First reactions are generally positive. Theo de Raadt comments, "Choice is good!!."
The name "BoringSSL."
I am finding extreme difficulty in liking this name choice. What was Google thinking? Am I alone?
It's not "What was Google thinking?", it's "What was Adam Langley thinking?". As for what he was thinking, it's pretty simple: Fundamental security components like SSL/TLS should be very, very boring. They're not a place for innovation and experimentation, they're not a place for clever code that demonstrates the author's virtuosity (assuming there is any such place, outside of Obfuscated C contests). They're not a place for exploration of how the C preprocessor can be used to automatically generate much of the codebase (which is something that OpenSSL has done). They're where you want very simple, straightforward, boring implementations of industry best practice algorithms and protocols.
When it comes to security, boring is good.
As Langley said in his blog post, the name is aspirational. But it is his goal, to produce a security library which is completely boring. And it's a good thing.
Of course you'll still need to lubricate and adjust the throttle, brake and clutch cables
A throttle cable? Why would you want a cable to move a potentiometer to adjust current flow? Just put the potentiometer on the handlebar and run a wire down to the engine. All solid state.
Brake cables... maybe, though they could be eliminated if you want.
Clutch cable? With an electric there's no need for a transmission, so no need for a clutch.
inspect/repair the brakes
Yes, although with regenerative braking there's a lot less wear on brake pads and discs.
inspect shock absorbers, inspect/replace front fork seals, inspect/add front fork oil
Yes, still need those, although why you wouldn't just go with permanently-sealed shocks I don't know.
adjust the chain (or belt, if it's a Harley)
It looks like this model still has a belt, but it could actually be eliminated and replaced with a hub motor.
lubricate steering head bearings, and go over all the critical fasteners
Yes, although with so many fewer moving parts there will be far fewer fasteners.
The only real difference is changing the oil and adjusting the valves.
Only if you insist on designing an electric bike to be identical to a gasoline-powered bike. But there's really no need to do that.
could you or someone else please explain how later public offerings don't dilute the ownership of the company amongst the existing shareholders?
Sure, it's very simple. It does dilute the ownership of the existing shareholders, but it also increases the value of the company, so it doesn't dilute the value of the shareholders' shares.
For the simplest possible case, suppose there is one share worth $1. The market cap is 1 X $1 = $1, and the single shareholder owns the whole company. Now suppose the company issues another share, sold for $1. The company was previously worth $1 and it still has whatever assets and opportunities that made it worth that, but now it also has an additional $1 in cash, so the total value of the company is $2. Likewise, there are now two investors, each holding one $1 share, so the market cap is 2 X $1 = $2. The original investor now only owns have the company, but his half is worth the same amount the original company was.
So companies can raise money by selling more shares whenever they like. As long as those shares are sold at market price, the value of shareholders' holdings is unchanged, even though their ownership is diluted.
An IPO is a one-time fundraiser that requires permanently surrendering control of your company to a bunch of greedy, short-sighted psychopaths who are only concerned with doing whatever it takes to pump up the stock price
It's not one-time (well, the INITIAL public offering is, but it doesn't preclude later public offerings), and it doesn't require surrendering control, though it is necessary to take some steps up front to retain control.
You can't - as I understand it - legally IPO to only those sharing your vision. You are going
to get pension funds and hedge funds and... purchasing slices of your company to diversify their
portfolios.
These may then not want you to go spending money on wild unprofitable in the next 10 years crap, but
to make next years dividend larger.
It's not quite that bad. It is possible to retain control; it just requires doing two things:
1. Retain voting majority. This has been done for well over a century by media companies (newspapers, originally) going public, and is what Google and Facebook did. You issue two classes of shares, one of which has dramatically more voting power than the other. The insiders keep the high-voting shares, the public buys the weaker ones. Set the numbers to ensure that the insiders retain a voting majority. Google has recently taken a further step to split it's low-power shares into low-power and no-power shares (actually a dividend paid out in a class of new shares), so that it can continue issuing new shares of the non-voting sort without further diluting the founders' majority. This is well-traveled ground.
2. Specify non-financial corporate goals in the prospectus and IPO materials, to make clear that accomplishing things like going to Mars are a higher priority than increasing shareholder value. This is necessary because otherwise it's assumed that the board and C-level execs have a fiduciary responsibility to maximize shareholder value, and can be sued for failing to do so. It's always hard to make such a suit work, because it requires proving that an alternative course of action was clearly and obviously better, but as long as the company is following the goals stated up front to prospective buyers of the stock they can have no case at all. They knew they were buying a space exploration company that might generate some profits, rather than a profit-generating company that might explore the solar system.
Non-profit corporate goals for a for-profit company is also well-traveled ground. Google's IPO made clear that search result integrity and nebulous forms of technological advancement in the area of information organization, as well as being a good corporate citizen, were as high a priority as profit. This allows the founders to exercise control without fear of lawsuits accusing them of not fulfilling their fiduciary responsibilities, since they can just say "Well, we told you money wasn't our only goal." There are lots of other examples. One very much on point is Tesla's prospectus, which made clear that advancing EV technology and helping to improve the environment are corporate goals, so Musk clearly knows exactly how this works.
However, going public does add all sorts of complications and overheads, even if you structure it to avoid giving away control. If SpaceX really needed the influx of capital they could get from an IPO, it would make sense to jump through the hoops. But they don't, so it doesn't.
With few exceptions, rewrites are a bad idea. They only make sense when you need to fundamentally change the architecture, and even then it's often better to refactor heavily. Almost without exception, whenever someone says "Oh, it'll be easier to start from scratch", they're wrong. I understand that the TrueCrypt codebase is something of a mess, but I'm still skeptical that a rewrite is actually a better choice.
However, if the copyright owner and the licenses already issued, don't allow it, then it is impossible. The question is, is he doing this because he really believes it, or because he's trying to throw up obstacles? It's hard to see how it could be the former, since even if he believes a rewrite is easier, others are offering to do the work.
If Yahoo's tech work force is really 35% female, that's astoundingly high, far higher than anywhere I've seen in my 25 years in the industry. More tellingly, it's about double the percentage of female CS grads, which says that Yahoo has managed to draw a far higher share of female software engineers than the average in the industry (Google's percentage of female engineers is in line with the CS graduate numbers).
I really don't think there's any sexism on the part of the companies here. I know Google is trying hard to recruit, hire retain and promote more women and minorities, and not just for the sake of political correctness (I work for Google). Google's numbers, as well as those from other studies around the industry, show that diverse teams are more effective, more creative and more efficient. Diversity has non-trivial value to the business, and the companies would like more.
For how long? A month? A week? A day? An hour? Duration is very important.
Wattage is a measure of power which is energy per time. Energy is measured in watt-hours (or joules, a joule being one watt second). The GP measured his unit at 0.9 watts in standby, which is presumably a constant draw rate. If you want to know how many watt-hours the unit uses per month, week, day or hour, do the multiplication. So in standby mode the GP's unit consumes 0.9 Wh per hour, 21.6 Wh per day, 151.2 Wh per week or 648 Wh per 30-day month. At a price of $0.11 per kWh (what I pay, your rate may vary), that's a cost per month of 7 cents, at standby. 63 cents per month if running continuously. The real cost would be somewhere in between.
If the ball is the primary subject, then they don't need players permission.
A judge is unlikely to buy that argument, unless there is something really unique and distinctive about their ball -- other than it being theirs, of course. Otherwise, the prosecutor will just argue that if you'd really been after a picture of a ball, you'd have used your own.
There is still the common misconception that having windows in your bedroom allows the guy across the street to record and broadcasting everything happening inside.
It depends on the jurisdiction, of course, but at least in the US if your curtains are open, and the window is positioned so that the interior of your bedroom is visible from the street, and close enough that no magnification is required, it's perfectly legal for the guy across the street to record and broadcast what is visible to the public. He can't use it commercially (essentially, in advertising) without a model release, and if it constitutes explicit pornography he has to have a release that also asserts that all of the "actors" are over 18.
Outside of that... yes, he can record and broadcast whatever is visible to the public, even if that happens to include your bedroom. If you don't like that, close your curtains.
Of course, using a quad-copter mounted camera gains visibility of areas which are not expected to be visible to the public, so this argument doesn't really bear on the case here. Or nude beaches.
I thought DES had been abandoned quite some time ago precisely because there were attack vectors aside from brute force, i.e.:
http://en.wikipedia.org/wiki/D...
No, DES was abandoned because brute force became practical. It's still not easy, mind you, but it is within the realm of feasibility for well-funded adversaries. Yes, differential and linear cryptanalysis allow attacks that are in theory a little faster than brute force, but they're actually less practical than brute force, and even the theoretical reduction in work is small enough that if they were practical they wouldn't be much cheaper than brute force.
DES is still essentially unbroken, 40 years after its invention. But the 56-bit keys required by the NSA are now too short to be secure. Triple DES, which is generally implemented using two 56-bit keys, for an aggregate 112-bit key length, is still considered to be quite secure. AES is a better choice at present not because it's noticeably more secure but because it's much faster.
Gold is no less pretend than anything else. With the exception of the tiny part of its value that derives from industrial applications, the value of gold is that people believe it has value, just the same as bitcoin, USD, EUR, etc. Note that even gold's value for making jewelry is all belief-based.
What, do they have to dig him up every few years and update the current value, or did they weigh him at death or at some other point? Basing a system of measure on a physical object is problematic.
Truecrypt has been the no.1 target for the NSA and GCHQ for the longest time now.
Cite?
I suspect that Truecrypt is secure, but we don't actually have any reason to believe that it doesn't contain one or more weaknesses that give the NSA ready access to Truecrypt volumes. And even if it is secure, we don't have any specific reason to believe it's their number one target.
It isn't that GPL isn't "worth" fighting, it is that you can't fight it, you can't challenge it.
Right. And that's the same situation that would hold with the patent license I'm guessing Tesla might issue. If you manage to get the license invalidated, you merely harm yourself since you now have no license to use the patents.
I did RTFA, and I didn't see a really clear statement. A clear statement would describe exactly what they're doing... releasing the patents to the public domain, issuing a general license, etc.
Rest assured, the second they perceive Google as a real threat, there will be a bevy of laws passed to obstruct this sort of deal. Just like they've already passed laws in 30 states banning municipal broadband.
I don't know of any challenges, but the principle in question seems nearly identical to the copyleft notion underlying the GPL -- a notion that went untested in court for a very long time because, basically, every attorney that looked at it decided it wasn't worth fighting. As for whether an assignee is obligated to honor the license, I can't see how they could possibly avoid it, particularly if the license states that it's irrevocable (excepting its exceptions). I'm not aware of any purchaser of a patent who has successfully argued that they can revoke a licensing commitment to a standards body, either. It seems to me that the precedent is rather firmly established.
First reactions are generally positive. Theo de Raadt comments, "Choice is good!!."
The name "BoringSSL."
I am finding extreme difficulty in liking this name choice. What was Google thinking? Am I alone?
It's not "What was Google thinking?", it's "What was Adam Langley thinking?". As for what he was thinking, it's pretty simple: Fundamental security components like SSL/TLS should be very, very boring. They're not a place for innovation and experimentation, they're not a place for clever code that demonstrates the author's virtuosity (assuming there is any such place, outside of Obfuscated C contests). They're not a place for exploration of how the C preprocessor can be used to automatically generate much of the codebase (which is something that OpenSSL has done). They're where you want very simple, straightforward, boring implementations of industry best practice algorithms and protocols.
When it comes to security, boring is good.
As Langley said in his blog post, the name is aspirational. But it is his goal, to produce a security library which is completely boring. And it's a good thing.
Provide a test suite along with the library. Users may or may not bother to run it, but at least then it's on them.
Of course you'll still need to lubricate and adjust the throttle, brake and clutch cables
A throttle cable? Why would you want a cable to move a potentiometer to adjust current flow? Just put the potentiometer on the handlebar and run a wire down to the engine. All solid state.
Brake cables... maybe, though they could be eliminated if you want.
Clutch cable? With an electric there's no need for a transmission, so no need for a clutch.
inspect/repair the brakes
Yes, although with regenerative braking there's a lot less wear on brake pads and discs.
inspect shock absorbers, inspect/replace front fork seals, inspect/add front fork oil
Yes, still need those, although why you wouldn't just go with permanently-sealed shocks I don't know.
adjust the chain (or belt, if it's a Harley)
It looks like this model still has a belt, but it could actually be eliminated and replaced with a hub motor.
lubricate steering head bearings, and go over all the critical fasteners
Yes, although with so many fewer moving parts there will be far fewer fasteners.
The only real difference is changing the oil and adjusting the valves.
Only if you insist on designing an electric bike to be identical to a gasoline-powered bike. But there's really no need to do that.
could you or someone else please explain how later public offerings don't dilute the ownership of the company amongst the existing shareholders?
Sure, it's very simple. It does dilute the ownership of the existing shareholders, but it also increases the value of the company, so it doesn't dilute the value of the shareholders' shares.
For the simplest possible case, suppose there is one share worth $1. The market cap is 1 X $1 = $1, and the single shareholder owns the whole company. Now suppose the company issues another share, sold for $1. The company was previously worth $1 and it still has whatever assets and opportunities that made it worth that, but now it also has an additional $1 in cash, so the total value of the company is $2. Likewise, there are now two investors, each holding one $1 share, so the market cap is 2 X $1 = $2. The original investor now only owns have the company, but his half is worth the same amount the original company was.
So companies can raise money by selling more shares whenever they like. As long as those shares are sold at market price, the value of shareholders' holdings is unchanged, even though their ownership is diluted.
I used to feel the same way, but over the decades experience has taught me otherwise.
An IPO is a one-time fundraiser that requires permanently surrendering control of your company to a bunch of greedy, short-sighted psychopaths who are only concerned with doing whatever it takes to pump up the stock price
It's not one-time (well, the INITIAL public offering is, but it doesn't preclude later public offerings), and it doesn't require surrendering control, though it is necessary to take some steps up front to retain control.
You can't - as I understand it - legally IPO to only those sharing your vision. You are going to get pension funds and hedge funds and ... purchasing slices of your company to diversify their
portfolios.
These may then not want you to go spending money on wild unprofitable in the next 10 years crap, but
to make next years dividend larger.
It's not quite that bad. It is possible to retain control; it just requires doing two things:
1. Retain voting majority. This has been done for well over a century by media companies (newspapers, originally) going public, and is what Google and Facebook did. You issue two classes of shares, one of which has dramatically more voting power than the other. The insiders keep the high-voting shares, the public buys the weaker ones. Set the numbers to ensure that the insiders retain a voting majority. Google has recently taken a further step to split it's low-power shares into low-power and no-power shares (actually a dividend paid out in a class of new shares), so that it can continue issuing new shares of the non-voting sort without further diluting the founders' majority. This is well-traveled ground.
2. Specify non-financial corporate goals in the prospectus and IPO materials, to make clear that accomplishing things like going to Mars are a higher priority than increasing shareholder value. This is necessary because otherwise it's assumed that the board and C-level execs have a fiduciary responsibility to maximize shareholder value, and can be sued for failing to do so. It's always hard to make such a suit work, because it requires proving that an alternative course of action was clearly and obviously better, but as long as the company is following the goals stated up front to prospective buyers of the stock they can have no case at all. They knew they were buying a space exploration company that might generate some profits, rather than a profit-generating company that might explore the solar system.
Non-profit corporate goals for a for-profit company is also well-traveled ground. Google's IPO made clear that search result integrity and nebulous forms of technological advancement in the area of information organization, as well as being a good corporate citizen, were as high a priority as profit. This allows the founders to exercise control without fear of lawsuits accusing them of not fulfilling their fiduciary responsibilities, since they can just say "Well, we told you money wasn't our only goal." There are lots of other examples. One very much on point is Tesla's prospectus, which made clear that advancing EV technology and helping to improve the environment are corporate goals, so Musk clearly knows exactly how this works.
However, going public does add all sorts of complications and overheads, even if you structure it to avoid giving away control. If SpaceX really needed the influx of capital they could get from an IPO, it would make sense to jump through the hoops. But they don't, so it doesn't.
With few exceptions, rewrites are a bad idea. They only make sense when you need to fundamentally change the architecture, and even then it's often better to refactor heavily. Almost without exception, whenever someone says "Oh, it'll be easier to start from scratch", they're wrong. I understand that the TrueCrypt codebase is something of a mess, but I'm still skeptical that a rewrite is actually a better choice.
However, if the copyright owner and the licenses already issued, don't allow it, then it is impossible. The question is, is he doing this because he really believes it, or because he's trying to throw up obstacles? It's hard to see how it could be the former, since even if he believes a rewrite is easier, others are offering to do the work.
This whole situation is bizarre.
If Yahoo's tech work force is really 35% female, that's astoundingly high, far higher than anywhere I've seen in my 25 years in the industry. More tellingly, it's about double the percentage of female CS grads, which says that Yahoo has managed to draw a far higher share of female software engineers than the average in the industry (Google's percentage of female engineers is in line with the CS graduate numbers).
I really don't think there's any sexism on the part of the companies here. I know Google is trying hard to recruit, hire retain and promote more women and minorities, and not just for the sake of political correctness (I work for Google). Google's numbers, as well as those from other studies around the industry, show that diverse teams are more effective, more creative and more efficient. Diversity has non-trivial value to the business, and the companies would like more.
For how long? A month? A week? A day? An hour? Duration is very important.
Wattage is a measure of power which is energy per time. Energy is measured in watt-hours (or joules, a joule being one watt second). The GP measured his unit at 0.9 watts in standby, which is presumably a constant draw rate. If you want to know how many watt-hours the unit uses per month, week, day or hour, do the multiplication. So in standby mode the GP's unit consumes 0.9 Wh per hour, 21.6 Wh per day, 151.2 Wh per week or 648 Wh per 30-day month. At a price of $0.11 per kWh (what I pay, your rate may vary), that's a cost per month of 7 cents, at standby. 63 cents per month if running continuously. The real cost would be somewhere in between.
There's a slight difference in that Google maintains physical offices and possibly datacenters in Canada.
Slight correction. Google has offices in Canada, but no data centers: http://www.google.com/about/da...
If the ball is the primary subject, then they don't need players permission.
A judge is unlikely to buy that argument, unless there is something really unique and distinctive about their ball -- other than it being theirs, of course. Otherwise, the prosecutor will just argue that if you'd really been after a picture of a ball, you'd have used your own.
There is still the common misconception that having windows in your bedroom allows the guy across the street to record and broadcasting everything happening inside.
It depends on the jurisdiction, of course, but at least in the US if your curtains are open, and the window is positioned so that the interior of your bedroom is visible from the street, and close enough that no magnification is required, it's perfectly legal for the guy across the street to record and broadcast what is visible to the public. He can't use it commercially (essentially, in advertising) without a model release, and if it constitutes explicit pornography he has to have a release that also asserts that all of the "actors" are over 18.
Outside of that... yes, he can record and broadcast whatever is visible to the public, even if that happens to include your bedroom. If you don't like that, close your curtains.
Of course, using a quad-copter mounted camera gains visibility of areas which are not expected to be visible to the public, so this argument doesn't really bear on the case here. Or nude beaches.
I thought DES had been abandoned quite some time ago precisely because there were attack vectors aside from brute force, i.e.: http://en.wikipedia.org/wiki/D...
No, DES was abandoned because brute force became practical. It's still not easy, mind you, but it is within the realm of feasibility for well-funded adversaries. Yes, differential and linear cryptanalysis allow attacks that are in theory a little faster than brute force, but they're actually less practical than brute force, and even the theoretical reduction in work is small enough that if they were practical they wouldn't be much cheaper than brute force.
DES is still essentially unbroken, 40 years after its invention. But the 56-bit keys required by the NSA are now too short to be secure. Triple DES, which is generally implemented using two 56-bit keys, for an aggregate 112-bit key length, is still considered to be quite secure. AES is a better choice at present not because it's noticeably more secure but because it's much faster.
Gold is no less pretend than anything else. With the exception of the tiny part of its value that derives from industrial applications, the value of gold is that people believe it has value, just the same as bitcoin, USD, EUR, etc. Note that even gold's value for making jewelry is all belief-based.
Actually the unit of weight is newtons
What, do they have to dig him up every few years and update the current value, or did they weigh him at death or at some other point? Basing a system of measure on a physical object is problematic.
Truecrypt has been the no.1 target for the NSA and GCHQ for the longest time now.
Cite?
I suspect that Truecrypt is secure, but we don't actually have any reason to believe that it doesn't contain one or more weaknesses that give the NSA ready access to Truecrypt volumes. And even if it is secure, we don't have any specific reason to believe it's their number one target.
It isn't that GPL isn't "worth" fighting, it is that you can't fight it, you can't challenge it.
Right. And that's the same situation that would hold with the patent license I'm guessing Tesla might issue. If you manage to get the license invalidated, you merely harm yourself since you now have no license to use the patents.
This was a blog post, not a legal document...
Agreed. I'm sure the legal document will be forthcoming.
I did RTFA, and I didn't see a really clear statement. A clear statement would describe exactly what they're doing... releasing the patents to the public domain, issuing a general license, etc.
Meh. I still think you're making a mountain out of a molehill.
Who needs to compete when you have lobbyists?
Rest assured, the second they perceive Google as a real threat, there will be a bevy of laws passed to obstruct this sort of deal. Just like they've already passed laws in 30 states banning municipal broadband.
Google has lobbyists, too.
I don't know of any challenges, but the principle in question seems nearly identical to the copyleft notion underlying the GPL -- a notion that went untested in court for a very long time because, basically, every attorney that looked at it decided it wasn't worth fighting. As for whether an assignee is obligated to honor the license, I can't see how they could possibly avoid it, particularly if the license states that it's irrevocable (excepting its exceptions). I'm not aware of any purchaser of a patent who has successfully argued that they can revoke a licensing commitment to a standards body, either. It seems to me that the precedent is rather firmly established.
Tell that to all the people who based their software off of Java, who used the API in good faith.
None of whom have been successfully sued. Oracle tried to sue Google, not based on using the API, but on re-implementing Java. And they lost.
I don't recall Rambus ever committing not to sue.