Well, the trick is to establish enough code words ahead of time to be useful. But no, people/names and locations are very easy to make codes for, not hard. It's changes in the plan that are hard to communicate, since those require a dynamic code. Otherwise, an innocent phrase like "Charlie and Joey are going to pick up the pizza from Papa John's at 3pm and take it to Willie's house" could easily communicate actors, places, timing, and victims very easily... and sound incredibly normal on the phone. Hell, you don't even really need to disguise the names that much, since if you are being watched, using names that are completely out of context is a red flag.
Re: Not to start a flame war ;) (on "VIM 6.0 is Out", Score: 1)
pico stinks. Use nano (more features and Debian-Free approved). :p
It does apply to tangible goods. People lease cars, the phone company used to own your actual phone, my cable modem belongs to RoadRunner, and just about anything in the world can be rented to own. The real difference with that stuff is that you have to actually sign a contract that clearly states the terms and agreements-- and you get to read the contract before you pay the money to the vendor. But in most of those lease cases, one of my terms of agreement is that I can keep the item in question by paying a fee (which would allow me to later sell it).
However, if I buy software from Best Buy or Fry's or Computer City without signing a lease agreement, in standard retail parlance I haven't leased (or licensed) anything. I *bought* it. I don't think we need to worry about Joe Sixpack revolting, Joe Sixpack will just bitch about it over Buds during commercials on TV. What we need is for corporations and businesses and people with legal ability to take a stand against this sort of crap, instead of knuckling under when the BSA comes calling with their extortion racket.
1. Are you sure? Because you spelled it both ways in the posting.
2. So you're tight. Excellent.
3. I wouldn't know. Never met him or spoke to him on the phone.
4. Are you saying you didn't check the signature?
I'm sorry to be such a dink in my previous posting, but none of 1-4 helps those of us who are just readers of your fine web site and, seeing a signature, have a compulsive need to verify it. Security is a process, right? Running checks once in a while is part of the process. :)
Not only that, he abused the trust of his fellow hackers (if the article is credible) by lying about his intentions. This doesn't help any of us, since next time we see a case against someone like Dmitry Sklyarov or Randal Schwartz it's going to make it that much harder for those of us who understand the issues (even if only vaguely at times) to trust the accused-- and it certainly doesn't help the general public come to understand or trust the hacker community.
Well, in your case you're missing the correct key, which can probably be gotten from www.philzimmerman.com or keys.pgp.com, rather than the default keyserver in GnuPG. But unless your signed message has a header and exactly matches the original signed message, you have no way to verify the signature. In this case we don't know where the message starts, whether it includes the hypertext markup or not, or how the whitespace looks in the original. This makes it hard for the verifying program to work with the message.
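As an added illustration (not part of the comment above), here is the canonicalization OpenPGP applies to clear-signed text per RFC 4880: trailing spaces and tabs are stripped and line endings normalized to CRLF before hashing, so a reproduction that differs only in those still verifies, while inserted markup, changed indentation or a dropped blank line changes the signed bytes and the signature fails. The signed text and its reproductions are constructed samples, and the SHA-256 digest stands in for the hash a real signature binds.

```python
import hashlib


def canonicalize_cleartext(text: str) -> bytes:
    """Canonical form of clear-signed text as OpenPGP (RFC 4880, sections 5.2.1
    and 7.1) hashes it: trailing spaces and tabs stripped from every line, line
    endings converted to CRLF, and no line ending after the last line."""
    lines = [line.rstrip(" \t") for line in text.splitlines()]
    return "\r\n".join(lines).encode("utf-8")


def canonical_digest(text: str) -> str:
    """SHA-256 over the canonical bytes: the value a text signature actually binds."""
    return hashlib.sha256(canonicalize_cleartext(text)).hexdigest()


def would_verify(original: str, reproduction: str) -> bool:
    """A signature made over `original` verifies against `reproduction` only if
    the two canonicalize to identical bytes."""
    return canonical_digest(original) == canonical_digest(reproduction)


# Constructed sample of a signed text and several ways a web page might reproduce it.
ORIGINAL = "To the net:\n\nI never said that.\nPhil\n"

REPRODUCTIONS = {
    # Trailing whitespace and CRLF endings are normalized away: still verifies.
    "trailing whitespace, CRLF": "To the net:  \r\n\r\nI never said that.\t\r\nPhil\r\n",
    # Markup wrapped around each paragraph changes the signed bytes: fails.
    "html paragraphs": "<p>To the net:</p>\n<p>I never said that.</p>\n<p>Phil</p>",
    # Leading indentation is not stripped (only trailing whitespace is): fails.
    "indented": "  To the net:\n\nI never said that.\nPhil\n",
    # A collapsed blank line changes the text: fails.
    "blank line dropped": "To the net:\nI never said that.\nPhil\n",
}


def check_all() -> dict:
    """Map each reproduction to whether the original signature would still verify."""
    return {name: would_verify(ORIGINAL, text) for name, text in REPRODUCTIONS.items()}


if __name__ == "__main__":
    for name, ok in check_all().items():
        print(f"{name:28s} {'verifies' if ok else 'FAILS'}")
```

Publishing a link to the untouched original text file sidesteps all of these problems, since the verifier then feeds the signed bytes in unchanged.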
Do you think you could give the Slashdot crew a quick lesson in using crypto? From the way they've posted the last two missives from you, it's obvious they don't actually use PGP or GnuPG and have no clue how to transfer information in such a way that the digital signature remains valid.
I mean, providing a link to the original text file seems to be too hard for them, so maybe you could walk them through the procedure for verifying a document and then ask them to try and do that on their own postings, to see what they are doing to those of us who verify signatures when we see them?
I mean, what's the point of signing a message if no one can verify it? Not that I think Slashdot would lie, but for all we know they've been duped into posting something that isn't from the real Phil Zimmerman. Or maybe their stories are being tampered with-- it's happened to bigger fish recently (and Slashdot itself has been hacked before).
Not to mention that the air force is actively ousting out gays right now-- in spite of their other orders to discontinue many types of discharge to stem personnel loss.
Yeah, except that you don't need to do most of that *in* class do you?
Although, if science fiction is any indication, 25 years from now you will need to constantly access some sort of network to function in a place like college.
The question that really needs to be asked here is whether large, non-participatory classes are going to be of much use in 25 years, and if not, how will we replace them? I personally haven't found any non-participatory classes I've taken to be more useful than a decent book (and hell, why can't they just tape the thing and I'll watch it on VHS, DVD, or QuickTime?). With network access, school should become a meeting of tutors with students via email or other messaging (IRC, AIM, whatever), and scheduled appointments for more difficult questions. Using moderated forums and FAQs, teaching redundancy goes down, and if more than a couple students ask the same question or have trouble with a specific topical area, the tutor sets up a quick meeting with the lot of them to sort it out.
I remember my junior high math classes were similar to this; it was called "packet math" and we rarely had full class lectures since everyone in the class worked on topical packets. You took a pretest. If you passed that you skipped the packet. If you didn't pass, you worked through the packet-- reading and solving sample problems. If you solved the sample problems correctly you took a post-test. If you passed that you went to the next packet. Otherwise you worked through the material again, this time with more supervision from the tutor/teacher.
Applying this model to higher education (say 10th grade and beyond), instead of tuition, your billing rates could be based on how much of a tutor's/teacher's/professor's time you used up, in addition to straight fees for each topic/class. Schools would still want to offer certain topics/classes where groups (for live discussion, interactivity, or critiques) were necessary or as seminars. But to get past the required courses of a general nature, some students would be far more efficient under a test, work, test approach. And for those students who need more individual attention, it's there.
Me too. But what worries me is that, given how easy these things are to find-- and the fact that they need to be easy to find in order to be useful (i.e. not "sharing with yourself"), that once the RIAA is done screwing with Napster and passing the SSSCA that they will go after people hosting Open Nap servers and the like.
Not that any of this will stop file sharing. I can fit several CDs worth of music on a CD-R as Ogg Vorbis or mp3. In the process of ripping my CDs I get a track listing. I can easily create a catalog for friends to pick and choose from, and we trade CD-Rs via mail or in person.
Considering it cost $1000 for the cheapest one, why wouldn't I just buy a laptop with a decent sound card? Hell, my car isn't even worth $1000. I'd use an old P/133 in the trunk before I spent this much on a Rio Car Player. I mean it's a car. The sound in a car is bound to pretty much suck since you're out there driving anyway. How is any car audio worth this much unless you are a truck driver and spend more time in the cab than anywhere else in the world?
Sure, you could distribute it, but since the way it's presented prevents verification of the signature, nobody would have any reason to believe you that it was really from him any more than the Washington Post article was supposedly legit.
Re: Time to get learned. Which package do we get? (on "Blaming Encryption", Score: 1)
We might lose the convenience of the public key databases, but people who know each other can easily trade public keys via email and verify the fingerprints using another channel, like the telephone. The web of trust persists as long as you get your public keys either from people you can verify them with yourself, or from people you trust to have verified them correctly themselves. A public key server doesn't imply the keys are trustworthy all on its own. Anyone could upload keys and say they are someone, but until there is a verification of that identity the key is only valid in a somewhat circular way.
Of course, if owning/using keys related to strong crypto is illegal, this becomes a chancy proposition for large groups, since the probability of being caught goes up pretty quickly with each new person distributing keys.
It's not even a bad law, it's a faulty contract which may well fail to persist under judicial scrutiny. Frankly, though, if you are using Frontpage, you have bigger problems than this EULA.
Encryption can be broken, it just takes a lot of equipment and possibly time.
This is only partially true. Some encryption methods can't be "broken", although I suppose given an infinite amount of time you might generate all possible permutations of the encrypted data and weed out the results that look like reasonable messages. One-time pads are immune to cracking because the key changes with every message. And you might crack one message, only to have to start over on the next message.
Why this whole idea of a backdoored security product is insane is that the terrorists won't use it and there will be no way to tell illegitimate (unbackdoored) messages from legitimate (backdoored) without decrypting each message. And even so, this would only affect the public key infrastructure, not a privately-run key system. And it certainly doesn't affect a one-time-pad system, which any terrorist would probably be using anyway, since it is simple to implement securely without having to trust any external code-- i.e. we don't need an expert like Phil Zimmerman to write a one-time-pad encryption program, we just need a way to share the one-time-pad before we start exchanging messages.
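An added example, not from the comment above, showing in Python why an exhaustive search cannot "weed out the results that look like reasonable messages" from a one-time pad: for any candidate plaintext of the same length there is a pad that decrypts the ciphertext to it, so every candidate is equally consistent with what the eavesdropper sees. It also shows what leaks if a pad is reused, which is why the key must change with every message. The two messages are constructed samples.

```python
import secrets


def otp_xor(data: bytes, key: bytes) -> bytes:
    """One-time pad: XOR each byte with the matching pad byte. Encryption and
    decryption are the same operation; the pad must cover the whole message."""
    if len(key) < len(data):
        raise ValueError("pad must be at least as long as the message")
    return bytes(d ^ k for d, k in zip(data, key))


def new_pad(length: int) -> bytes:
    """A pad must come from a cryptographically secure source and never be reused."""
    return secrets.token_bytes(length)


def key_that_decrypts_to(ciphertext: bytes, candidate: bytes) -> bytes:
    """Return the unique pad that maps `ciphertext` onto `candidate`.
    One exists for every candidate of the right length, so an exhaustive key
    search produces every possible message and cannot single out the real one."""
    if len(candidate) != len(ciphertext):
        raise ValueError("candidate must match the ciphertext length")
    return otp_xor(ciphertext, candidate)


def reuse_leak(c1: bytes, c2: bytes) -> bytes:
    """What an eavesdropper gets if one pad encrypts two messages: the pad
    cancels out and c1 XOR c2 equals p1 XOR p2, which leaks plaintext structure."""
    return otp_xor(c1, c2)


# Constructed samples: two equally plausible messages of the same length (23 bytes).
MESSAGE = b"meet at the pier at 3pm"
DECOY = b"stay home and watch tv."


def demo() -> dict:
    """Encrypt MESSAGE with a fresh pad, then show that a different key turns the
    same ciphertext into DECOY just as cleanly as the real pad restores MESSAGE."""
    pad = new_pad(len(MESSAGE))
    ciphertext = otp_xor(MESSAGE, pad)
    decoy_key = key_that_decrypts_to(ciphertext, DECOY)
    return {
        "real_key_recovers_message": otp_xor(ciphertext, pad) == MESSAGE,
        "decoy_key_recovers_decoy": otp_xor(ciphertext, decoy_key) == DECOY,
        "keys_differ": decoy_key != pad,
    }


if __name__ == "__main__":
    print(demo())
```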
er, you keep the services turned on while you go back online (running only client software) to fetch the patches. Then, after patching the services, you return to full functionality. Is what I mean.
Considering that the McAfee software is only going to remove known threats, it would be better to perform a data backup and reinstall the system software on an infected host-- who knows if McAfee missed something in the clean up? Better to get a clean copy running than a patched version of an infected copy, and then, before you put the clean system back on line, you take the necessary steps to prevent getting infected (like turning off IIS) while you obtain patches for the vulnerable services. Considering that these are residential accounts, there is no revenue to be lost from server downtime, right? And the host owner should take his/her time to do the job right.
Depends on the university, the program, and the types of work in question. They may not assume the copyright, but they may have an unfettered usage license. And yes, the terms under which most students attend educational institutions are sucky, especially smaller, private institutions.
"It's only illegal if you get caught" is a poor attempt to play games with semantics. The fact is the activity is still proscribed by law-- and that's the usual definition of "illegal". But you're absolutely right, as long as no one reports it, it will happen. In fact, paying people who are not legally allowed to work in the USA less than minimum wage is probably doing wonders (or was, until last week anyway) for our economy.
AFAIK, they are only obligated to provide machine-readable source code to the person to whom they gave the binary executables. Therefore, anyone purchasing the server can ask and receive the source-- but this could be FTP, HTTP, CD-ROM or any other reasonable solution to that problem.
Well, if you accepted it, that's fine.
It would be different if they had lowered your wage below the minimum set by your state AFTER you accepted the initial legal of
um, dumbass, unless you are a waiter or waitress, an offer that is below minimum wage IS illegal. That's why there's a law about it.
Actually, if a gun owner needed money, most of them are likely to sell the gun, rather than risk criminal status.
But seriously, I think Australia is "safer" because of a host of other factors that have nothing to do with guns. My guess is that most Australians would only want guns for shooting kangaroos, and even then, most of them wouldn't consider that a worthwhile pastime.
I mean, if guns were the only difference, your crime rates for things unrelated to guns would be comparable to US rates, and I bet they ain't.
The debate over gun control can't be isolated and turned into a flashpoint issue. It must be considered inside a framework, and I'd have to say I think the Australian framework is worlds different from the US framework.
Your post would be more believable if you hadn't confused Mississippi with Missouri.
How is the ports system an improvement over Debian's apt-get system?
Erm, rather that second line should start "no contract can..."