Slashdot Mirror


User: KjetilK

KjetilK's activity in the archive.

Stories: 0
Comments: 1,482

Comments · 1,482

  1. Re:Perfectly demonstrates on Bush Website Blocked Outside N. America · · Score: 2, Insightful
    Yep, but contrast with the message from leading reformists of Iran. While you are right that Iran's clerics say it doesn't matter much (but I still read into that that they actually slightly prefer Bush), leading reformists say that Bush is a disaster. That should mean a lot.

    I highly recommend Hoder's blog about anything Iranian. He pretty much started blogging in Iran, and now there is a huge community of bloggers there.

  2. Re:The nightmare scenario for Open Source on Project Gutenberg Threatened Over PG Australia · · Score: 1

    OK, so would you care to explain your little theory that a government that doesn't care about copyright suddenly decides selectively to enforce an EULA and not GPL? Doesn't sound like a theory based on the real world to me.

  3. Re:The nightmare scenario for Open Source on Project Gutenberg Threatened Over PG Australia · · Score: 1

    You can't have a world without copyright, so what's the point of your comment?

    Sure you can. Copyright is a relic of the age where copying was hard and there was a scarcity in copies. We don't need that anymore, it doesn't help the economy. What we need is a right to get the money that is involved in a creative work, but that has to be very different from today's copyright.

    You do realize that the ultimate goal of the Free Software Movement is to get all software into the public domain? That once Free Software is as good as or better than proprietary counterparts, it will be very hard to argue for anyone that copyright has any function?

    Now, these are extremely radical ideas, and it will not happen overnight, nor is it desirable that it happens overnight. One needs to be pragmatic when working on day-to-day issues, and so copyright is needed for quite a long time to come. However, the statement that I quoted above is just closed-minded. I still insist that societies that lack copyright are a non-problem for free software.

  4. Re:The nightmare scenario for Open Source on Project Gutenberg Threatened Over PG Australia · · Score: 1

    Uhm, so, what makes you think that that country will respect a proprietary license? Or enforce laws against breaking into computers? You'd just hack that box and take your code back. Really, this is a non-issue. Fact is, free software would do extremely well in a world without copyright, it is the existence of copyright that makes it necessary to copyleft.

  5. Re:Stupid stupid stupid. on Project Gutenberg Threatened Over PG Australia · · Score: 3, Funny

    It is blocked from Norway. Besides, Netcraft confirms: GWBush is dying. ;-)

  6. Re:Automated PGP checks! on PostNuke Open Source CMS Attacked · · Score: 1
    Would it even have helped in this case? Wouldn't the attacker simply have signed the software with his own bogus key?

    In the case of distros, this has some more merit, since you probably got your initial copy of gpg from there, and the whole OS for that matter, and so, you might trust a keyring that is distributed with the distro.

    For a random package off the Internet, you don't have any such thing you can trust. That's why it is so important to build a good personal web-of-trust. I wrote a bit about that a couple of days ago.

    BTW, I worked on PostNuke for two months, almost 2.5 years ago. At that time, I felt the code was very, very bad. Could have been the PHPNuke legacy code, I don't know. Without being a good hacker, I think I saw common security issues too. It was one of the things that prompted me to dump PHP altogether and reinvent the wheel instead (see .sig! :-) ).

  7. Re:kerry voted for it... on Would John Kerry Defang the DMCA? · · Score: 2, Insightful

    Bush is so consistent that he is seen as inflexible by his detractors.

    No, he's not consistent. While talking about how important it is to get rid of dictators for the security of America, he's supporting some of the worst dictators on the planet, for example Islam Karimov [...] received a thank you letter from US President George Bush", and Bush received him in the oval office.

    This story is very similar to when Reagan sent Rumsfeld to Baghdad to assist Saddam Hussein in 1983/84.

  8. Re:... and then there was light on Greatest Equations Ever · · Score: 1

    Yeah, that's right! Funny, I'm actually wearing one of those t-shirts, but I didn't notice when I put it on this morning... :-)

  9. Re:Like t9 on Statistics For Data Entry: The Brave New Step · · Score: 1, Offtopic
    Not really. I use T9 daily to write SMSes, and Dasher now and then for the coolness of it. Dasher is in Debian and I would guess in many other distros. Just try it out to feel the difference.

    Dasher is something I would really like to have on a PDA and even a cellphone. T9 is just a simple aid to write a couple of hundred characters at most, but nothing that would help me writing longer texts.

    PDA-makers, hear this: You need to put a lot more effort into text-entry interfaces. Have a serious look at Dasher!

  10. Re:... and then there was light on Greatest Equations Ever · · Score: 1

    Heh, I have this on three different t-shirts... Guess that makes me a physics geek... :-) But it is much prettier in vector form, only four equations...

  11. Re:Cash on Brazil Successfully Launches Its First Rocket To Space · · Score: 1

    Not only that, they are also advocating sensible IP laws. If they can pull that through, and we are correct in suspecting that current IP laws stifle innovation, we can only enjoy the whooshing sound as they fly by.

  12. We need a stronger Web of Trust on Beware 'Fedora-Redhat' Fake Security Alert · · Score: 1

    Everyone checks the gpg signatures right?

    Well, sure, but... Can I trust what I'm seeing?

    Often, distros rely on that the keyring has been distributed by trusted means. That the keyring hasn't been compromised. But since for PGP to be useful in checking e-mail and stuff, people generally import lots of keys, so this is not the best thing to rely on.

    Anybody can generate a keypair "Red Hat Security " or whatever, and sign their trojan with that. Sure, gpg will report that the "update" is unmodified and signed by security@redhat.com. But since you do not know who security@redhat.com is, you can still be duped.

    We should be building a huge social network, a PGP-based web of trust (WOT), so that you can actually check if the guy who signed a package is trusted by you or someone else you trust. People need to generate keypairs, go to keysigning parties, take the opportunity to exchange signatures whenever one is out travelling, etc. Go get yourself registered as willing to sign.

    The next problem is to decide who you "ownertrust". To extend your WOT to people you haven't met, you assign an "ownertrust" to people, which says something about to what extent you trust them to correctly verify the identity of others.

    I think this is rather hard to do these days. I don't know enough people personally to know their key signing habits, if they keep their private key safe, and stuff like that. Such things are important to know if you are to ownertrust.

    I have thought about it a bit, and I think it would be nice if one could declare important aspects of one's policy in such a way people could easily find the policy when going through their keyring, to set ownertrusts.

    Say, one could for example use FOAF to say things like "I only sign people I meet face to face after carefully checking their photo IDs and having them respond to an encrypted e-mail" and "I keep my private key on a networked computer that I control", "my passphrase is a mangled 20+ letter string" etc.

    gpg --update-trustdb and similar tools could display these policies to the user and aid the user in making a more informed decision.

    The problem with this approach is of course that people can state a policy they don't follow, but the non-personal WOT is really built on signatures, so I don't think that is a problem.

    What do people think of this idea?

  13. Re:Lots of amazing stuff on Saving Huygens · · Score: 2, Interesting
    ...or reject proprietary designs altogether, so as to make the specs available to the whole organization. The problem here was that the subcontractor didn't want JPL folks to poke at it, since they were "competitors". But that also means that the JPL folks are peers, and if those peers were interested enough in the design, those peers would have performed a peer-review, which is a central tenet of science.

    The problem is that someone willing to sign an NDA is also in a situation where you cannot compete on the stuff you signed on. So, you cannot get peers to sign an NDA, that would kill their own career. You can get someone who may be top-notch in a different field, but they have not necessarily the specialisation needed to perform an exhaustive review.

  14. Copyright imbalance on Slashback: Indymedia, Starfighter, Mozparty · · Score: 2, Insightful
    Heh, well, I think your post illustrates how bad the imbalance with copyright law has become. Copyright law is supposed to be a balance between the public's right to freely participate in the cultural and scientific progresses of society, and the rights of the creators to be awarded for their contribution to said progress.

    Nowadays, if you a little too freely participate in said culture, you're a pirate, one who can be imprisoned, bankrupted and hung out to dry in public. If you on the other hand deny the public the most basic right to participate in democratic discourse and attempt to destroy democracy, well, you'll be fined with pocket change...

    When this latter behaviour is made criminal, then we can start talking about criminalising freeloading. Not before.

  15. My buy button is pretty simple on More on Neuroscience and Marketing · · Score: 1
    just give me all the information about the product. I tend to buy the stuff that I have the most information about. The most efficient marketeer to me is one who can give the most information in the shortest time.

    What I want is a database with what can be given in terms of objective information, third party reviews, etc. Then it is much easier for me to buy the product that is most suitable to me. When I can do that capitalism would work well.

    If they have to try subliminal messages on me to lure me into buying, it has to be because the product doesn't have any merits on its own, and I'm really not interested. Besides, the economy is finite, I can't see any good reasons for this...

  16. Re:Tested Konqueror on IE Shines On Broken Code · · Score: 1, Funny
    Hehe. My Debian compiled one:

    Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7) Gecko/20040917 Firefox/0.9.3

    ...did go down in flames....

    But I know it will rise from the flames like a, uh, fox!

  17. Re:One nice new thing in Firefox on "Phishing" Attacks to Increase · · Score: 1

    For assuming that we could unleash cool advanced new technology like internet commerce onto the general public without our having built-in safeguards against the criminal element who would use this new technology to prey on people.

    I didn't do it! It wasn't me, I swear! :-)

    Seriously, while I certainly (proudly) advocated web technology for banking, I never envisioned what the suits were going to do with it. I did warn about some phishing type scams in an e-mail to my bank around 1999, I think, long before I heard that it was actually done. Seemed like a natural extension of spammers' obfuscation techniques.

    Furthermore, I have told everyone who is willing to listen that the phishing scams of today are just the beginning: Just imagine if you can replace the browser of a few victims, or just add a root certificate. Say that an attacker controls the network between the bank and a customer of a company, and the network between the bank and this company. Customer places an order to company. Pays, but the payment is snapped up by the attacker. Attacker sends confirmation of payment to company, company sends goods. Everybody's happy, but in fact, company never got money. Unless they have in place a source of information that attacker doesn't control, they can't figure this out.

    I've been on the phone with my bank with this, trying desperately to realize how serious this is. I've written e-mails, and I tried to get the press to understand this. I have failed miserably, and I have made the scenario much more elaborate than above.

    Frankly, I think I have done what I can.... The suits simply don't want to listen on that ear. There is always "we'll take that when it happens", also after the fact. I've given them enough free consulting. I have had a bit more luck with the press, but on nothing controversial.

  18. Re:Extremely bad advice on Gmail Begins Signing Email with DomainKeys · · Score: 1

    Well, recently there was a nasty joe-job where they sent out a lot of spams "advertising" weapons with "how to become a terrorist". I bet the victim of that joe-job wasn't amused... That was a big one...

  19. Re:Extremely bad advice on Gmail Begins Signing Email with DomainKeys · · Score: 1
    Hehe, you're forgiven! :-) But it is a common misconception, so I felt it was worthwhile pointing it out bluntly.

    I agree that sharing info with others is important, and even that trying to submit false information to spammers may be worthwhile, but one should be careful so that the spammers can't track you down.

  20. Re:What's wrong with PGP? on Gmail Begins Signing Email with DomainKeys · · Score: 3, Interesting
    It is an interesting perspective, and I would truly like PGP to become more widespread, so that it is at least meaningful for me to implement a whitelist system (still not rejecting non-signed e-mail).

    I think your scalability point is going to prove important. I think it would be computationally rather expensive for the moment. My pubring has around 900 keys and the database is 12 MB. But then, it could become feasible in the future, as processing capacity does increase fast.

    However, the real thing here is that PGP does not help you verify identity directly. It helps you verify that a message was sent by "Foo Bar ", and that it has not been altered while in transmission. Still, there is additional effort involved in knowing who "Foo Bar " is. Sure, you may know someone called "Foo Bar", but you don't know that it isn't some spammer who generated this keypair with your friend Foo Bar's credentials to get through your filters. Unless you have signed this key.

    I don't think you will ever be able to sign all the keys of everyone who might legitimately send you e-mail, but you can build a web-of-trust based on PGP's concept of ownertrust, and I have put some effort into it myself, so I now trust roughly 1500 keys.

    Doing this is a largish undertaking, however, and I think that is the main reason why I really can't envision PGP being useful for combatting spam in the near future.

  21. Extremely bad advice on Gmail Begins Signing Email with DomainKeys · · Score: 5, Informative

    Have scripts that autorespond to any "from" that goes to any of the 4 dummy addresses, so as to waste spammers time with false positives.

    Do not ever do this! It is extremely bad advice.

    From addresses are almost always forged, usually there is just random junk in the From. Quite often there are valid addresses there, and your autoresponders will spam those innocent bystanders. They will be very thankful, you bet!

    Finally, it is not uncommon that spammers forge in anti-spammers who have successfully shut them down before in there. When I was still actively pursuing spammers, I had my addresses forged this way. I have had my share of moronic autoresponders. It is not fun at all. If you do this, you only contribute to the spam, and you bet that if you annoy a real anti-spammer enough, you will find your own connection to be a smoking hole faster than you can imagine.

    In fact, having autoresponders at all is not recommendable at all at this time. If you first accept an e-mail and then generate a bounce message, if the MAIL FROM was forged, that bounce will go to a random bystander, which is bad. If you use autoresponders, or generate bounce messages, you should be careful not to bounce at forged from addresses.

    Although it is a bit controversial still, you may configure your system to reject spam and viruses at SMTP time. Then you will not generate a bounce, a relay may, but then, hijacked relays usually don't either (I think there are good reasons for this). So, I am of the opinion that this is good practice.

    Autoresponders are Evil however.

  22. Re:he is actually Swedish... on Linus Interviewed · · Score: 1
    Huh? I'm Norwegian and I must admit I'm really confused about what you wrote...

    Norway ended up under Danish rule in the Middle Ages, and was pretty much at the mercy of the two regional "super-powers" Denmark and Sweden for much of our history.

    The details are complex, but the Swedes played an important role in defeating Napoleon in the battle of Leipzig, while Denmark was pretty much on Napoleon's side. In the middle of this Norway tried to declare independence, getting a constitution and so on. However, that's not what the superpowers had in mind. So, in 1814, Norway was ceded to Sweden. Norway continued to establish a local rule, and adopted parliamentarism in 1890. In 1905, the Norwegians tried again: Us: "we want independence", Swedish King: "No, you don't", Us: "Yes, we do!", Swedish King: "No, you don't", Us: "Shut up, you idiot!", Swedish King: "damn, who wants a pile of rock anyway". Independence was 1905-07-07, so not quite 100 years yet... At that time, Norway was probably the poorest country in Europe, so he thought he didn't lose a lot...

    So, Denmark and Sweden were never very friendly towards each other back in those days, but I can't understand where the idea that Sweden was a part of Denmark comes from, although some smaller regions have had funny borders... Nowadays we're all good friends, though.

    As for Finland, they have had some of the same history as we do, but they were caught between Sweden, Russia, and Germany, in fact...

  23. Statistics in .ve election on Obfuscated Vote Counting Contest · · Score: 1

    It would be interesting if contestants could defeat the statistical methods used to uncover fraud mentioned elsewhere on that blog.

    Have a look at what Ed Felten, Avi Rubin and Adam Stubblefield have to say about that.

  24. Re:Can they trust Rackspace anymore? on Indymedia Servers Given Back · · Score: 1

    Refuse to comply because they don't agree with the FBI/Swiss/Italians/whoever or think Indymedia is a really cool organization that shouldn't be interfered with?

    That would have been fanatical support, now, wouldn't it?

    Indymedia should sue for false advertising... ;-)

  25. Reporters Without Borders condemns the seizures on Indymedia Servers Given Back · · Score: 1

    Yep, Reporters Without Borders has condemned the seizures and has a story about their letter to Mr. Blunkett too.