Actually, a statistical system will get this right. It will find that the pattern "fruit flies" is common as a noun phrase, while "time flies" is rare as a noun phrase. It will also find that "time flies" is a common complete sentence, suggesting that "like an arrow" is an adjunct to it. "fruit flies" is rare as a complete sentence, suggesting that "like a banana" is not an adjunct, and must be a verb and direct object.
Actually, at this point a statistical system based on an automatically collected corpus is likely to have seen the quotation before, and identify it as both a pun and a quotation from Groucho Marx. It'll also tell you that "Time flies like an arrow and fruit flies like a banana" is supposed to be "Time flies like an arrow; fruit flies like a banana" by a vote of 18,600 to 279.
Statistical systems are actually quite good at the syntactically tricky cases, because they're going on the usage patterns, which are generally quite unambiguous. People generally go on the syntax, so the things they see as potentially tricky for naive software are actually easy, while the cases that are tricky are the ones where the usage is unusual but clear for some other reason: "The creaking floors. The rattling windows. The wolf howls in the night." It'll be a while before a system translates that third item as a bare noun, because common usage goes the opposite way from the way that it is used in this case.
Would you trust your credit card to some entity that was verified by Thawte, like this spoof site? In Firefox, at least, getting a non-major-CA-issued certificate actually tells you to decide if you think it is valid or not, and if you decide that it is valid, you keep it. That way, if you get a different certificate, it will tell you it is new (unless, of course, it is issued by some CA you trust), so you have a chance of identifying the hoax.
Certificate Authorities don't actually know anything relevant. Signatures on certificates would actually be useful if they never caused the certificate to be essentially ignored, and if they were applied by organizations that actually check on businesses: localities in which businesses are incorporated, better business bureaus, credit card processing companies, and so forth.
Enlightenment and Gtk have fundamentally different design philosophies. Enlightenment can throw out old ideas without worrying too much about breaking everything, because they don't have a large and diverse user base. Gtk has to be much more conservative. This means that Gtk will be a few years behind Enlightenment, but it'll be functional more of the time. Really, neither project should become more like the other, but Gtk should look at Enlightenment's solutions when it has problems to solve.
I don't think you're all that lucky if they guess Reversi. The most casual observation is sufficient to realize that Go stones are the same color on both sides. I wouldn't be too surprised if the average American didn't know how to play Go or even recognize it, but Othello is pretty common as something people had growing up. They should really be guessing Pente, which you could play with a Go set if you wanted.
Now I want to know whether he was thinking of Go Fish or Cribbage.
The Common Criteria sort of goes past EAL4 to the proof of correctness stage, but the CC members don't all agree on the higher levels, probably because the code proving theory is not entirely worked out to everybody's satisfaction.
If higher EAL levels were well defined, it might actually be easier for Linux to achieve them, because it would simply be a matter of writing out how Linux security is supposed to work, and then checking that no transition from an allowed state to a disallowed state can happen. In order for the proof to be trusted completely, it has to be possible to check it mechanically (because no organization is going to be able to check a proof of the necessary size by hand with the required accuracy), in which case OSDL can just do it for each release.
Of course, there is a long way to go before real code on real computers can be verified. It still takes people with PhDs paying attention to catch issues in the specification of virtual machines, let alone real processors, and being able to precisely characterize the processor is obviously a necessary condition to being able to say anything about the behavior of code running on it. (An internal draft revision of the Java memory model had this problem: if one thread copied a variable at the same time that another thread copied it back without any locking, the VM would be allowed to set both variables equal to anything at all, in each case claiming that it was a copy of the other thread's value. An implementation which did value prediction might load some arbitrary value speculatively, and then check that it was correct, which it would be by the time the check was done. This would allow a situation in which the VM could accidentally fabricate a char[] pointing at the SecurityManager or something, allowing the code to scribble on important stuff. It's not even practical to catch this sort of thing programmatically, let alone subtle ways in which implementations may fail to be secure.)
I assume they look at "the development" of the EAL4 version as starting from where they take in a particular kernel release and making it secure (which may involve a significant amount of work, depending on what their design actually is). The concern is that someone could change something after you've evaluated it; you avoid that by not taking patches from anyone else unless you verify them.
The Linux kernel could never get an EAL rating as it is developed by Linus et al, but that doesn't mean that a process couldn't start from a kernel snapshot and get to an EAL rating.
Linux probably does have a greater market share in research handhelds. It's just that there are very few research handhelds, so it doesn't affect the handheld market as a whole.
Handhelds weren't really a market that Windows had much going into; inertia would suggest that people running Windows would want to develop handheld software under Windows, but the usual PalmOS development environments are under Windows anyway. It's not like you could possibly use the same software on a desktop and a handheld effectively without changing most of it to make the interface usable with the completely different user affordances. I actually suspect that Windows is gaining on PalmOS now due to handhelds dying to the point where the similarity with tablets (which tend to run Windows because Microsoft pushed the whole idea so much) is more significant for people who haven't gone to Symbian/Java/Linux phones than the inertia towards PalmOS.
The requirement is actually that you document what your security model is and how your implementation achieves it, and then they verify that you're right.
There are no restrictions on the development process. The point is that it gets validated as a finished item, so it doesn't matter how it got that way. It also doesn't matter who writes the documents, so long as they have the necessary information.
It will be interesting to see what SuSE does with the documents which were part of the process. It would also be interesting to see what, exactly, SuSE's security model is. (EAL4 doesn't require you to have a particularly useful security model; IIRC, Windows got EAL4 in configurations without network or disk drives.) It would be interesting for the kernel tree to include all of the necessary documentation for EAL4 in various ways, such that anyone who wants to get a version certified just has to build a suitable configuration and submit it for verification.
If Congress passes a law prohibiting the president from doing something (like dismissing cabinet members without Congressional approval), and he does it anyway, that's plausibly a "High Crime or Misdemeanor". I mean, there wouldn't be any point in a law which applies specifically to the president if it weren't.
The phone only tells the 911 operator your location when you dial 911. If you have any interaction with a 911 operator at all without doing anything, something is terribly wrong.
Yeah, living entirely in one place is too risky. Personally, I relocated my lower half to Florida, my head and hands to Boston, my lungs to the midwest, and my digestive tract to Seattle. And I left my heart in San Francisco.
There are three bodies: the Parliament, the Council, and the Commission. The Parliament represents the people in general. The Council represents the nations; remember that the EU is a democratic group of democratic nations, so a certain amount of power is in the hands of the nations rather than the people (similarly, the US president is elected by the states as directed by their citizens). The Parliament and Council need to agree on directives in order for them to go into effect. The Commission is responsible for determining what things need to be decided in the first place and for figuring out what has happened when the Council and Parliament have done something.
The current situation is a loophole where the Parliament passed a patent directive with a set of amendments which prohibits software patents, and the Council passed it without the amendments. It then goes to the Council to rubberstamp (because both groups passed something), then back to the other groups to make sure that the final thing is right. But the Parliament is upset, because the Council version, while almost identical text, is exactly opposite in effect (they essentially scratched out the "not" the Parliament had decided to add to "software can be patented"). There is some concern that not enough members of Parliament will show up on the day they check things over to veto the Council text, and the Parliament is generically upset about the process being subverted.
IIRC, the Parliament can dissolve the Council (or Commission?) with a vote of no confidence. They obviously wouldn't do that just on a whim, but they might if the other bodies ignore repeated demands from different portions of the Parliament.
This is a bit like the US legislature. They can pass laws, but the Justice Department can fail to enforce them (or the FCC can ignore them, etc.). If the Executive Branch department fails to respond, they can complain to the President, who can fire people. If the President fails to do anything, they can impeach him. This is, in fact, what happened to Andrew Johnson (backwards; he fired an executive for doing what Congress wanted), although he was acquitted by one vote.
So this is another step with which the Parliament can try to exert influence on the other branches without actually going all the way and using their actual power, which would be enormously disruptive to everything.
Note that the Parliament can also reject the directive on the second reading, but it's difficult and depends on enough MEPs actually showing up that day; if Parliament complains enough beforehand, the Commission is more likely to think that enough MEPs will show up to the vote to kill it, and the less interested they are in pushing the Council's text through (the Commission's mandate is to get some directive passed on software patents, because the current situation is broken, and their job is to get broken situations resolved in some way or other). If it's going to get killed in the second reading, they would rather save face and restart the process; if it's not going to get killed in the second reading, they want to get it done.
There is no Linux IP issue. SCO dropped those claims. SCO's current claims are breach of contract against IBM and copyright infringement in AIX from IBM continuing their AIX work after SCO said they couldn't. Chances are that nobody actually wants SCO's assets, since they're probably mostly liabilities at this point, and there's nothing really unique and useful. So it wouldn't, at that point, matter if there was SCO IP in Linux, so long as nobody wanted to acquire it and try to argue it.
The claim that GTA trained Thompson to do this is absurd. First, you can't get things from people in GTA unless you've already killed them. Second, the gun mechanic in GTA is completely hopeless, as well as unrealistic in a number of ways (wherever he learned to turn off the safety, it wasn't GTA). Finally, when they caught him, he said you have to die sometime, but you never die in GTA.
About the only thing that he might have gotten from GTA is the idea that you can kill several cops after they've called in and still somehow get away. Not that killing cops in GTA actually helps for getting away, particularly if you're in a vehicle. If someone was taking cues from GTA, they'd certainly never let themselves get pulled over without a high speed chase and barricades.
GPS systems that tell you where you are (or tell the operator when you're calling 911) are a totally different thing from GPS systems that tell other people where you are without you doing anything, aside from the largely irrelevant technology used by the device to find where it is.
Marvin was made by the Sirius Cybernetics Corp, which makes insipid talking doors and elevators. It makes sense that they'd put Marvin in a completely inappropriate Teletubbie-style body.
It is a pity that they didn't do much of Zaphod's second head, though, since the technology is available to make someone really look like they have an extra head grafted on. (Sure, they couldn't make it look natural, but it's supposed to be not quite coordinated with the first head and body, because it's a late addition.)
I still want to see someone with spherical running shoes.
For that matter, if government-issued GPS devices get associated in the public's mind with convicted criminals, people will be less willing to accept them in other situations. "A device that tracks my kids" is a lot more tempting for parents than "a device that tracks my kids, just like sex offenders have to wear".
Re:Info on what exactly SHA-1 is ... (on SHA-1 Broken, Score: 1)
Half of the NSA's job is to recommend to the government security measures which are likely to protect it (and also, these days, to recommend such measures to vital national infrastructure in the private sector). If they know of a weakness in something, they're smart enough to guess that someone else will find the weakness before too long, and they won't recommend using it. "A Chinese group announces that they found a flaw we knew about in something we were still recommending" is an NSA director's worst nightmare.
Of course, it's possible that this flaw has been known to the NSA and they know of a reason that it is not going to lead to a worse break. They have said recently that by 2010, you should be using SHA-256 or SHA-512, so it's plausible that they understand exactly how deep this flaw goes, and 2010 is when a computer capable of implementing the best version of an algorithm of this form will be available.
Re:So what's the big deal for the rest of us? (on SHA-1 Broken, Score: 5, Insightful)
It is still probably difficult (hard to say without looking at the paper) for someone to find a different document with the same hash as a document you create, but it's now not all that hard to find a pair of documents with the same hash. Someone could give you a document to sign, and get your signature on a different document. Also, IIRC for previous work by this group, the attack applies to chosen pairs of documents with sufficient "random" padding; you can search for a padding for each to generate a hash collision.
Essentially, don't sign anything that someone else has given you without changing it in some way, or your signature might also apply to some other document they have chosen.
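An added example, my own code rather than anything from the comment above or its author, showing why the advice holds: with a hash weak enough that colliding pairs are cheap (here SHA-1 truncated to 32 bits, a constructed stand-in), a submitter can pad two chosen documents until they hash alike, so a signature on one verifies on the other; prepending a signer-chosen random line before signing leaves the submitter nothing to have searched over. The HMAC "signature" and the 32-bit truncation are assumptions for the demonstration, not properties of SHA-1 or of any real signature scheme.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Constructed toy setting: SHA-1 truncated to 32 bits, so a birthday search
# finds a colliding pair in well under a second. Real SHA-1 is 160 bits and
# the 2005 result lowered its collision cost nowhere near this far; only the
# shape of the problem is the same: collisions come as attacker-chosen pairs.
TRUNC_BYTES = 4


def toy_digest(data: bytes) -> bytes:
    """Stand-in for a weak hash: the first TRUNC_BYTES of SHA-1."""
    return hashlib.sha1(data).digest()[:TRUNC_BYTES]


def find_colliding_pair(doc_a: bytes, doc_b: bytes,
                        max_tries: int = 1 << 20) -> Optional[Tuple[bytes, bytes]]:
    """Birthday search over 'random' padding appended to two chosen documents.

    Returns (a_padded, b_padded) whose toy digests are equal, or None if
    max_tries is exhausted. Expected work for a 32-bit digest is ~2^16 tries.
    """
    seen_a: Dict[bytes, bytes] = {}
    seen_b: Dict[bytes, bytes] = {}
    for i in range(max_tries):
        pad = b"\n<!-- pad %d -->" % i  # invisible once the document is rendered
        cand_a, cand_b = doc_a + pad, doc_b + pad
        h_a, h_b = toy_digest(cand_a), toy_digest(cand_b)
        if h_a == h_b:
            return cand_a, cand_b
        if h_a in seen_b:
            return cand_a, seen_b[h_a]
        if h_b in seen_a:
            return seen_a[h_b], cand_b
        seen_a[h_a] = cand_a
        seen_b[h_b] = cand_b
    return None


def sign(doc: bytes, key: bytes) -> bytes:
    """Stand-in for a signature: a MAC over the digest, since real schemes sign
    the hash of the document rather than the document itself."""
    return hmac.new(key, toy_digest(doc), "sha256").digest()


def verify(doc: bytes, sig: bytes, key: bytes) -> bool:
    return hmac.compare_digest(sign(doc, key), sig)


def sign_with_fresh_prefix(doc: bytes, key: bytes,
                           nonce: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """The mitigation from the comment: change the document before signing.

    A signer-chosen random line is prepended and covered by the signature, so
    whatever padding the submitter searched for no longer lines up.
    """
    if nonce is None:
        nonce = os.urandom(16)
    signed_doc = b"signer-nonce:" + nonce.hex().encode() + b"\n" + doc
    return signed_doc, sign(signed_doc, key)


if __name__ == "__main__":
    key = b"signer-secret-key"          # constructed
    benign = b"I agree to pay $100."    # what the signer is shown
    hostile = b"I agree to pay $100000."  # what the submitter keeps
    pair = find_colliding_pair(benign, hostile)
    assert pair is not None
    shown, kept = pair
    sig = sign(shown, key)
    print("signature on shown doc verifies on kept doc:", verify(kept, sig, key))
    signed_shown, sig2 = sign_with_fresh_prefix(shown, key)
    nonce_line = signed_shown.split(b"\n", 1)[0]
    print("same trick after signer-chosen prefix:",
          verify(nonce_line + b"\n" + kept, sig2, key))
```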
I think most teams would be glad to have such a person; the danger is more that you'll be unable to get an explanation to base your documentation on.
One way to start might be to follow a mailing list and write up results of discussions, like lwn's kernel page or wine-traffic. This lets you show off your work in a relevant way before you start asking questions. It's also quite useful for many mailing lists, where things get discussed for a while until people lose interest without a clear conclusion.
The issue with a universal single sign-on is that people don't universally trust anyone. However, that doesn't mean that there isn't a use for a single sign-on for a collection of related services. It would make sense to have a single OSDN signon, a single signon for all your work services (printer, fileserver, mail server, etc), one for home, one for school, and so forth.
Green Day's middle albums were very different from their first few. I lost interest around that point, so I don't know if they've gone back to their roots, but if punk is defined by Kerplunk, then Insomniac wasn't punk. It's hard to say if it's because they got popular, or got married, or got older, but they changed around then.
However, I suggest you strip it down to Threat-Asset-Vulnerability (the TAV in OC-TAV-E) and run with that for a while.
The "OC" doesn't *really* stand for Obsessive-Compulsive, you know.
Call me a fanboy, but I sure do like the AMD kool aid.
Wouldn't it be more appropriate this time to call you a nofanboy?