Rather naughtily replying to my own post, I should own up that on reflection even a time-limited key could presumably be circumvented by resetting the computer's date. That doesn't detract from the main point of my post, which is that publication of a passphrase on its own would never have been this much of a problem if private keys had been used and kept private.
I concur. I'm also not sure what's up with these assertions in the ABC article linked to from the post:
<quote>In a subsequent reply to the ABC, Wikileaks said, "It is false that the passphrase was temporary or was ever described as such. That is not how PGP files work. Ask any expert."
It's clear that security experts are indeed agreeing with this.</quote>
I don't claim to be an expert, but I'm pretty sure I can easily create a PGP key that is time-limited, which would render the Wikileaks position bogus. At least, GPG certainly supports such keys.
There's a deeper issue here, though. Possibly the system used here wasn't the public-private key encryption that I associate with PGP. I'm confused by what I've read so far. Either this case used private keys, in which case the bittorrent file could not be decrypted with the password alone (unless the private key was included in the download, which would be a totally brain-dead loss of security from the Wikileaks side), or it used a simple password-protection protocol which is always going to be inherently less secure. Whichever way I spin it, I can't get Wikileaks to not look pretty incompetent when it comes to security. Which is surprising, considering what they do.
They're not independent. They're all in the same unit, and so there is at the very least a time-of-assembly bias. So the best we can say is that *at some point* the QA has been flawed. We cannot extend that to larger time windows without further data.
All good points. I think your last point nicely introduces the difference between the real estate and stock markets which is often overlooked. "Casual" investors in the stock market typically take a long position and often don't risk any more sophisticated trading (I'm including myself in this category). However, at least in this country (UK) by far the commonest way to get onto the housing "ladder" is to take out a substantial mortgage. So in effect, most of the trades on the real estate market are heavily geared, which means I think negative equity is a much commoner problem in this market than margin calls are in the stock market. This could well be a significant counterargument to the crowd that frequently claims investing in housing is safer than the stock market. It turns out reality is (surprise, surprise) more complicated than that.
I realise you've already alluded to all of this, but I think it really bears spelling out in detail.
R does support fully user-defined types, inheritance and polymorphic methods. You just have to want to use them enough to dig through the multiple OO implementations available as part of the core. The commonly used systems, S3 and S4 objects, don't exactly play nicely together. I personally lean towards S4 since it seems much cleaner, but a lot of legacy code still uses S3 so it looks like there won't be a rationalisation of these two systems any time soon. The Bioconductor R modules generally (but not exclusively) use S4, so check those out for examples.
I think it's worth pointing out somewhere in this thread (and here seems pertinent) that there are many branches of science which have already confronted the question of data and software disclosure, and have generally come to the conclusion that if you want to publish you should disclose everything. My own branch, biology, has for many years been sharing sequence, protein structures, microarray and high-throughput sequencing data freely at the point of publication. 9 million data points are a drop in the ocean; I'm currently working on a dataset with 5 billion data points, and even that's small compared to the cutting edge. Now, I'm not going to pretend it's perfect, since it's up to the journals to police their data disclosure policies, but the point often missed is that in return for disclosing your hard-won data, you get access to everyone else's data as well. That alone makes it worth it, speeding up the process of scientific discovery which is, after all, what we're all about.
The climate research community badly needs to get itself an international data repository along the models of EMBL/Genbank, GEO/ArrayExpress, and PDB.
And yet, Twitter is still around and still relevant. Which shows that one can get away with taking these short-cuts and still achieve the ultimate aim of your project. I see people getting bogged down in the details of which software architecture/model to use all the time (never mind sort algorithms!), so much so that they lose sight of their objectives. What often happens is that someone (usually me) then does a quick end-run around them in <insert scripting language here> and we eventually move on. People wonder about the prevalence of dodgy scripts in the world today; I say this habit of programmers taking their eye off the ball is one of the reasons. Never underestimate the advantage of being first to market.
They say they have refined the manufacturing process and have learned from building this laptop how to mass produce a laptop that will sell for $98.00
So... "Sub-$100 Laptops Have Finally Arrived". And yet... they haven't. It'd be nice (although, apparently, unrealistic) to think that we've learnt by now not to give credence to vaporware. Color me unimpressed.
(like the UK now isn't going ahead with its ID scheme)
Um, yes it is. From October new passport applicants will be automatically entered on the National Identity Register. This is effectively the ID card scheme, without any of the "benefits" to you, the end user. All of the tracking with none of the crunchy empowerment of the citizen. The only people who won't be hit by this will be those who don't need a passport. Like my shiny new RFID-enabled one. What the hell happened to this country?
Interesting - I'd not considered this angle. Sounds plausible, though. Worth a further look, especially if this directory is under Apple's radar when it comes to automatically repairing permissions.
For the record, I'm pretty sure that the earliest thing I installed which would have used the /Library/StartupItems directory* would have been the Fink daemonic package.
*As in, not the /System/Library/StartupItems, as suggested below. I'm not quite that easily confused.
Users with admin rights do *not* need to login as root or to authenticate to install files in /Library/StartupItems. At the next boot, the script will be executed by root and your system is compromised without further notice.
Sorry, I can't just let this one go. As a nearby poster points out, the /Library/StartupItems directory is owned by root, and is not writable by the admin group. You would actually have to sudo or authenticate to create items in that directory (I have just confirmed this for myself).
This is on a machine running 10.3.5; I can't speak for earlier versions.
Good analogy. It's just that now we've got the kernel printed out in binary we can think about reverse engineering it back into an understandable programming language :-P
Of course, this should also give you some idea of the scale of the problem which remains...
Yup. The 3Dfx voodoo2 card (MicroConversions GameWizard) I installed in the mezzanine slot really extended the life of my computer. It's a shame Apple dropped it from the Rev.C onwards (IIRC). Maybe the company wouldn't have gone bust and we might even have had up-to-date drivers for it. Yeah, in my dreams...*sigh* :-P
Here's a tip: You can get all apps in OSX to generate crash info using the Console app. It's off by default, but you can set the Console app's prefs such that crash information is stored in ~/Library/Logs and is displayed automatically after a crash.
I'd have to concede, however, that this is hardly intuitive :-P
I think you're crediting people with far too much intelligence. History is littered with examples where the consumer has hurt him/herself by accepting an inferior, more expensive product based primarily on marketing hype.
sigh, feeling slightly more cynical than usual, today.
Might I recommend Yellow Dog Linux? Version 2.0 supported the 2001 iBook and is one of the most advanced Linux distros available for ppc (comparable to Slackware 8.0, IMHO; incidentally, I am not associated with this company)
I seem to recall that one set of comparisons tested MS Word 6 (or possibly 5, I don't remember too well) against the corresponding windows product, running under emulation on the mac. The windows product was supposedly faster in such tests.
I know a few people who like it because you can work on two documents side-by-side in a more streamlined fashion. Minor detail maybe, but the details are what apple has often excelled at.
It'd be nice if they fixed that DVD playback detail though...
How true. This story could just as easily be from Good Housekeeping as far as I'm concerned (uh, not that I'm a reader, you understand).
News for Nerds, Stuff that Matters indeed.
<token attempt at relevance>
WWW::Mechanize (or Selenium, depending on requirements) FTW.
</token attempt at relevance>
Old Slashdot would have had people chiming in with genuinely useful ideas, not this echo chamber.
Just to address the rules local to the UK, this government website shows that bicycledriving.org is not an entirely reliable authority, at least in this case:
http://www.direct.gov.uk/en/TravelAndTransport/Highwaycode/DG_069837
Note in particular the final sentence in rule 63.
The Independent picked up on this before Slashdot, and that's not unusual in my experience.
I don't agree.
Wow. That's so useful. Sign me up now. Is that like this new-fangled "parallel processing" or something?
Go on, mod me down :-P
-- Y.A. Punctuation Nazi
Ho hum.
I thoroughly agree. The terrorists must be loving this...