Do you have any idea how much load encryption would add on server farms with as many hits as google or slashdot? The cost/benefit for the operators just doesn't justify it, especially if all it does is repatriate all future regulatory burdens upon themselves.
State your sources. Just where are you getting that 128-bit encryption actually uses 2 64-bit keys? How could you know that when the article doesn't even state WHICH algorithm is used on these devices?
Your claim is highly dubious; no common symmetric algorithms I know of use this method. Your talk of two primes indicates that you are confusing this with asymmetric crypto (RSA in this case). I think that you may lack the knowledge to actually discuss cryptography intelligently. (Inscription??? God I hope that was a spellcheck error...)
That's bull. SOX doesn't require all that, someone at your company just went overboard. The only thing SOX requires is some sort of change management that's auditable. There's no reason why you'd need to fill out a bunch of forms, just a ticket that says roughly what you're going to do, why you're doing it and how you'll back it out if needed, and a manager's approval for what you're doing. THAT'S IT! You should've been doing all of that anyway with proper project management.
Don't rail against SOX just 'cause your company implemented it wrong.
It's hard to get a firm answer on this, so I can't be sure, but as far as I know, SOX doesn't allow you to have a policy that doesn't include audit trails. Being fully auditable, at least as far as financial-related systems go, is one of the only firm requirements.
All of this is absolutely true, and they're all skills that you learn while earning a CS degree. While I agree that this is probably the type of hard math that the article was talking about, the sad reality is that most CS students will go on to become software engineers and never use any of these skills, as they will never program in any of the fields you mention. In fact, these are precisely the types of skills that require extra time to use, and are frowned upon in this RAD-oriented world.
Besides, I don't think these skills are what makes a good software engineer, you probably only need one person with these skills on a development team. Every software engineer worthy of the name that I've ever met was good at his/her job because of a completely different skillset.
> Actually, it is. Just like hardware stores put their spray paint under lock-and-key.
That's a funny stance... Dangerous materials/drug paraphernalia are controlled by the government as a society's choice. This situation is nothing like that.
This is more akin to an illegal drug dealer coming into the hardware store and threatening the manager because the available spray paint is cutting into his business as kids are getting a cheap buzz from it.
While I do agree that 3-5 years would be enough for most hardware, 3 years for all types of inventions would often not be enough to recoup the original development costs.
I don't particularly like patent law, or at least how it is applied nowadays, but I feel that allowing exclusivity for a window in which to recoup expenses is a worthwhile endeavor. I loathe pharmaceutical companies, but let's be frank: they can't even bring a product to market within three years, let alone recoup expenses; FDA approval takes much longer than that.
It might be better, once the product is release-ready, to give exclusive rights until expenses are recouped or production is abandoned, whichever comes first.
Believe me, if they are required to publicly disclose all breaches, the impact on their reputation and the cost of publishing the disclosure will be punishment enough.
What this law really needs (it may be included, I haven't checked) is a clause that slaps them hard if they choose NOT to disclose.
That statement can't possibly have applied to 95. IE wasn't fully integrated into the OS until IE4, which wasn't out when win95 OSR2 shipped. If you'll remember, upgrading IE to version 4 on win95 completely changed its behaviour. This might have been about 98, ME and 2000, maybe.
At this point, you and I are probably the two only people who will read this, but what the hell, this is the most well thought-out thread on this subject that I've read here in a long time.
> But if someone invents, oh, a car wheel that cannot be booted
Well, I doubt that such a design would be simple, so of course it would be patentable. An ordinary wheel, but 2mm wider than the next widest model, would be too obvious a design, and would not be patentable. Patent clerks seem better at judging this in physical things than in software implementations. Besides, patented or not, AFAIK, you can still legally reproduce it exactly for personal use. Why not music?
> It's just a simple application of the law of personal property.
Hard to imagine that an application could be simple when the law itself is anything but! Your argument would certainly be tenable in court, but I doubt that the issue is as clear-cut as you want to make it out to be. How can property law apply to something that isn't property? After all, you yourself say that the work contained on the CD is unownable. Is something nobody owns "property"?
> For example, let's say that there is a car parked on the street.
But the owner OWNS the car! The whole thing, including everything in it. (Barring perhaps the firmware on the computer, but that's a relatively recent development, so let's ignore that.) That's not a perfect metaphor. The closest parallel I can think of would be someone leaving something on your land, or renting out a part of your house. Those are examples of situations where you own the container, but not necessarily the content. Neither of those situations is a simple application of property law; both generated a slew of specific laws and regulations. I think the same is true of music on a medium, and the specific laws aren't there yet because the existing laws haven't REALLY been tested in court.
> And the only thing stopping you is that while ownership of a CD is sufficient to give you a right to do so, copyright can step in and block you.
Is it? I've never found any part of copyright law that specifically covers copying for personal use, and if it exists, I'd like to see it because I've been wondering where I really stand for a long time.
> The situation is more clear in the patent field.
Well yeah, but that's a completely different set of laws, and not really pertinent to a discussion about copyrights. Copyright law needs to be clarified to be as, no, MORE, clear-cut than patent law.
> Meh. I really don't have a problem with file sharing.
Well, I don't have a problem with it either, but that's more because of my dislike for the big corporations that own the copyrights. I still know that sharing (as in distributing, not downloading) is completely illegal under current copyright law, no revisions needed. And I believe that breaking the law has consequences. If one chooses to break a law that he feels is unjust, it may be right, but he must still face the consequences.
> Well, barring copyrights, patents, and trademarks pertaining to various parts of the car. For example, if you build a Ford from scratch, you can't actually put the Ford logo or name on it.
Well, that's a whole other issue. (Copyrights on parts of a car?!?) You can't pass them off as genuine Ford parts, but you can still make them. If the part is simple enough, the process of making it will be unpatentable, and you could even sell these generic parts. Note that I never said you paid for the rights to drive around in a Ford car, you just bought a car that happens to be a Ford. Barring any warranties (legally mandated or complimentary), Ford owes you nothing once you roll off the lot, and you owe them nothing either.
> The right to listen to the music within stems from the ownership of the plastic disc. Copyright does not include a right to listen to the music -- such a right can only possibly stem from owning the copy.
This right doesn't stem from copyright because copyright has nothing to do with it. Copyright is about the rights to distribute copies of a work. I'd like to see a legal text that states that the right stems from ownership of the media; I've never heard anyone other than the media companies make such a formal claim. I don't think anyone's ever established from where that right stems (other than de facto from the transfer of money from you to them) because up until now, no one has really had a worthwhile reason to.
It certainly never seemed obvious to me that the right is tied only to the medium; I think duplication for personal media transfer and backup purposes should be a legal right. If it is, your argument doesn't hold water anymore. If a court should ever side with me on this, you can bet that the media corporations will start stating that you only own the medium. If so, where will the right to listen to the music come from? They'll have to clear that up by licensing the content. I'm sure this will start happening eventually.
> Seriously, yes, the answer is absolutely known for sure, and it is 'no.'
That makes perfect sense, I certainly don't feel that it would be right for the answer to be 'yes'. Unfortunately, the law doesn't usually deal with common sense or righteousness anymore. You're the lawyer, and I may well be wrong here. But if there's jurisprudence to back up your claim, I'd very much like you to point me to it, because I've never seen any hard proof shown anywhere.
> No one other than people on /. and similar boards even thinks otherwise.
That may be because the type of people that hang out at these boards are more likely to think about these kinds of details. What the majority thinks doesn't often line up with the law of the land, unfortunately. Most people think in terms of what makes sense to them in a "right or wrong" kind of way, not what may actually be legal or illegal.
P.S. None of these things makes file sharing legal, or even right.
> Just because the car or copy becomes obsolete doesn't entitle you to a replacement.
Ah! Now that's an interesting point of view, but it's much more of a stretch. There's a BIG difference here. You see, when you buy a car, you didn't pay for the right to move around in a vehicle, you paid for the car, and you own it entirely; all of its parts and subcomponents are yours forever, to do as you please, including duplication. (As long as you didn't need to steal the original blueprints to do it.) If a car is scrapped, you can use any good parts remaining to build yourself a new car if you want.
A CD is different, you paid for the right to listen to the music contained within, that's undeniable. There's no way that you paid that price just for a plastic disc containing a thin metal film full of tiny holes.
Now, the big question is: "Does this distinction make your right eternal, do they owe you replacement media and media transfers for life?" The answer, AFAIK, is that nobody knows for sure, and that it's sure to change from jurisdiction to jurisdiction.
Re: "Ma Bell" should be called "Big Brother" instea (on Ma Bell is Back, Score: 1)
> This is generally the reason used to collect evidence from a motor vehicle. Since the likelihood of loss of evidence is very great (the car can just take off) they can use exigent circumstances to collect any evidence that was in plain view.
Actually, if memory (and the above referenced web page) serves, gathering evidence from a car after an arrest is specifically covered in the law, as is "plain sight". Neither of those need proof of exigent circumstances to apply. (Though I suspect these rules were added because the applicable situation often did represent an exigent circumstance.)
> ... if the vehicle was closed and locked, and no one was around who might enter the car and take off, they would likely need a search warrant...
Not only that, but if the show "Law & Order" is any reference (and I realize it often isn't, but in this case I think it is), the police aren't allowed to wait for you to enter your car to arrest you in order to search your car. Creating situations in order to utilise the allowances of the written law as loopholes is not permissible and results in exclusion of what would otherwise be perfectly admissible evidence if police had bothered with obtaining a warrant.
Re: "Ma Bell" should be called "Big Brother" instea (on Ma Bell is Back, Score: 1)
That last comment was intended for the grandparent. I knew you weren't the one panicking.
Cheers!
Re: "Ma Bell" should be called "Big Brother" instea (on Ma Bell is Back, Score: 1)
> The officer who claimed they didn't need a warrant was either grossly mistaken or lying through his teeth.
Not necessarily true. The rules as defined on the referenced website are those required for legal search and seizure. If they don't plan on seizing any evidence, they don't need to meet those requirements. Exigent circumstances do exist and are considered acceptable reasons for search, but not seizure.
As such, they can come in and look for a person in need of help, who may be in risk of life and limb. They cannot, while they are there, search for and seize evidence against you. (They may be able to do so if it is in plain sight, and related to the reason they were called to the site; that is debatable.)
Therefore, they cannot claim a false 911 call and use it as an excuse to enter and search your home for proof of another crime, or even to gather probable cause to get a warrant for such a suspected crime. They can use it to look for a person in need of help, but anything else they see may wind up being excluded as evidence in a case against you. They cannot use it for a so-called "fishing expedition" either, any thusly collected evidence will be excluded at trial.
No reason to panic, none of your fourth amendment rights were broken. (They couldn't be unless you were tried for a crime.)
> Why didn't zotob spread faster? I'll tell you why: NAT and RFC1918.
The worm (reportedly) only tries to spread to addresses with the same first 2 octets as the current machine. Even if it hit a machine through a static NATed public IP, once infected, it would detect only the private address of that host, and spread only within the company. It was poorly written to be able to spread quickly. It almost needs to be moved to another network manually! Witty went random, that's much smarter.
In fact, we're generally lucky that most virus writers are inept. Otherwise, we would have seen some MUCH WORSE infections already.
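The propagation rule described in the comment above ("same first two octets", i.e. the host's /16) is easy to reason about from the defender's side. The following Python is an added example, not code from the comment or from any worm: `scan_range_for` computes the /16 a host would sweep from its own interface address, `is_rfc1918` shows why a host that only sees a private address stays confined to private space, and `flag_local_scanners` is a toy detection over constructed flow records that flags a source touching many distinct neighbours in its own /16 on one port. The port (445) and the threshold are assumptions chosen for the sample, not values from the comment.

```python
import ipaddress
from collections import defaultdict

# RFC 1918 private address blocks.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def scan_range_for(host_ip: str) -> ipaddress.IPv4Network:
    """The /16 that a 'same first two octets' propagation routine would sweep
    from a host whose own interface address is host_ip."""
    return ipaddress.ip_network(f"{host_ip}/16", strict=False)


def is_rfc1918(net: ipaddress.IPv4Network) -> bool:
    """True when the whole /16 sits inside a private block, i.e. when every
    address the sweep could reach lies behind the same NAT boundary."""
    return any(net.subnet_of(p) for p in PRIVATE_NETS)


def build_sample_flows():
    """Constructed flow records (timestamp, src, dst, dst_port); not real traffic.
    One host sweeps 30 neighbours in its own /16, two hosts behave normally."""
    flows = []
    for i in range(1, 31):
        flows.append((f"12:00:{i:02d}", "10.4.7.22", f"10.4.0.{i}", 445))
    flows += [("12:01:00", "10.4.9.10", "10.4.0.5", 445),
              ("12:01:05", "10.4.9.10", "10.4.0.6", 445)]
    for i in range(1, 31):
        flows.append(("12:02:00", "10.4.9.11", f"203.0.113.{i}", 443))
    return flows


def flag_local_scanners(flows, port=445, threshold=20):
    """Sources that contacted more than `threshold` distinct hosts inside their
    own /16 on `port`. Port and threshold are assumed sample values."""
    seen = defaultdict(set)
    for _ts, src, dst, dport in flows:
        if dport == port and ipaddress.ip_address(dst) in scan_range_for(src):
            seen[src].add(dst)
    return {src: len(d) for src, d in seen.items() if len(d) > threshold}


if __name__ == "__main__":
    for ip in ("10.4.7.22", "172.20.1.1", "203.0.113.5"):
        net = scan_range_for(ip)
        print(f"{ip:>12} sweeps {net}  private={is_rfc1918(net)}")
    print("flagged:", flag_local_scanners(build_sample_flows()))
```

A host that only knows its 10.x interface address sweeps a /16 that is entirely RFC 1918 space, which is the confinement the comment describes; the same logic run over real flow or firewall logs gives an early signal of lateral sweeping regardless of which port a particular worm uses.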
Well sure, there are tons of ways to avoid sending the password in cleartext every time, as my kerberos example was meant to demonstrate, but that doesn't change the point I was initially trying to make, which is that since you have to send the password in cleartext at least once, the grandparent's comment that it would be clear in the data structures until it was hashed and stored in the database is, to some degree, unavoidable.
And the fact that this is true even for encrypted transport layers such as SSL is therefore somewhat moot. I'd much rather send my passwords through SSL and have them in cleartext in the data structures for a short while rather than try to implement a complicated mechanism to scramble them with JavaScript, considering the small payoff versus the increased risk of not using it for that initial password setting.
If SSL is avoided in favor of such a mechanism, that initial password transfer will be totally unprotected. Seems to me a much bigger security risk than that which the grandparent was trying to describe. Plus, I'm trying to make the point that creating a completely bullet-proof system is non-trivial. There are lots of pitfalls to consider, and it's easy to miss even an obvious one.
If you're encrypting the password with JavaScript, which is done on the client side, then the server has no way of verifying that you actually have the password and didn't just grab the resulting ciphertext from someone else's session. This would be equally stupid.
Unless of course, if by "encrypting", you mean something more than just doing a secure-hash. (Which I wouldn't trust most web designers to do.)
I suppose if you did something smart, like a Kerberos-style encrypting of the current timestamp with the password as the key, it would be fine. But for that to work, the server would need to have received the password in cleartext (or its hash) at some point, bringing us back to the original problem...
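The three positions taken in the comments above (hash in JavaScript and send the hash; send cleartext over SSL and hash server-side; prove knowledge of the password with a Kerberos-style keyed response) can be put side by side in code. This Python is an added example written for this page, not code from any of the commenters; the class and function names are made up, the password is a constructed sample, and the challenge-response scheme uses an HMAC over a single-use server nonce in place of the Kerberos encrypted timestamp the comment mentions. It shows the point each comment makes: a client-side hash is itself a replayable credential, server-side slow salted hashing leaves nothing replayable in the store, and the challenge scheme resists replay but still needs the server to have received the password once at enrollment.

```python
import hashlib
import hmac
import os
import secrets

ITERATIONS = 50_000  # kept low for a demo; real deployments use far more


def derive_key(password: str, salt: bytes) -> bytes:
    """Slow, salted password-to-key derivation (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


# --- Scheme A: the client hashes in JavaScript and sends only the hash. ----
def client_side_hash(password: str) -> str:
    """Stand-in for a naive 'hash before sending' script (constructed)."""
    return hashlib.sha256(password.encode()).hexdigest()


class NaiveServer:
    """Compares the received hash with the stored one. Whoever holds the
    hash holds the credential: the password is never needed again."""
    def __init__(self):
        self.store = {}

    def enroll(self, user, client_hash):
        self.store[user] = client_hash

    def login(self, user, client_hash):
        return hmac.compare_digest(self.store.get(user, ""), client_hash)


# --- Scheme B: cleartext over TLS, salted slow hash computed server-side. --
class HashingServer:
    """The cleartext password lives in memory only for the request."""
    def __init__(self):
        self.store = {}

    def enroll(self, user, password):
        salt = os.urandom(16)
        self.store[user] = (salt, derive_key(password, salt))

    def login(self, user, password):
        salt, digest = self.store[user]
        return hmac.compare_digest(digest, derive_key(password, salt))


# --- Scheme C: challenge-response keyed by a password-derived secret. ------
class ChallengeServer:
    """Enrollment still receives the password once (over TLS); afterwards the
    client proves knowledge of it by MACing a single-use server nonce."""
    def __init__(self):
        self.store = {}
        self.pending = {}

    def enroll(self, user, password):
        salt = os.urandom(16)
        self.store[user] = (salt, derive_key(password, salt))

    def challenge(self, user):
        nonce = secrets.token_bytes(16)
        self.pending[user] = nonce
        return self.store[user][0], nonce

    def verify(self, user, response):
        nonce = self.pending.pop(user, None)  # each nonce is valid exactly once
        if nonce is None:
            return False
        key = self.store[user][1]
        return hmac.compare_digest(response, hmac.new(key, nonce, "sha256").digest())


def client_response(password, salt, nonce):
    """Client side of scheme C: derive the key locally and MAC the nonce."""
    return hmac.new(derive_key(password, salt), nonce, "sha256").digest()


def run_demo(password="correct horse"):
    """Exercise all three schemes on a constructed password; returns outcomes."""
    out = {}
    a = NaiveServer()
    a.enroll("alice", client_side_hash(password))
    captured = client_side_hash(password)  # what a passive observer would see
    out["naive_replay_succeeds"] = a.login("alice", captured)

    b = HashingServer()
    b.enroll("alice", password)
    out["hashed_correct"] = b.login("alice", password)
    out["hashed_wrong"] = b.login("alice", "wrong")

    c = ChallengeServer()
    c.enroll("alice", password)
    salt, nonce = c.challenge("alice")
    resp = client_response(password, salt, nonce)
    out["challenge_correct"] = c.verify("alice", resp)
    c.challenge("alice")                         # a fresh nonce is issued
    out["challenge_replay"] = c.verify("alice", resp)  # old response fails
    return out


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(f"{name:24} {result}")
```

Scheme A is the "equally stupid" case from the comment: the observer in `run_demo` never learns the password, yet logs in with the captured hash. Scheme B is the position the commenter prefers, and scheme C shows that even the smarter design still depends on that one cleartext (or password-derived) value reaching the server at enrollment.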
Re: Games? (on Game with God, Score: 2, Informative)
And then only in English! In French at least, the name of that chess piece is literally translated to "Court Jester".
Actually, unless you wrote your own compiler, in assembly, ENTIRELY FROM SCRATCH, and then proceeded to review the entire gcc code and compile it with your own compiler before using it, you may still be inserting plenty of back doors and trojan horses into your binaries.
There IS a reason in principle that stops appeals from going on against a defendant in the US: The double-jeopardy rule.
In criminal justice, it essentially stops the prosecutors from "getting a second bite at the apple". The only way an acquittal could be overturned by appeal is if due process was so overlooked that the people can prove that the defendant was never in jeopardy in the first place, such as proving that the trial was fixed.
That'd be hilarious, if it wasn't probably true.
Wonder how many non-Canucks out there are scratching their heads at that one...
> Actually, I've never seen them make that claim.
Me either. Good point.
Yeah, it was a joke, hence the ";-)" ...
You forgot the semicolon, that ain't gonna compile! ;-)
> There's a type of home game where you can spell things out in "leet" speak, or you get cards with strange letter and number combinations and you have to decipher the meaning. Anyone remember what it's called? That's what I think of when I see someone writing "R U Their".
I believe you're referring to "Whatzit?" I loved that game. I think it's still at my folks' place...
I don't think it's still available for sale, but check out:
http://www.gameroom.com/gamebits/RULES/Whatzit_Rules_Waddington_Sanders.html