of the service, but it is not the human rights violation that some make it out to be. It's a condition of the music companies' license to the service.

    True, and I never said otherwise.

    The whole bit about MS deleting all your music? Please. Let's talk about reality. MS certified hardware? Hilarious. Why do you kooks always assume that 'Trusted Computing' is a given? Furthermore, why do you think that MS will deliberately piss off all of its customers?

    What? You think I'm making this shit up? It's made very clear in the Windows Media 10 SDKs. It's what the whole frickin' Janus DRM is about. It happens *right now* if you use Napster ToGo or this new Yahoo Music Service in combination with a "Plays For Sure" player device. It was *expressly designed* to do exactly that. This isn't paranoia, it's an honest statement of the facts of the matter.

    These services only work on MS Certified hardware. The "Plays For Sure" logo is the certification program Microsoft runs to certify any given player. Look it up! They're not even trying to hide this stuff. They make it a *selling point* of the Janus DRM for crying out loud.

  8. Re:A blinkered view from the ivory tower of UC Dav on Johnny Can So Program · · Score: 1

    When a mediocre programmer gets something "done" and their manager or peer reviewer picks it apart and they have to keep doing it until they get it right (or involve someone who can help get it right), that's taking longer.

    90% of the programming jobs out there don't have managers that can understand or indeed read code, much less actual peer review.

    In a perfect world, maybe, but the world is not perfect. Most code out there is not peer reviewed and barely tested.

    This is not the case in my current job (it's a much more professional shop than it used to be), but the previous few jobs I had this was the case.

    Furthermore, even *with* peer review, there's still doing it fast vs. doing it right, and a hell of a lot of the time the managers care more about fast than about right. Corners get cut.

    Anyway, assuming the same standards of code quality produced between the programmers we were discussing is entirely unwarranted, IMO.

  9. Re:A blinkered view from the ivory tower of UC Dav on Johnny Can So Program · · Score: 1

    No, always be the best. When you're the best you get the same job done but you get it done quicker.

    Clearly you're not a programmer. ;)

    The "best" guy will get it done in the right way. Doing it "right" means doing it with an eye for maintainability and making things simpler to do later. Usually this takes *longer* at the beginning. Often, much, much longer.

    Faster != better.

  10. Re:DRM on Yahoo Introduces Competitor for iTunes · · Score: 4, Informative

    I mean, let's say the average subscriber is 20, and keeps this service until they are 100. That's 80 years at 5 bucks a month, or around 5,000 dollars.

    This doesn't account for inflation over those 80 years, nor the price hike that happens about a year from now because Yahoo Music can't get enough subscribers to justify the low price of the service.

    Every time they add another 100 CDs to the library, it's like you got them for free.

    Yep, a whole $5 a month worth of free.

    Who cares if it's DRM'd, as long as you can listen to what you want when you want.

    Exactly! So what if you're forced to use Microsoft certified hardware and Microsoft certified software? So what if, when you decide to switch to another service, all your music, even the music on your portable device, gets automatically deleted thanks to the Microsoft Janus DRM? So what if you get tied into the service just to keep your existing music working, even though you don't usually listen to new music and download maybe only one or two new songs every month (like, in fact, most people over the age of 25 do according to the most recent polls)?

    The only major downside of DRM, if it's unobtrusive enough, is that you can't give away the music to others.

    Yeah. I mean, who needs to share their interests with their friends anyway?

    And while the music is lossy, 192k WMA is like 384k MP3 - which doesn't even exist, since 320k is the maximum quality (at least on any software I know of)

    a) 384 kbps MP3 does exist. It's called "freeformat" and MP3 can go up to 640 kbps.
    b) 192k WMA is closer to 160k MP3, if you're using the proper encoders (read: LAME).

  11. Subscription? Bah! on Yahoo Introduces Competitor for iTunes · · Score: 2, Interesting

    Let's see..

    -99 cents to own a song for, essentially, forever...
    -or $5 a month to rent it for, essentially, forever...

    I've got enough monthly bills without adding one more to the mix, thanks. I don't need WMA's music rental model, at any price.

  12. Re:A blinkered view from the ivory tower of UC Dav on Johnny Can So Program · · Score: 2, Informative

    From this I guess the author means that it's OK to be at the same level they were eight years ago. It doesn't matter that the American teams didn't improve at the same rate as the rest of the world. And in his statistical argument he ignores that although team numbers might have increased so did the number of American teams.

    While your statistical point is valid, your improvement one is not. He's saying that there's a large number of new entries, not that existing entries got better.

    OMG, it's not fair, they trained harder! Well hello! Is it cheating to produce programmers who can actually solve problems and write code? What exactly is coursework for if it isn't preparation for the kinds of problems you solve in programming contests? I've done a couple - it's the same thing, you just have to be faster and more accurate, compared to a programming assignment.

    If you've not participated in these types of challenges in specific, then it's hard to explain. These types of contests are based on the field in general, not on specific coursework that is commonplace. Doing coursework does help, but a more focused study on the contest and the types of problems in the contest does yield better results... in the contest itself. But it's just a contest, it bears very little relation to anything outside of itself. I've done several, and the contests should *not* be like your normal programming assignments. Different goals, different problems.

    I was a H1-B worker - I made great rates (thanks very much) and so did all the other H1-B's I know. It's convenient for Norm's flawed argument to repeat this myth, propagated by programmers who think they should have had my job because it was their birthright, not because they could have done it better.

    He has a point though, while H1-B workers do get paid well (it's a technical field, everybody gets paid well), on average they don't make as much as a non-H1-B worker. Simple statistical truth, that is.

    The way to compete is to be the best, there is no other way. ... At the end of the day it is usually pretty obvious whether they work or do not work. "Almost works" is not good enough for anyone

    You're right, and that's why "be the best" isn't a long term good strategy. While I agree that a good programmer can always get a job, I disagree that you need to be the best to do it. The best person doesn't always get the job. The guy who is good enough to "make it work" will get the job, and that guy is not necessarily the best at it.

  13. Re:Who is kidding whom, Hilary? on Hilary Rosen Gripes About iPod, iTMS · · Score: 1

    Sure, you could do that as well. But realistically, that's not very different from simply using ABR-like settings to produce a given average bitrate in the first place.

  14. Re:Who is kidding whom, Hilary? on Hilary Rosen Gripes About iPod, iTMS · · Score: 1

    Unfortunately, I haven't been able to find any such tests comparing quality-based encoding, because the bitrate can be unpredictable.

    You can't compare quality based encoding like that.

    You can either a) encode your samples at similar bitrates and compare relative quality, or you can b) encode the samples at the lowest quality level that achieves transparency in a double blind ABX and then compare bitrates.

    Method a) can be used in a mass scale sort of thing, where the relative qualities at similar bitrates from many people are averaged together sort of thing (although not really "averaged" as such).

    Method b) could be used in a mass way by averaging (okay, okay) the bitrates where transparency is considered to have been achieved.

    In practice, method a) is usually used because it's easier for a lot of people to perform the test. Basically you give them several samples of the same thing in different formats at similar bitrates and ask them to rank how they sound (without telling them which is which). Method b) would involve doing your own encoding or having it encode the same sample at several bitrates in several formats, and would be much longer to perform for each person.

  15. Re:Look closer... on Hilary Rosen Gripes About iPod, iTMS · · Score: 1

    I mean, the system isn't broken, so why fix it by opening up Fairplay? Where is the big gain? Maybe other stores would sell more iPods...

    You answered your own question. The big gain, for Apple, would be a wider base of music which could be leveraged into selling more iPods.

    I don't think people are calling for other stores to sell music with Fairplay DRM.

    Not in those words, no. But people are calling for more stores to sell music that can go on their iPods. Given that Fairplay is the only DRM the iPod supports, if the stores want to do that, they either a) need Fairplay or b) need to convince the labels that selling non-DRM'd music is okay. A is the choice that works.

    And to be frank, Fairplay DRM is about as light of a DRM as you can get. I'm not saying DRM is good, but given the alternatives of WM10 DRM vs. Fairplay, I know which one I can work with.

    Part of what Apple delivers is the "whole experience" which, I think, is a major selling point for them. How can the experience be improved by having walmart.com sell Fairplay DRM based music.

    The "whole experience" with using Apple products on the Windows platform is a pretty terrible one. Just this morning my iPod decided that it didn't like me anymore. Took me 4 hours to get the thing working again (had to format the iPod's drive and resync my music), and I'm somebody who knows how this stuff works.

    I mean, let's face facts. All of Apple's Windows products more or less suck. iTunes, Quicktime, all slow as hell and buggy on the Windows platform. Mainly because they ported them from the Mac, along with all the rest of the Mac GUI stuff that they could. It's not that they're bad products, they're just out of their native environment and kinda running in a semi-emulator. Adds a *lot* of overhead. From a usability perspective they don't fit in with the rest of the system either. Just bad all around.

    So Apple has a system that collectively sells about 70% of the music-players (maybe more) and 75% of online music. They currently don't have a pressing reason to open up their integration. Consumers aren't calling for it, and if they are, it's probably a minority.

    I would disagree with you on that one. The number one complaint I've heard with regards to new iPod users is that they can't buy their songs from Napster or other online music services. I've had to "crack" many a friend's online purchased music libraries and convert it to MP3 after they purchased an iPod.

    The recording industry is who really wants it broken up, they want to charge more per song.

    More stores means competition means lower prices. Walmart, Napster, all the online stores that use WMA currently are underselling iTMS on price. Wal-Mart is selling at 89 cents. Real was selling at 49 cents for a while.

    Lastly, iTunes hasn't been a big money-maker previously, but last quarter it was profitable. $200 million I think? Could be different. But it was profitable.

    If they can sustain that, more power to 'em. I'm not sure they can. And I certainly don't like the idea of one store getting all the exclusives like iTMS does. A lot of good albums by good bands have begun to go iTMS-only for their latest releases. I'm not particularly happy with that prospect.

  16. Re:Irony? Dripping with molten iron! on Hilary Rosen Gripes About iPod, iTMS · · Score: 1

    It does? Well, I don't use WMA, WMP or any other audio technology from them. That seems kind of dumb though - do you figure such a scheme is going to last for long in the land of Kazaa and eMule? Last I checked people can still vote with their wallets. If the device manufacturers jump on the bandwagon with Microsoft and do something like that I'm betting they're not going to sell a lot of devices, and that's ultimately what is going to kill it.

    Then again I suppose it's possible they'll go for it, in which case they'll get what they deserve. But that doesn't change the fact that Apple is hoisting a DRM scheme on them right now, and people have no problem with it because a) it works; and b) Shiny objects distract them.
    Microsoft's WM10 DRM is more insidious than that. They're planning ahead here. WM10 is basically a (reasonably well thought out) DRM for the future, sort of thing. It's a complete media system, not just audio, but video and all multimedia you can think of, basically.

    You might have seen some of these new shiny portable video devices with that "Plays For Sure" logo on them. You can get a Windows Media Center PC that will do basically everything a Tivo will do and more, and can transfer the video to your new shiny player device. All this works through the new WM10 methodology.

    Not a lot of this stuff implements DRM yet. It's a big sleeper in WM10. The goal is to get the WM format to be all-pervasive, to the point where it gets integrated into the home entertainment system. Then you can, say, buy a PPV movie and have it not only delete itself after a while, but have it delete itself on all the devices you've transferred the video to. The capability is there in WM10, it's just not being used much.

    Napster ToGo uses it for their system. That $15 a month all-you-can-hear thingy that also lets you transfer your music to a "Plays For Sure" player implements it. Stop paying for the service, and a month later all the music you had on your device is gone, without you doing a thing.

    Will it last long? I dunno. Depends on how pervasive Microsoft can make it. If they get it built into the head unit of your media rack, then that's pretty pervasive. What with the CableCard technology coming out, they're looking forward to being able to sell boxes that are basically XP Media Center devices. Plug the CableCard in from your cable company, and it just works. You can watch your recorded shows on all your PC's, even transfer them to that shiny portable player. And it's DRM'd all the way through.

  17. Re:Who is kidding whom, Hilary? on Hilary Rosen Gripes About iPod, iTMS · · Score: 1

    1. No, they couldn't, because they could not possibly license the music in an unprotected format. Ergo, they, and everybody else, are locked out of providing DRM music for the iPod.

    That didn't stop Real from actually doing it. Or haven't you noticed that Real's latest store can transfer DRM protected music to the iPod just fine?

    Point is that if they wanted to support Fairplay, they could work something out. But they don't want that. They're heavily invested in WMA, and the technology in WMA10 makes it really obvious that they're pushing for more restrictive DRM than Fairplay can do.

    Microsoft is looking long term on this one. The DRM in WM10 allows for all sorts of stuff. Examples:
    -Imagine a service that lets you download all the music you want and put it on your "Plays For Sure" compatible device, for $15 a month. But when you stop paying, that device will delete all the music on itself a month later. Take a closer look at Napster To-Go, that's exactly what it does.
    -Imagine a Tivo-like system where you could buy a PPV program, and it auto deleted itself after, say, a month. It would let you transfer it to a portable device, but the portable device had the same restrictions and would also delete the content automatically on that date. WM10 supports exactly this, and the "Plays For Sure" certification program ensures that the device implements these sorts of restrictions.

    2. Try doing a bit-for-bit comparison of WMA9 VBR quality-based encoding to other formats. You might be pleasantly surprised at the quality.

    Ogg and AAC both beat the crap out of WMA in the latest double blind tests I've seen. Check HydrogenAudio for the latest results though.

  18. Re:Look closer... on Hilary Rosen Gripes About iPod, iTMS · · Score: 1

    That's true, but Apple has consistently refused to license the AAC/Fairplay format, so walmart.com can't sell music with that DRM.

    Yep, you're right. Apple should have opened up Fairplay, or at least the iPod's DRM playback capability, a long time ago.

    The iTMS isn't making money, as I understand it. Basically a minor profit there. Their big money maker is the iPod, and if they leveraged the capabilities of it by allowing other stores to sell music for it, they could only do better.

  19. Re:Irony? Dripping with molten iron! on Hilary Rosen Gripes About iPod, iTMS · · Score: 4, Insightful

    Perhaps she's complaining because she doesn't follow the party line that permeates your world - namely that customer lock-in and DRM are bad only when they come from Microsoft or someone else, but A-OK when they come from Apple.

    No, it's bad coming from Apple too.

    I agree that Apple should open the iPod up a bit, to let others make DRM'd AAC's for the device without resorting to Real's Harmony approach.

    The problem here is that while Apple is promoting vendor lock-in a little bit, Microsoft, via walmart, napster, and all the other WMA stores, is promoting not only format lock-in, but the most hideous DRM ever conceived by mankind.

    If you want a portable music device that will delete your music by itself simply because you haven't connected it to a computer recently, then look into WMA10 and the "Plays For Sure" logo. Because that's what it does, and that's what it means. Go read the WMA10 SDKs, it's pretty clear once you get past the pretty diagrams.

  20. Re:Who is kidding whom, Hilary? on Hilary Rosen Gripes About iPod, iTMS · · Score: 1

    Of course, for certain definitions, if you get too popular...you are a monopoly. It's all about barrier to entry, or something, even when alternatives do already exist. One could thus make the claim that the iPod does have a monopoly on handheld mp3 players, and practices that would prevent others from entering the market (proprietary formats, etc) would be illegal. But now I'm contradicting myself in my own post, and living in a hypothetical world.

    True, but then you'd have to be controlling the format of say, 90% of the music stores out there.

    Even though Microsoft has maybe 5% of the music store sales (through walmart, napster, etc), they still have way more songs and clout and if they were really interested in supporting the iPod, they would. Apple hasn't opened up the FairPlay DRM scheme, which they should do (or at least stop bitching when somebody comes along and makes interoperable software like Real's Harmony), but if Microsoft wanted to push AAC instead of the shitty sounding WMA format, they could.

  21. Look closer... on Hilary Rosen Gripes About iPod, iTMS · · Score: 5, Informative

    You really must be blind not to see the idea behind this one.. She's pushing Microsoft WMA10 format. Simple as that.

    WMA 10 has some nifty little features with it:
    - Specifically designed such that *only* Microsoft approved devices can receive the music. They don't make the device themselves of course, they just sell licensing schemes.
    - What do you think that whole "Plays For Sure" certification is all about? It's about the most restrictive DRM ever developed. A "Plays For Sure" device is certified to be capable of ERASING your music, by itself, if you don't reenable it every so often by connecting it to your computer. How do you think the new Napster-To-Go actually works?

    She states it pretty clearly here, in fact:
    If you are really a geek, you can figure out how to strip the songs you might have bought from another on-line store of all identifying information so that they will go into the iPod.

    Exactly. You have to remove that violently horrible DRM in order for Microsoft's products to work on your iPod. Let's not forget that Microsoft WMA10 came out into a market where the iPod was king. They're not interested in compatibility, they're interested in owning the market by owning the format and controlling the devices and stores themselves that way.

    I admit that Apple has been a bit stupid with regards to compatibility. Specifically breaking Real's Harmony software should have been beneath them.

    However, if walmart.com wanted to sell AAC files, those AAC files would play on the iPod just fine. It plays un-DRM-encumbered music like nobody's business.

  22. Response on Security Fears Over Google Accelerator · · Score: 5, Informative

    The web accelerator ignores robots.txt.

    The web accelerator is not a robot, so this is correct behavior.

    The web accelerator ignores the NOARCHIVE meta.

    NOARCHIVE is a Google-specific extension to the robots.txt specification, and again, this is not a robot.

    I believe, but have yet to confirm, that it ignores any no-cache pragma headers.

    I'd be absolutely shocked if that were actually the case. I also believe it respects the Expires header as well as the Cache-Control header.

    It avoids prefetching anything with a question mark in the URL, but what about all those PATH_INFO dynamic links we've been installing for the last four years so that our dynamic pages look like static URLs? Google prefetches many of these, and there are numerous reports that this prefetching, along with some cookie mishandling by Google, is breaking sites out there. Does Google care?

    If they're following the proper standards, then it's not their place to care or not. If your website doesn't properly specify cache-control (many don't) then you get what you get.

    For any pages with user-specific content, add the "Cache-Control: private" header and voila, problem solved for you.

    If you want to opt out entirely, then a simple "Cache-Control: no-cache" header in your HTTP responses would do the trick, as would "Pragma: no-cache", I bet.

    Furthermore, there is no cookie-mishandling I've actually seen, and I've tested it. It passes cookies through just fine, without caching them, near as I can tell.

  23. Re:Some code to block GWA from application pages on Security Fears Over Google Accelerator · · Score: 1

    Or, simply adding:
    header("Cache-Control: private");
    will work to actually fix the problem on your dynamic PHP pages, without being so specific to GWA.

    If you want to actually block GWA your way, then simply blocking the given IP range it uses is a much better solution than relying on user level code to do it. Let the webserver handle it instead.
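Comments 22 and 23 both rest on the same mechanism: a shared caching proxy decides from the response headers whether a copy may be kept and served to other users, so a per-user page that says nothing gets shared, and "Cache-Control: private" keeps it out. The example below is added for this archive page and is not code from the thread, from Google or from any forum software; it models that decision and the header the fix adds. The header sets are constructed samples, and treating a response-side "Pragma: no-cache" as a revalidation hint is a conservative assumption of this example rather than a requirement of the HTTP caching rules.

```python
"""Shared-cache storability of HTTP responses (added example)."""
from typing import Dict


def parse_cache_control(value: str) -> Dict[str, str]:
    """Split 'private, max-age=0' into {'private': '', 'max-age': '0'}."""
    directives: Dict[str, str] = {}
    for part in value.split(","):
        part = part.strip()
        if not part:
            continue
        name, _, arg = part.partition("=")
        directives[name.strip().lower()] = arg.strip().strip('"')
    return directives


def shared_cache_decision(headers: Dict[str, str]) -> str:
    """What a shared cache (a web accelerator, a corporate proxy) may do with
    this response: 'do-not-store', 'store-but-revalidate' or 'store'."""
    h = {k.lower(): v for k, v in headers.items()}
    cc = parse_cache_control(h.get("cache-control", ""))
    if "no-store" in cc or "private" in cc:
        return "do-not-store"           # meant for one user's browser only
    if "no-cache" in cc or "no-cache" in h.get("pragma", "").lower():
        return "store-but-revalidate"   # may keep a copy, must ask the origin first
    return "store"                      # one shared copy may be served to anyone


def leaks_user_content(headers: Dict[str, str]) -> bool:
    """The forum-software bug the thread describes: the response is
    personalised (it sets a session cookie) yet gives a shared cache no
    reason not to hand the same body to the next visitor."""
    h = {k.lower(): v for k, v in headers.items()}
    return "set-cookie" in h and shared_cache_decision(headers) == "store"


def private_page_headers(content_type: str = "text/html") -> Dict[str, str]:
    """Headers a dynamic, per-user page should emit; the PHP one-liner in
    comment 23 sets exactly this Cache-Control value."""
    return {"Content-Type": content_type, "Cache-Control": "private"}


# Constructed sample responses (header names and values are illustrative).
BROKEN_FORUM = {"Content-Type": "text/html", "Set-Cookie": "session=abc123"}
FIXED_FORUM = {"Content-Type": "text/html", "Set-Cookie": "session=abc123",
               "Cache-Control": "private"}
OPT_OUT = {"Content-Type": "text/html", "Cache-Control": "no-cache"}
STATIC_ASSET = {"Content-Type": "image/png", "Cache-Control": "public, max-age=86400"}

if __name__ == "__main__":
    samples = [("broken forum", BROKEN_FORUM), ("fixed forum", FIXED_FORUM),
               ("opt-out", OPT_OUT), ("static asset", STATIC_ASSET)]
    for name, hdrs in samples:
        print(f"{name:13s} -> {shared_cache_decision(hdrs):22s} "
              f"leak risk: {leaks_user_content(hdrs)}")
```

The broken forum sample is the WWWBoard situation from comment 24: a shared cache is entitled to store it, so one user's logged-in page can be served to the next. Adding the single private directive flips the decision to do-not-store without touching any proxy-specific logic, which is why the thread prefers it to blocking one accelerator's address range.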

  24. No, it's not a proxy bug... on Security Fears Over Google Accelerator · · Score: 2, Interesting

    It's not a bug with the proxy software, it's a bug with those forums.

    Caching proxies have been around for several years now, and this is not a new problem. Any webmaster worth his salt should know about this, and any dynamic content (especially a piece of forum software) should know damn well to properly implement expiration dates and cache control directives.

    If the WWWBoard software at Futuremark was doing the right thing in the first place, this wouldn't be a problem. It's Futuremark's and WWWBoard's security bug, not GWA's or any other caching proxy's.

    The only reason people are bitching about this is because GWA is one of the first caching proxy systems out there to hit widespread use by people who've never used one before. The concept itself is not new by a long shot, and there are established guidelines to follow when you develop web software to deal with them. If you fail to follow these guidelines, then yeah, your site will break and you create a security risk like WWWBoard has clearly done. Upgrade/fix your forum software.

  25. So why show it at all then? on Mathematicians Become Hollywood Consultants · · Score: 2, Insightful

    The core problem with science/math in movies and TV shows is that reality is often too boring to make it on film.

    While true, the problem I have with this argument is that in the vast majority of cases of bad science/math on film/tv, the part that was so mind numbingly bad was not necessary in the first place.

    I mean, for the car exploding from a gunshot problem, you can justify it from an entertainment/action movie basis. But showing some dork cracking a password in 5 seconds or a common bank black and white security camera having seemingly infinite resolution, well, half the time the audience doesn't give a shit and it's not essential to the plot anyway. The end result (we got the guy's bank accounts from his computer or we were able to get the license plate of that speeding car from the video tape) is what the plot needs. The technical details of how you get it are wholly irrelevant. So why show the dude cracking the password? Why show the guy typing on a keyboard at random with nothing else on the screen but this image and magically "enhancing" the picture to get the license plate number?

    It's not a matter of bad writing. It's a matter of bad directing, it's a matter of bad production, and it's a sign of a filmmaker not knowing WTF makes a flick good in the first place.