sick
Oh, and the Dutch service is way more reliable. SA service had occasional glitches and it seemed to be impossible to get a competent technician to fix my dish.
In South Africa I had digital satellite TV which had about 70 channels. Later they came out with a DVR with time shifting. After moving to the Netherlands I expected a way-better service (being "1st world") and everything. Not so: the UPC digital cable service was pretty much the same and in the same order of price. It also had about the same number of channels but there are many Dutch language channels that I don't watch. Major differences are the prevalence of sub-titles in the Dutch service on all English channels except for things like Euro news and CNN, CNBC etc. Also less film info on the film channels (the SA film info always had date of film, director and leads). Film channels are a premium extra. And no BBC food channel - *sigh*.
The article says that in 20 years users have not gotten better at creating good passwords.
Logically then the solution is NOT to get users to take "password security seriously". This is like trying to stop VD by convincing teens to abstain from sex - it's in the never-going-to-happen category.
The solution is to mitigate the damage of a brute force attack - when bots make password guess attempts, you need counter-"bots" to detect patterns of access and then block IPs, warn users, or disable accounts. This is a form of intrusion detection.
This is not to mention that for most web accounts, a break in doesn't matter - what damage can the hacker really do? Like post things-you-didn't-say and trash your reputation on www.social-site-for-people-who-spend-to-much-time-online.com? Heck, that's major dude.
Just a wild guess here, but let's ask: Are there web site owners who think the logins they host are way more important to their customers than they actually are?
Hmmm
-paul
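An added example, not part of the original comment: a minimal sliding-window detector of the kind the comment above describes, mapping access patterns to the three responses it names (block the IP, warn the user, disable the account). The log format, thresholds and all names are assumptions made for this sketch, and the sample log is constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)  # sliding window for counting failures
IP_FAIL_LIMIT = 5              # failures from one IP in the window -> block it
USER_FAIL_LIMIT = 4            # failures against one account ...
USER_DISTINCT_IPS = 3          # ... spread over this many IPs -> lock it
WARN_AFTER_FAILS = 3           # success right after this many failures -> warn

# Constructed sample log (hypothetical format): "<timestamp> <OK|FAIL> <user> <ip>"
SAMPLE_LOG = """\
2010-01-05T10:00:00 FAIL alice 203.0.113.7
2010-01-05T10:00:10 FAIL alice 203.0.113.7
2010-01-05T10:00:20 FAIL alice 203.0.113.7
2010-01-05T10:00:30 FAIL alice 203.0.113.7
2010-01-05T10:00:40 FAIL alice 203.0.113.7
2010-01-05T10:00:50 FAIL alice 203.0.113.7
2010-01-05T10:02:00 FAIL bob 198.51.100.1
2010-01-05T10:02:30 FAIL bob 198.51.100.2
2010-01-05T10:03:00 FAIL bob 198.51.100.3
2010-01-05T10:03:30 FAIL bob 198.51.100.4
2010-01-05T10:10:00 FAIL carol 192.0.2.50
2010-01-05T10:10:05 FAIL carol 192.0.2.50
2010-01-05T10:10:09 FAIL carol 192.0.2.50
2010-01-05T10:10:15 OK carol 192.0.2.50
2010-01-05T10:20:00 FAIL dave 192.0.2.60
2010-01-05T10:20:10 OK dave 192.0.2.60
2010-01-05T10:30:00 FAIL erin 192.0.2.70
2010-01-05T10:33:00 FAIL erin 192.0.2.70
2010-01-05T10:36:00 FAIL erin 192.0.2.70
2010-01-05T10:39:00 FAIL erin 192.0.2.70
"""

def _prune(queue, now):
    """Drop entries that have fallen out of the sliding window."""
    while queue and now - queue[0][0] > WINDOW:
        queue.popleft()

def detect(log_text):
    """Return the ordered list of (action, target) responses for a login log."""
    fails_by_ip = defaultdict(deque)    # ip   -> deque of (time, user)
    fails_by_user = defaultdict(deque)  # user -> deque of (time, ip)
    blocked, locked, actions = set(), set(), []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        stamp, result, user, ip = line.split()
        now = datetime.fromisoformat(stamp)
        if ip in blocked or user in locked:
            continue  # already handled; nothing further to decide
        _prune(fails_by_ip[ip], now)
        _prune(fails_by_user[user], now)
        if result == "OK":
            # A success straight after a burst of failures may be a lucky guess.
            if len(fails_by_user[user]) >= WARN_AFTER_FAILS:
                actions.append(("warn_user", user))
            fails_by_user[user].clear()
            continue
        fails_by_ip[ip].append((now, user))
        fails_by_user[user].append((now, ip))
        if len(fails_by_ip[ip]) >= IP_FAIL_LIMIT:
            blocked.add(ip)
            actions.append(("block_ip", ip))
        # Guessing spread over many sources never trips the per-IP limit,
        # so the account itself has to be the unit of detection here.
        sources = {src for _, src in fails_by_user[user]}
        if (len(fails_by_user[user]) >= USER_FAIL_LIMIT
                and len(sources) >= USER_DISTINCT_IPS):
            locked.add(user)
            actions.append(("lock_account", user))
    return actions

if __name__ == "__main__":
    for action in detect(SAMPLE_LOG):
        print(action)
```

The dave and erin entries are there to show what does not fire: a single typo before a successful login, and failures spaced too far apart to fill the window.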
Simply put, the bulk of security problems are not solved by encryption.
In fact encryption and authentication often create more problems than they solve. Corporations are asking for many passwords where they aren't needed, certificates create admin overhead, and encryption is more difficult to set up and get working in-time-to-market than if there were no encryption.
One doesn't invest in something "because it sounds like -- real cool, man". Rather, one must begin with a problem and think creatively to solve that problem. ...and encryption is just one of the available tools.
Also, you can't take the protocols SSL, DNSSEC, SFTP, IPSEC and pool them into one bucket and call it "encryption". Each are separate solutions to separate problems, and indeed will usually be only one component within the solution.
-paul
June 2010: "Scientists analysing martian meteorites mysteriously disappear after announcing they were close to a breakthrough. Majestic 12 suspected."
-paul
The purpose of privacy is to protect the people who are protecting the public
from governments.
Governments are the biggest evil, and therefore our society needs privacy.
It is not criminals who are the biggest threat to society.
By disallowing privacy, it becomes impossible for institutions like the press to
hold governments accountable.
Democracy functions on the pillars of human rights not only because of moral
concerns, but because those pillars are necessary cogs in the social machine.
- Right to privacy
- Freedom of press
- One man one vote
- Separation of church and state
- Term limits
- Independence of the supreme court
etc.
Remove any of these pillars and democracy stops working.
A recent example is George W Bush - America blurred the line between
church and state by electing someone purely because he stood against
abortion... elected in spite of the fact that he had no other positive attributes
besides being a devout Christian. ...and look what happened.
-paul
what about high winds?
-paul
> "Never attribute to malice that which may be adequately explained by incompetence."
this is MY line. f765ing plagiarist
-paul
An OpenSSL patch (http://www.links.org/files/no-renegotiation-2.patch) disables SSL
renegotiation, closing the security hole.
But let me ask this : who would ever require SSL renegotiation in practice?
I mean seriously -- changing the cipher in the middle of an SSL session??
-- no mainstream scenario would ever do this.
A question comes to mind why renegotiation was ever supported in the first place.
The next question is what OTHER seldom-used "features" are supported by
most SSL implementations that are just supported so that the implementation
can claim full RFC compliance, but are never actually used by real web sites.
My own SSL builds disable everything except RC4-*-RSA
When did anybody ever get the idea that this was any other way?
Here at work we have to use a Sun VirtualBox to run IE7 just to access
one web app that doesn't work on Fedora -
IBM Irrational @#$%*&g ClearQuest Web -
the worst GUI interface since the punch card reader.
-paul
From the judgment "...fair to describe Microsoft's evidence as more or less
conclusory on this point." I.e. that the patent was an obvious modification to
prior work.
I am glad about this. It shows that the patent system is not so broke as some think.
This patent basically is merely the means by which one can type in a license key
after downloading some free-trial software. Much free-trial software has some kind
of typing-in-of-a-license-key, and if Microsoft lost it would mean no one could do
this in their own products without fear of a lawsuit - a ridiculous situation.
This guy was just gold-digging. Well done to the judge.
rather
sed -e "s/don.t/do insignificantly small amounts of/g"
-paul
Linux is not a religion you moron.
I have ALL OSs installed because I need to port software to ALL OSs.
This means Linux, Mac, WindowsXP/64/03/08, Solaris, FreeBSD, etc. etc.
There is nothing huge to distinguish any of these systems from each other.
They are ALL crap in their own way.
The only difference is in their Pundits: Linux people think they are
knights of some kind of OS crusade. They don't know it, but they
are marketing people employed by RedHat and IBM - employed
WITHOUT PAY that is.
Come to think - there is one good thing I can say about
astroturfing scum from Microsoft - at least they ARE paid.
Linux pundits represent meaninglessness in its worst form -
they don't contribute source code, they don't earn money off it,
they don't do Linux support, they only spend money on games.
They only ever rave about how good it would be for OTHER
PEOPLE to use Linux, and how terrible it is that OTHER PEOPLE
aren't suing violators of the GPL.
-paul
The reason why they "violate" is because they just do not care.
It has nothing to do with deadlines or politics or competition or margins.
The code they are using is seen as "some free stuff I downloaded which happens to work - cool for me".
The point of a company is to make money, not to further ethical causes. If it doesn't SEEM like a massive no-no I don't think it would enter the head of even one person in this supply chain to question it. And by the time anyone does, it's already 3 generations of products later and they are wondering why someone is bothered with a product that is nearly ending its life cycle.
I mean, if asked, they would probably ask if there is any tangible heavy institution that is likely to find out, or even to care if they did.
Ultimately, you need to also ask if it really matters at all. How often do you think this provided source code is really going to be useful to a mass audience? As you say: the products in question have a very short life span, and the changes must be small to be able to be completed in time.
FreeBSD benefits enormously from user contributions (both commercial and hobbyist), yet has no requirement to make changes public.
Oh it MUST matter you say - it's the PRINCIPLE.
Well it's YOUR principle.
The title should be rephrased:
"How Hardware Makers Come to Comply With Free Software Licenses" These are the extremely rare cases, and in truth any company that is spending time worrying about little things like this has probably so lost focus it won't be around for long.
Alan Turing's biography is a fascinating read - ISBN 0099116413
Most people know Turing for his contributions to computer science, but
his role in ending the war was monumentally important.
Turing helped crack the German encrypted communications allowing
interception of critical commands. So difficult was this work that the
Germans never suspected it as a possibility.
Without Turing the war would have certainly gone on longer.
-paul
The judgement concludes that the issue ought to go to trial, NOT that SCO owns the copyright. It also concludes that royalties due to Novell are still due.
The debate within the 50 page judgment is mostly about the wording of the contracts. The wording of the transfer of ownership is indirect and vague.
What is interesting is that the signatories both agree that the INTENTION AT THE TIME was to fully transfer copyright ownership of Unix. California law however prohibits this fact as admissible evidence. It is truly curious that lawyers chose to express this in a way that could have been open to debate!!
Perhaps Novell was deliberately leaving a backdoor open - ???
-paul
@@@ never ascribe to conspiracy what can more easily be explained by ineptitude @@@
exactly right
> You're not strictly running native ipv6,
this is ridiculous.
why couldn't the standards have defined that every IPv4 address *is* an IPv6 address?
Then I can keep my addresses and switch to IPv6 without having to encapsulate or proxy anything.
at the border between IPv4 and IPv6, if the address space of IPv4 is within IPv6, then
all the router needs to do is translate the IPv4 packet into IPv6 and back again, because
translation is 1:1.
This way everyone has a migration path to IPv6.
-paul
> Well, it's restored. I keep forgetting I can literally contact ANY lan host from remotely, using its v6 address
that's a bug not a feature.
-paul
> Seriously, just because no one on your block uses IPv6, does not mean that businesses,
> universities, government agencies, and telecos are not using IPv6 in large deployments
bullshit.
NO ONE is the slightest bit interested in IPv6 at the moment, except for extremely rare niche
deployments LIKE universities.
YOU need to go speak to a real owner of a real ISP and ask them why they are not
interested in IPv6. You won't get an answer - you'll just get a laugh.
-paul
> The transition plan is solid, and works very well in practice ... What's lacking is the ISP motivation,
Moron, the very definition of a "solid plan" is that ISPs would have "motivation".
Yes, this is what "geeks" (in the most derogatory propeller-head sense of the word) always say:
1. It is technically sound.
2. There are no bugs.
3. My users do not seem to like it.
4. Ergo - there is something wrong with my users.
With people-like-YOU it is always someone-ELSE that has the problem.
Let me slap you in the face and point out a flaw in your logic: If everything is as perfect as you say,
WHY don't people want to migrate?
5. Ergo - the thing that is wrong with my users is that a religious outside force is sabotaging my perfect plan.
6. Ergo - it is not my fault.
7. Ergo - I can take full credit for a perfectly conceived plan even though I have failed to produce anything useful.
-paul
Dan Bernstein has chimed in on this before:
http://cr.yp.to/djbdns/ipv6mess.html
He is basically dead right.
The people who came up with IPv6 seemed to be too ivory tower: they forgot about
the reality on the ground. Few ISPs are even thinking about IPv6.
-paul
Dude, this is a REAL problem not some piece of theory you can stir in your brain and decide if it's "true" or not:
Look, there are several major Linux distributions all with weird release names, and
there is categorically no resource on the Internet that lists all the release names, what
OS they correspond with and what release number.
At least with FreeBSD it calls itself "FreeBSD X.Y" so you know -
a) which distribution it is (i.e. you know it's not OpenBSD NetBSD BSDi or some Linux-based thing)
b) which version of the distribution it is.
Any person using Linux over a long period in time who is NOT interested in the operating system per se gets totally confused and annoyed because all these release names are just one big blur.
-paul
Linux distributions LOVE to come up with catchy names for their releases.
But sit down at a random machine and try work out WHAT release of Debian (or Fedora or whatever) you are actually sitting in front of and you can pull your hair out.
How is anyone supposed to remember that "Debian <insert-dumb-release-name-here>" is MORE recent than "Debian <insert-other-dumb-release-name>" ????
I suppose you are going to tell me to check /etc/issue
Oh THAT'S user friendly.
And what if /etc/issue has been emptied "for security reasons".
I can hear the support call already: "Er... Sir, if you can't work out what version of Linux you are running we recommend that you re-install, and also check the Wikipedia entry for Debian. .... Yes that's D-E-B-I-A-N"
I know as a maintainer that at one point "Sarge" was the most important word in your life, but for the USER (that's the person that is actually going to be using the OS you are working on), he doesn't know "Sarge" from "Etch" from "Horcrux".
AND HE DOESN'T CARE EITHER.
-paul