That's very... odd. Why would they require an on-line check to validate the signature? And why would there be a fee? The whole point of public key-based digital signatures is that you can publish the root public keys far and wide. Then anyone can validate the signature offline -- and it scales arbitrarily.
I'm not saying you're mistaken, but there's a piece missing here.
Couples who don't argue don't last. Well, crap, we're doomed.
Heh. Us too. Our 19th anniversary is coming up, and we've had maybe two or three discussions that qualify as an "argument" in all that time. Barely qualify.
Not that we don't get mad. But when we do, we go away, cool off and then talk it out later if it's important. Even that only happens a couple of times per year, and it's getting less common year by year.
What's important is not letting your anger fester. Personally, I just don't stay mad. My wife stays mad, but is good at cooling down enough to express her issues calmly, usually in writing. The key is for every couple to know themselves and their partners, and to work out the communication method that works for them.
I am not against DRM implemented properly (i.e. in such a way that it allows for legal exceptions like fair use, satire, copyright termination, companies going under, etc.). However, the chances of that happening are essentially zero.
It'll happen as soon as (a) the computer can read your mind to discover your intent/rationale, and (b) we can automate judicial-quality decisionmaking to determine whether or not your intended action falls within on of these necessarily-fuzzy categories.
Until then, DRM will necessarily be a poor approximation to the actual legal standard. And, of course, given that it's the content owners that usually build/buy the DRM, it will usually err on the side of excessive restriction.
Hash the card contents, encrypt the hash with a government private key, put that into the card as well, hand out the public key to every card reader, then when someone wants to read your card, he can scan the contents, have his machine hash them itself and decrypt the encrypted hash already in the card with the public key. If the two match, the card is authentic. In theory, this is unbreakable.
Actually, in theory it's as secure as the hash function and the public key cipher you use. That's not unbreakable in theory, but it's certainly unbreakable in practice.
And that is exactly what the UK National ID card does. You can copy the data, and modify the copy, but the signature won't check out, making the exercise pointless.
However in this case the article claims that they were able to clone the card AND modify the information in the cloned card, which is really the hack that those cards are trying to prevent.
I suspect that he modified the cloned data -- but could not, of course, produce a digital signature for the modified data, or a certificate for the "cloned" card's private key, so any attempt to use the cloned card with a legitimate reader would have failed.
If you'd RTFA, you'd see that he also changed a ton of information as well, and created a fake ID with the modified information; including a line that said, "I am a terrorist, please shoot me on sight."
IOW, there's no security, signing, encryption, anything at all
What he didn't do was verify that the modified data would be considered valid when examined by a government official.
Just because data is signed doesn't mean you can't change it. What it means is that if it is changed, the signature will no longer match the content, proving that the content has been modified.
Pffft, says who? Japan didn't even have the logistical means to occupy Hawaii. You think they had the wherewithal to invade and conquer mainland USA? Give me a fucking break.
Though the quote is apocryphal, Admiral Yamamoto's supposed utterance -- "You cannot invade mainland United States. There would be a rifle behind each blade of grass" -- is absolutely correct, at least for any level of forces that Japan could have brought to bear. The US was still largely rural in the 1940s, and outside of the cities every household had a rifle (or five), and knew how to use them, including the women and even children. There's simply no way Japan could have hoped to have any success at invading the US.
I'm pretty sure neither you nor the parent post actually know what orthagonal means.
Orthogonal vectors are "perpendicular". More precisely, their dot product is zero. Colloquially, this is mathematical concept is generalized to mean issues which exist on separate, non-interacting and independent axes.
Not knowing what a word means is not the same as disagreeing with the application of the word.
Yeah... the word has changed, which is what makes being pedantic about the original meaning (and the one you still get if you pull the pieces of the word apart) so much fun!
As someone who's worked for software companies, it's hard to imagine those companies GPLing their products, and easy to imagine the company losing half its profits or going under altogether if any company with an IT department could legally recompile the source code and use the software without payment.
You may be interested in what IBM is doing with its new Rational Team Concert suite. All of the software is open source commercial software. That means that the source is fully open, in that you can go download it right now and build it yourself, but if you want to use it legally you have to buy a license.
Basically, they're betting that company IT departments will not recompile the source code and use it without payment.
I'd say an "open" standard would mean that anyone could implement the standard without need to buy a license to implement all or part of it.
I'd say that's not enough to be "open". Try this:
Anyone can implement the standard for any purpose and allow the implementation to be redistributed and/or modified by anyone for any purpose without either requesting or buying a license and without requiring any downstream users, distributors or modifiers to request or buy a license.
That would make it GPL compatible, I think, and would be significantly more open than your description, which would still allow the patent holders to significantly restrict all usage, but without requiring payment, and to totally restrict some specific uses.
The term that people seem to be looking for is 'royalty free', which is orthogonal to 'open'. If a standard is open and royalty free then it can be implemented without problems by GPL'd software
Open and royalty-free are necessary but not sufficient conditions for use by GPL software.
There could be additional encumbrances on a patent other than royalties. A common one is that each user has to obtain permission from the patent holder. Even if this permission is easy to obtain and costs nothing, that would still be encumbered from the GPL's perspective because it would impose restrictions on those who receive the software.
Contrary to the GGP's opinion, while the GPL may not be the "be-all end-all" of openness it's a pretty damned good yardstick. If a license (copyright or patent) is compatible with the GPL, you know that it's open.
but if it is the tpm chip that does the check and calculates the hash, and not the bios, you can't modify the bios without alerting the tpm cihp.
The TPM is just a device sitting on an internal USB bus. It has no ability to somehow reach out and scan the BIOS, it only works with whatever information is fed to it.
The BIOS has to feed itself to the TPM, which means that a compromise of the BIOS screws you completely.
I suppose what we really need is a bit of pre-BIOS code which is stored in ROM and therefore unmodifiable. That code should do nothing other than start up the TPM and feed the BIOS to it.
If they left a vm yesterday, they should give it at least until Monday before publicly humiliating the guy. Being a few days late in answering voiemail isn't odd at all.
If you read the information at http://planet.centos.org/, it appears to be a little worse than that.
They say that Davis vanished from the project "some time in 2008". Given that we're more than halfway through 2009, that means he's been gone for the better part of a year, maybe more. Also, they've been asking for quite some time for him to provide a public accounting of the funds collected from contributions to CentOS, and Lance stopped answering their questions months ago. It sounds like they've recently gotten serious about trying to get some answers and discovered that he's completely inaccessible.
It may just be that he's gone on vacation, but given that he's been refusing to answer questions for months about what has happened to what is probably a fairly large amount of money, I think their concern isn't at all unreasonable.
If it's unclear what the code does, run it in a debugger and control the inputs. Step through the code line by line. If the debugger doesn't do everything you want, write a better debugger.
Is that right?
Here, I'll describe a program so simple it can be coded in under 100 lines, and can be fully specified in a few sentences, then ask you a question about its behavior. It should be easy, right?
There is a 100x100 grid of cells. Each cell is in one of two states "live" or "dead". Each cell has 8 neighbors, the cells horizontally, vertically and diagonally adjacent (the edges of the grid "wrap", so this is true even for edge cells). Each "generation", the state of the cells is updated according to the following rules:
Any live cell with fewer than two live neighbours becomes dead.
Any live cell with more than three live neighbours becomes dead.
Any dead cell with exactly three live neighbours becomes live.
All other cells remain unchanged.
That's it. Now, given an initial state of the grid, tell me what the state is after 100, 500 and 1000 generations. Further, tell me whether or not any patterns of live cells will survive across across generations. Will patterns repeat? Can patterns move? Interact?
Amazing complexity can arise from very simple rules. In this case (known as Conway's Game of Life, if you hadn't recognized it), the above rules contain enough power that if you make the grid infinite in size, the result is a Turing-complete computation system. In addition, the shifting patterns it creates are bewildering in their number, complexity and behavior.
Now scale that up to thousands of lines of code. Granted, not code specifically chosen to create interesting interactions, but still 2-3 orders of magnitude more complex. Further, code that itself lives in and interacts with a complex and varied ecosystem of other code, some of which is trying to detect the code and kill it -- so the code is written to be self-modifying, to "mutate" a bit, after a fashion. Also add in the ability to migrate between "ecosystems", reproduce, receive deliberate external updates and instructions, etc.
Simulation is the only way to get a handle on this sort of thing. And that's why the very smart people who designed and built the world's first million-machine simulator decided to do it.
because we all need to provide movie suggestions to our millions of users?
Because there are many, many organizations who can effectively use a high quality, freely-available automatic preference identification system. Some aspects of the winner are probably very specific to movies, but I'm sure most of the core, and the underlying ideas, are relevant to any sort of preference identification and clustering.
Okay... I'm no Microsoft fan by a long shot, but so what if they had been violating the GPL all this time before releasing the source code? I think that the important point is that they are doing so *NOW*... because, after all, isn't that the point of the GPL?
If there are no negative consequences to violating the GPL, companies can do it as a matter of course, and then only come into compliance when forced to. This hugely increases the burden on those enforcing the GPL, because as long as there's any value in non-compliance for a time, companies may as well not comply. That's why the FSF has begun demanding cash settlements and other punitive measures for violators.
Additionally, as other posters have noted, it appears that Microsoft is actually still *NOT* in compliance. Providing the source to the Linux kernel team is not sufficient per the terms of the GPL. Since MS is distributing binaries, the GPL requires them to either distribute the source with the binaries, or to accompany the binaries with an offer, valid for at least 3 years, to provide the source upon request. Also, MS must not impose additional licensing requirements beyond those of the GPL, but it seems they are imposing additional requirements which violates the GPL another way.
Strangely enough...I started out life having multiple LONG term relationships. In high school through college I had girlfriends for 5 years, 5 years and 3 years at a time.
Hehe. I've been married for 20 years. Five years doesn't seem like a long (much less LONG) relationship to me. In fact, I'd say that after five years my wife and I were just getting to really know one another.
That's very... odd. Why would they require an on-line check to validate the signature? And why would there be a fee? The whole point of public key-based digital signatures is that you can publish the root public keys far and wide. Then anyone can validate the signature offline -- and it scales arbitrarily.
I'm not saying you're mistaken, but there's a piece missing here.
Couples who don't argue don't last. Well, crap, we're doomed.
Heh. Us too. Our 19th anniversary is coming up, and we've had maybe two or three discussions that qualify as an "argument" in all that time. Barely qualify.
Not that we don't get mad. But when we do, we go away, cool off and then talk it out later if it's important. Even that only happens a couple of times per year, and it's getting less common year by year.
What's important is not letting your anger fester. Personally, I just don't stay mad. My wife stays mad, but is good at cooling down enough to express her issues calmly, usually in writing. The key is for every couple to know themselves and their partners, and to work out the communication method that works for them.
I am against DRM in its current form.
I am not against DRM implemented properly (i.e. in such a way that it allows for legal exceptions like fair use, satire, copyright termination, companies going under, etc.). However, the chances of that happening are essentially zero.
It'll happen as soon as (a) the computer can read your mind to discover your intent/rationale, and (b) we can automate judicial-quality decisionmaking to determine whether or not your intended action falls within on of these necessarily-fuzzy categories.
Until then, DRM will necessarily be a poor approximation to the actual legal standard. And, of course, given that it's the content owners that usually build/buy the DRM, it will usually err on the side of excessive restriction.
Hash the card contents, encrypt the hash with a government private key, put that into the card as well, hand out the public key to every card reader, then when someone wants to read your card, he can scan the contents, have his machine hash them itself and decrypt the encrypted hash already in the card with the public key. If the two match, the card is authentic. In theory, this is unbreakable.
Actually, in theory it's as secure as the hash function and the public key cipher you use. That's not unbreakable in theory, but it's certainly unbreakable in practice.
And that is exactly what the UK National ID card does. You can copy the data, and modify the copy, but the signature won't check out, making the exercise pointless.
I work in the smartcard industry
Me too.
However in this case the article claims that they were able to clone the card AND modify the information in the cloned card, which is really the hack that those cards are trying to prevent.
I suspect that he modified the cloned data -- but could not, of course, produce a digital signature for the modified data, or a certificate for the "cloned" card's private key, so any attempt to use the cloned card with a legitimate reader would have failed.
If it's digital, tampering is undetectable.
Not unless you figure out how to forge digital signatures.
So, no, it is actually pretty bloody scary, as they successfully changed the biometrics of the copy.
But did he successfully generate a new digital signature so that the modification would be undetectable?
If you'd RTFA, you'd see that he also changed a ton of information as well, and created a fake ID with the modified information; including a line that said, "I am a terrorist, please shoot me on sight."
IOW, there's no security, signing, encryption, anything at all
What he didn't do was verify that the modified data would be considered valid when examined by a government official.
Just because data is signed doesn't mean you can't change it. What it means is that if it is changed, the signature will no longer match the content, proving that the content has been modified.
Thats the point - there isn't one. Whether there should be one is another question.
So what's your answer to that question?
Pffft, says who? Japan didn't even have the logistical means to occupy Hawaii. You think they had the wherewithal to invade and conquer mainland USA? Give me a fucking break.
Though the quote is apocryphal, Admiral Yamamoto's supposed utterance -- "You cannot invade mainland United States. There would be a rifle behind each blade of grass" -- is absolutely correct, at least for any level of forces that Japan could have brought to bear. The US was still largely rural in the 1940s, and outside of the cities every household had a rifle (or five), and knew how to use them, including the women and even children. There's simply no way Japan could have hoped to have any success at invading the US.
I'm pretty sure neither you nor the parent post actually know what orthagonal means.
Orthogonal vectors are "perpendicular". More precisely, their dot product is zero. Colloquially, this is mathematical concept is generalized to mean issues which exist on separate, non-interacting and independent axes.
Not knowing what a word means is not the same as disagreeing with the application of the word.
Oh, and please not the correct spelling.
I consider GPL to be more restrictive than most of the commercial licenses I've had to deal with over the years.
Bwahahahahahaha!!!
You didn't actually read any of those commercial licenses, did you?
:-)
Yeah... the word has changed, which is what makes being pedantic about the original meaning (and the one you still get if you pull the pieces of the word apart) so much fun!
As someone who's worked for software companies, it's hard to imagine those companies GPLing their products, and easy to imagine the company losing half its profits or going under altogether if any company with an IT department could legally recompile the source code and use the software without payment.
You may be interested in what IBM is doing with its new Rational Team Concert suite. All of the software is open source commercial software. That means that the source is fully open, in that you can go download it right now and build it yourself, but if you want to use it legally you have to buy a license.
Basically, they're betting that company IT departments will not recompile the source code and use it without payment.
Their definition is all very well and good, but its not *the* definition.
What is *the* definition?
I'd say an "open" standard would mean that anyone could implement the standard without need to buy a license to implement all or part of it.
I'd say that's not enough to be "open". Try this:
Anyone can implement the standard for any purpose and allow the implementation to be redistributed and/or modified by anyone for any purpose without either requesting or buying a license and without requiring any downstream users, distributors or modifiers to request or buy a license.
That would make it GPL compatible, I think, and would be significantly more open than your description, which would still allow the patent holders to significantly restrict all usage, but without requiring payment, and to totally restrict some specific uses.
The term that people seem to be looking for is 'royalty free', which is orthogonal to 'open'. If a standard is open and royalty free then it can be implemented without problems by GPL'd software
Open and royalty-free are necessary but not sufficient conditions for use by GPL software.
There could be additional encumbrances on a patent other than royalties. A common one is that each user has to obtain permission from the patent holder. Even if this permission is easy to obtain and costs nothing, that would still be encumbered from the GPL's perspective because it would impose restrictions on those who receive the software.
Contrary to the GGP's opinion, while the GPL may not be the "be-all end-all" of openness it's a pretty damned good yardstick. If a license (copyright or patent) is compatible with the GPL, you know that it's open.
Because we're talking about repeated decimation, not extermination?
But wrong level 1.
Start with 100 people.
10 draw lots, are killed, 90 left.
9 (10% of 90) draw lots, are killed, 81 left.
8 (10% of 81) draw lots, are killed, 73 left.
7 draw lots, are killed, 66 left
7 draw lots, are killed, 59 left
6 draw lots, are killed, 53 left
5 draw lots, are killed, 48 left.
It took 7 rounds to get below 50.
but if it is the tpm chip that does the check and calculates the hash, and not the bios, you can't modify the bios without alerting the tpm cihp.
The TPM is just a device sitting on an internal USB bus. It has no ability to somehow reach out and scan the BIOS, it only works with whatever information is fed to it.
The BIOS has to feed itself to the TPM, which means that a compromise of the BIOS screws you completely.
I suppose what we really need is a bit of pre-BIOS code which is stored in ROM and therefore unmodifiable. That code should do nothing other than start up the TPM and feed the BIOS to it.
If they left a vm yesterday, they should give it at least until Monday before publicly humiliating the guy. Being a few days late in answering voiemail isn't odd at all.
If you read the information at http://planet.centos.org/, it appears to be a little worse than that.
They say that Davis vanished from the project "some time in 2008". Given that we're more than halfway through 2009, that means he's been gone for the better part of a year, maybe more. Also, they've been asking for quite some time for him to provide a public accounting of the funds collected from contributions to CentOS, and Lance stopped answering their questions months ago. It sounds like they've recently gotten serious about trying to get some answers and discovered that he's completely inaccessible.
It may just be that he's gone on vacation, but given that he's been refusing to answer questions for months about what has happened to what is probably a fairly large amount of money, I think their concern isn't at all unreasonable.
If it's unclear what the code does, run it in a debugger and control the inputs. Step through the code line by line. If the debugger doesn't do everything you want, write a better debugger.
Is that right?
Here, I'll describe a program so simple it can be coded in under 100 lines, and can be fully specified in a few sentences, then ask you a question about its behavior. It should be easy, right?
There is a 100x100 grid of cells. Each cell is in one of two states "live" or "dead". Each cell has 8 neighbors, the cells horizontally, vertically and diagonally adjacent (the edges of the grid "wrap", so this is true even for edge cells). Each "generation", the state of the cells is updated according to the following rules:
That's it. Now, given an initial state of the grid, tell me what the state is after 100, 500 and 1000 generations. Further, tell me whether or not any patterns of live cells will survive across across generations. Will patterns repeat? Can patterns move? Interact?
Amazing complexity can arise from very simple rules. In this case (known as Conway's Game of Life, if you hadn't recognized it), the above rules contain enough power that if you make the grid infinite in size, the result is a Turing-complete computation system. In addition, the shifting patterns it creates are bewildering in their number, complexity and behavior.
Now scale that up to thousands of lines of code. Granted, not code specifically chosen to create interesting interactions, but still 2-3 orders of magnitude more complex. Further, code that itself lives in and interacts with a complex and varied ecosystem of other code, some of which is trying to detect the code and kill it -- so the code is written to be self-modifying, to "mutate" a bit, after a fashion. Also add in the ability to migrate between "ecosystems", reproduce, receive deliberate external updates and instructions, etc.
Simulation is the only way to get a handle on this sort of thing. And that's why the very smart people who designed and built the world's first million-machine simulator decided to do it.
because we all need to provide movie suggestions to our millions of users?
Because there are many, many organizations who can effectively use a high quality, freely-available automatic preference identification system. Some aspects of the winner are probably very specific to movies, but I'm sure most of the core, and the underlying ideas, are relevant to any sort of preference identification and clustering.
Okay... I'm no Microsoft fan by a long shot, but so what if they had been violating the GPL all this time before releasing the source code? I think that the important point is that they are doing so *NOW*... because, after all, isn't that the point of the GPL?
If there are no negative consequences to violating the GPL, companies can do it as a matter of course, and then only come into compliance when forced to. This hugely increases the burden on those enforcing the GPL, because as long as there's any value in non-compliance for a time, companies may as well not comply. That's why the FSF has begun demanding cash settlements and other punitive measures for violators.
Additionally, as other posters have noted, it appears that Microsoft is actually still *NOT* in compliance. Providing the source to the Linux kernel team is not sufficient per the terms of the GPL. Since MS is distributing binaries, the GPL requires them to either distribute the source with the binaries, or to accompany the binaries with an offer, valid for at least 3 years, to provide the source upon request. Also, MS must not impose additional licensing requirements beyond those of the GPL, but it seems they are imposing additional requirements which violates the GPL another way.
Strangely enough...I started out life having multiple LONG term relationships. In high school through college I had girlfriends for 5 years, 5 years and 3 years at a time.
Hehe. I've been married for 20 years. Five years doesn't seem like a long (much less LONG) relationship to me. In fact, I'd say that after five years my wife and I were just getting to really know one another.
Different perspectives, I suppose.