The biggest drawback to me of non-electronic books is that they aren't searchable, either within the book or over a library of books. For example, I'm reading along and hit a character name that was mentioned once some eight chapters ago - I want to do a quick search to where he was first introduced. Same thing when reading an acronym-heavy article. Searching over multiple books would be nice in a series, or for remembering which story had a particular character, or to do normal research.
Someday, with the improvement of "electronic paper", I expect to be able to have a book with pages and all that you can turn, but that you can, with the touch of a stylus, change to be a different book. One thing I'd like to see with such a book is that you could write in it and have the markings be there the next time you load that same book (but also be easily wiped out).
Still, there's something satisfying about having a real book, that isn't subject to a stupid software flaw that might wipe it out, or a tiny scratch, or EMP. Takes a fire or a flood to destroy it, and even then it can often be rescued.
Same thing with CDs and DVDs, they're more fragile than books, but better than tape, and less ephemeral than a backup on a hard drive, and actually under your control rather than being at the mercy of someone else if you have to download it each time you want to watch or listen to it.
Just a side note, but that would execute a lot faster if you just piped the list of names through to xargs and let it run cat, rather than run cat once for each file:
Dear webmaster, your website is broken. The link to see my letter of acceptance isn't there, I have to manually type the URL to get to it. Please fix this as soon as possible, I'm sure there are many other people who are waiting to see if they got accepted who haven't found this way around the flaw on that page. Thank you!
Am I hacking into my credit card web site when I enter a number into a field that is normally empty in order to bypass a logic error in their javascript validation code that wouldn't let me select a particular option? They refuse to fix it as they claim it is a problem with Safari, not with their code.
But, legally, the rest of the patent carries no weight.
Not true. If the rest of the patent can alter the meaning of the claims, then of course that "carries weight". It might be more accurate to say that the rest of the patent has to be filtered through the claims. The claims are the primary description of what the invention is, and what will infringe, but the rest of the patent is still important. Of course, the rest of the patent is absolutely useless without the claims.
A patent could be invalidated if the "preferred embodiment" given in the description doesn't actually teach what the invention is, for example, or some parts of the description could end up limiting how broadly a particular claim can be interpreted.
You may have 3 patents, but I've helped invalidate 2 patents...
I'd think that any computer with a CD-recorder that could rip and record audio tracks and had an audio-input (e.g. microphone jack) and audio-output (sound card and headphone jack) would be prior art for virtually all of these claims. A few others (e.g. "balanced and unbalanced" connectors) are obvious (plenty of prior art for ANY audio equipment to have both, for example, so adding them to a computer being used as a piece of audio equipment would not be novel), even if you can't find a direct example (but I'd bet you could even find that, plenty of people were using computers in professional recording studios early on - as soon as you connect up a good quality audio board to the sound input and output jack of the computer, you've probably wiped everything else out). The claim regarding DVD would also be blown away on obviousness - there's plenty of literature showing that a DVD is the same thing as a CD as far as data storage is concerned.
This patent shows a common pattern with a lot of bogus patents - set up a strawman problem, then claim your "invention" solves the invented problem. For example, this invention "solves" the problem of having to use expensive CDs used by "ordinary" CD recorders, allowing you to use the less expensive data CDs that are readily available for computers - ignoring that the "music" recordable CDs aren't a technical issue, but a legal/political issue.
Look at the claims, not the poorly worded abstract, then read the description of the invention to try to figure out what the claims actually mean. The abstract is useless for figuring out what might be infringing, and in many cases is useless for even figuring out what the invention MIGHT be. In this case, they do describe the "software" being protected as possibly being a media file.
Except that the rest of the patent helps determine what the claims actually mean. In this case, however, the descriptive part makes it clear that "software" includes media files. They use the term "computer codes" to refer to what most of us would call "software programs".
The real meat of this patent seems to be the idea of using information that the authorized user wouldn't want to get out as the way to authorize "software" to be used - so, if the only way to decrypt a music file is to decrypt a key by using your iTMS account and password, you're not likely to pass that around to your friends.
However, the way the claims are worded is astonishingly horrible, and it isn't clear to me that the way Apple authorizes music files in the iPod or iTunes would be infringing anyway. It seems to me even less likely that porn sites using credit cards to authorize access to the site ("free" or not) would infringe, nor would eBay requiring a credit card to set up an account (which is not true, anyway).
No, I'm not a lawyer, but I've been following software patent issues for over 15 years.
Yeah, I saw that, and it's a good example of why the use of "obvious" in the way patent lawyers use it is a problem. It may be totally obvious (in the common sense) that if you put in a windshield that can change the level of light that goes through it, that you'd want to make sure that it doesn't go too dark when you're actually driving (although it might go all the way opaque after you shut off the car, say to keep the car cooler in the hot sun). Even if you didn't, the very first time you try to convince a safety inspector to let you install the windshield, they'd ask "and how do you make sure it doesn't go too dark when you're driving?" to which you answer "how about an interlock that keeps it from going too dark when the car isn't in park?"
However, with this patent in place, what you'll actually have to find is someplace that said, before the priority date of the patent, oh, something like "adjustable windshields shouldn't be too dark to drive while driving", which combined with "when not driving, it is safe to adjust things to a state that would be unsafe while driving", and "for the purpose of determining if a car is being driven so that safety equipment can be properly configured, check to see if the car is in park" and "don't allow adjustable things to be in an unsafe-for-driving state while driving". Then it is "patently obvious" that you don't allow the windshield to go totally dark on you when the car is in gear. If you can't find something like that (and that first statement is going to be tough to find, given that no one is using such adjustable windshields yet), then it is not "obvious". Obviously!
You could probably get a patent through that built upon this patent by including a light sensor to determine how dark to let the windshield get while driving (except I just invented it). Hey, I just created prior art!
Totally missing the point. This wasn't an ISP blocking VOIP, it was a phone company blocking another phone company's calls, because the other phone company happens to be a VOIP carrier. The FCC does have the right to require all phone companies to carry all traffic from all other companies, otherwise any of the large phone companies could put all the smaller ones out of business. The phone network doesn't work if each individual company gets to decide which calls to carry.
Similarly, there SHOULD be regulations on an ISP to prevent this type of thing. AOL shouldn't be able to, for example, block access to Google because they signed a deal with Microsoft to use their search engine, or block e-mail from or to anyone using Earthlink in an attempt to drive them out of business. A small ISP with local competition couldn't get away with something like that, they'd simply go out of business, but in an area where you have only one choice of ISP for cable Internet access, the consumer needs protection from bully-boy policies.
Look at it from the other side. "The Internet" shouldn't allow an ISP to connect to it unless they agree to carry all traffic, with any exceptions very carefully spelled out (denial-of-service, SPAM blocking, etc). Why should an ISP have the right to not carry traffic, yet gain the benefits of connecting to the Internet? If they want to set up their own private network, they can do what they want, as long as they allow either all or nothing to "The Internet" itself.
We, the customers, actually have paid for that research and development many times over. The phone companies are getting their fair share for carrying internet traffic on their phone lines, and they get their fair share for carrying the voice traffic at the local end of a VOIP call. They may not like it that they don't get as huge a profit as they're used to, but if they'd just stop whining and crying, they should be able to compete just fine. After all, the big telephone companies have the majority of the available bandwidth around the country. They don't have to worry about competition from satellites. It's not like a small startup company can easily just start laying down cable all over the country and somehow be able to have lower costs than the existing telephone companies while doing so. Ok, so they have a lot of money invested in using those communications lines as switched circuits, with all the switching gear all set up. If VOIP is really that much of a threat, they should just start offering it themselves, for example as a long-distance option while still using your regular landline.
Port 587, listed as "submission" in my /etc/services file. Every ISP should enable the MSA port on their mail server and encourage everyone to use it. The protocol is almost identical to SMTP, except that it requires you to authenticate. They should also enable encryption on that port. SMTP-after-POP is a horrible kludge.
Attempting to hit someone IS assault. Threatening to hit someone is assault. Actually hitting them is battery. Attempted battery (assault) is a crime. I'm not sure what attempted assault would be (I tried to call you on the phone to threaten you, but the line was busy?).
So if someone is walking around downtown with a shotgun, saying "I'm seriously thinking of shooting someone, do you think I should shoot you?" to everyone he meets - the cops should just sit back and wait until he DOES shoot someone? I mean, there's no crime there, all he's doing is asking people questions, right?
Even better, just have it start making some sound (a siren, alarm clock ringing, telephone ringing, whatever). On Mac OSX (maybe just in 10.3, not sure if you can do it in earlier versions), there's a "say" command which uses text-to-speech - just put it in a loop: say "Help me, I'm lost" every 10 seconds or so.
Right, when using the TCP option, it doesn't use the corrected time, but when using the ICMP timestamp request, it does. So NTP helps with one of the methods (or just blocking that request would take care of it as well). One mistake several people are making (not you) is that NTP adjusts to the skew of the clock - once it has been running for long enough to get an accurate estimate of how far off your clock is, it doesn't need to "synch up" all the time, as the corrected clock will be very close to accurate all by itself, with only minor drifting.
Other than simply blocking the TS option in TCP packets (so both sides think that the other side doesn't support it, even if requested), or using NTP (and making the timestamp use the corrected clock), another technique would be to have a per-socket skew - use a biased distribution (so the real value doesn't come out if you average enough different sessions) and offset the reported timestamp so you have a slightly fast or slow running clock. Keep the same distribution bias until reboot, then choose another one (on the assumption that the underlying clock will be reset, new skew corrections figured out, etc). The adjusted timestamp value should NOT be affected by the system clock being changed or corrected - you want all of the sessions to appear to be independent. Use the raw hardware clock, adjusted by a fixed (per-socket) skew - with new skews/offsets being biased off of an NTP-mediated base skew/offset (so you're generating an offset from a hardware clock with progressively less skew). This also would help with the attack method detecting virtual hosts.
Where this would appear to be more of a problem is taking the technique further. Measuring the granularity of timestamp jumps, response times to requests, down to the nanosecond range, would ignore any attempt to skew the results. You'd need to have the underlying clocks (real-time and processor) adjustable, and use a strong-random drift to it - and even then, with enough samples you could still measure the granularity of the drift. If you use a non-digital method, you'll end up with a fingerprint of the analog portion. The only defense is to decrease the granularity you can control things so low that it becomes very difficult to measure accurately (requires an unrealistic number of samples). Adding extra intentional jitter at every level you can helps, though.
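The per-socket skew idea from the comment above, as an added simulation (not the commenter's code): an observer fits a least-squares slope to each session's timestamps, first against the raw clock and then against sockets whose skew is drawn around a fixed per-boot bias. The 37 ppm hardware skew, the 1000 Hz tick rate, the Gaussian distribution and the names `SkewMasker`, `estimate_skew_ppm` and `survey` are assumptions chosen for illustration.

```python
import random
import statistics

TRUE_SKEW_PPM = 37.0   # constructed value: this host's real hardware clock skew
TS_HZ = 1000           # assumed timestamp tick rate (ticks per second)


def hardware_clock(t):
    """Raw, uncorrected hardware clock reading (seconds) at true time t."""
    return t * (1.0 + TRUE_SKEW_PPM * 1e-6)


def unmasked_socket():
    """Baseline: every session reports the raw hardware clock."""
    def tsval(t):
        return int(hardware_clock(t) * TS_HZ) & 0xFFFFFFFF
    return tsval


class SkewMasker:
    """Per-socket skew drawn around a bias that stays fixed until reboot."""

    def __init__(self, bias_ppm, spread_ppm, rng):
        self.bias_ppm = bias_ppm
        self.spread_ppm = spread_ppm
        self.rng = rng

    def open_socket(self):
        # Fixed for the life of the socket, so each session looks like
        # one steady (but different) clock.
        skew = self.rng.gauss(self.bias_ppm, self.spread_ppm) * 1e-6
        offset = self.rng.randrange(1 << 32)

        def tsval(t):
            ticks = int(hardware_clock(t) * (1.0 + skew) * TS_HZ)
            return (ticks + offset) & 0xFFFFFFFF
        return tsval


def estimate_skew_ppm(tsval, duration=600, step=1.0):
    """Observer's view: slope of (reported - true) time against true time."""
    times = [i * step for i in range(int(duration / step))]
    first = tsval(times[0])
    # Differences are taken modulo 2**32 so counter wraparound is handled.
    offsets = [((tsval(t) - first) & 0xFFFFFFFF) / TS_HZ - t for t in times]
    mean_t = statistics.fmean(times)
    mean_o = statistics.fmean(offsets)
    num = sum((t - mean_t) * (o - mean_o) for t, o in zip(times, offsets))
    den = sum((t - mean_t) ** 2 for t in times)
    return num / den * 1e6


def survey(make_socket, sessions):
    """Mean and spread of the skew an observer measures across sessions."""
    estimates = [estimate_skew_ppm(make_socket()) for _ in range(sessions)]
    return statistics.fmean(estimates), statistics.pstdev(estimates)


if __name__ == "__main__":
    print("raw clock     mean/sd ppm:", survey(unmasked_socket, 20))
    masker = SkewMasker(bias_ppm=-60.0, spread_ppm=25.0, rng=random.Random(1))
    print("per-socket    mean/sd ppm:", survey(masker.open_socket, 200))
```

Averaging many masked sessions converges on the true skew plus the boot-time bias rather than on the true skew, which is the reason the comment gives for biasing the distribution.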
Perhaps in the future you could make it easier to determine what you are quoting and where your own comments are. See, for example, the <blockquote> tag, or use the <i> tag to offset what you're quoting.
When you say that patents are better because you can engineer around them predictably, but with copyrights you never know where you stand: you can't engineer around a patent when it is as broad as many of the "bad software patents" that have been brought up. Maybe this is just because the PTO is issuing patents that are broader than they should be, but that's the reality we have right now. Some of the patents are about at the level of a patent that protects "the process of compressing information being sent over a communications channel" - you can not patent around that - ANY form of compression would be covered by such a patent. The RSA patent was basically held to cover ALL public-key encryption, even when it wasn't the prime-number algorithm they actually implemented. Many improvements to it were kept from being used for 20 years until the patent expired.
With copyrights, on the other hand, all you have to do is write your own software and you aren't guilty of copyright infringement. You can't accidentally infringe copyright (George Harrison notwithstanding). Even if you come up with something that is "too close" to someone else's code, if it can be shown that you implemented it independently without having access to the allegedly infringed-upon code, then it isn't copyright violation. With patents, you'll never know, with copyright you're pretty damned sure.
SRP would do this (although normally with SRP you don't want the host to ever have your password, for an initial contact this could work - then you change your password securely to something else that the host doesn't know). With SRP, if the host can validate your password, that validates the host as well. Since the real host doesn't get any information about the password when you authenticate, neither does a hostile system that hijacks the authentication.
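The mutual-authentication property described in the comment above, as an added example (not the commenter's code): a minimal SRP-6a exchange in which a host holding the enrolled verifier is accepted by the client and an impostor holding a guessed verifier is rejected. The toy group (the prime 2**255 - 19 with g = 2), the hash layout and the names `enroll`, `Host`, `Impostor` and `login` are assumptions for illustration; real deployments use a vetted group such as those in RFC 5054.

```python
import hashlib
import hmac
import secrets

# Toy group, an assumption for this example only: the prime 2**255 - 19, g = 2.
N = 2**255 - 19
g = 2


def H(*parts):
    """Hash length-prefixed parts (int, str or bytes) to an integer."""
    h = hashlib.sha256()
    for p in parts:
        if isinstance(p, int):
            p = p.to_bytes(32, "big")
        elif isinstance(p, str):
            p = p.encode()
        h.update(len(p).to_bytes(2, "big") + p)
    return int.from_bytes(h.digest(), "big")


k = H(N, g)  # SRP-6a multiplier


def same(a, b):
    """Constant-time comparison of two 256-bit proofs."""
    return hmac.compare_digest(a.to_bytes(32, "big"), b.to_bytes(32, "big"))


def enroll(user, password):
    """What the host stores: a salt and verifier v = g^x, never the password."""
    salt = secrets.token_bytes(16)
    return salt, pow(g, H(salt, user, password), N)


class Host:
    def __init__(self, salt, verifier):
        self.salt, self.v = salt, verifier

    def challenge(self, A):
        if A % N == 0:
            raise ValueError("illegal client value A")
        self.A = A
        self.b = secrets.randbelow(N - 2) + 1
        self.B = (k * self.v + pow(g, self.b, N)) % N
        return self.salt, self.B

    def _key(self):
        u = H(self.A, self.B)
        return H(pow(self.A * pow(self.v, u, N) % N, self.b, N))

    def prove(self, M1):
        """Return the host proof M2 only if the client's proof M1 checks out."""
        K = self._key()
        if not same(M1, H(self.A, self.B, K)):
            return None
        return H(self.A, M1, K)


class Impostor(Host):
    """Hijacks the login with a verifier built from a guessed password."""

    def prove(self, M1):
        K = self._key()
        # One run lets the impostor test exactly one guess, nothing more.
        self.guess_confirmed = same(M1, H(self.A, self.B, K))
        return H(self.A, M1, K)  # answers regardless, hoping to be believed


def login(user, password, host):
    """Client side. True only if the host proved it holds the verifier."""
    a = secrets.randbelow(N - 2) + 1
    A = pow(g, a, N)
    salt, B = host.challenge(A)
    if B % N == 0:
        raise ValueError("illegal host value B")
    u = H(A, B)
    x = H(salt, user, password)
    S = pow((B - k * pow(g, x, N)) % N, a + u * x, N)
    K = H(S)
    M1 = H(A, B, K)
    M2 = host.prove(M1)
    return M2 is not None and same(M2, H(A, M1, K))


if __name__ == "__main__":
    salt, v = enroll("alice", "correct horse")      # constructed credentials
    print("real host accepted:", login("alice", "correct horse", Host(salt, v)))
    fake = Impostor(*enroll("alice", "123456"))     # impostor's guess
    print("impostor accepted: ", login("alice", "correct horse", fake))
    print("impostor's guess confirmed:", fake.guess_confirmed)
```

The password never crosses the wire in either direction; the only thing a hijacking host learns from a run is whether its single guessed verifier was right.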
Sorry, you're wrong. A struct or union variable is not the equivalent of its address. An array variable is equivalent to a pointer to the first element of the array, but a struct is the whole thing. In fact, when you want an array to act as the whole thing, normally you do it by embedding it in a struct! About the only thing that cares that an array variable is different from a pointer-to-element value is the sizeof operator.
Passing a struct as an argument passes the value of the struct (by copying it), not the address. You have to explicitly take the address if you want to pass the address. Referencing the fields of a structure is done differently depending on whether the variable is a pointer to a structure or a structure itself (-> vs just a .). You can assign a struct variable to another struct variable (makes a copy, just as in the function call). Trying to assign a struct variable to a pointer-to-struct variable gives an error. Trying to compare two structs with == or != gives an error.
I've always wished C HAD made a struct variable equivalent to the address of the struct, and eliminated the -> operator entirely. Use *var to reference the entire struct for copying. The struct variable would be compatible with the struct, and also with the first field of the struct. For one thing, this would make changing a variable from being a struct to being a pointer to a struct be painless. Oh well, I guess it just might be a little late for this to be changed. Time to invent a new language which is exactly the same as C, except different.
Back on topic, what people seem to be missing is that this isn't a patent on the operation of an IsNot like operation. It is a patent on adding an IsNot binary operator to the BASIC language. The patent even defines it in terms of the Is operator, and how this is a convenience to the programmer, a way of writing it more concisely and with more clarity of meaning ("A IsNot B" instead of "Not (A Is B)"). So finding prior art in Java or C or anywhere else isn't relevant, just BASIC, and then only if it is a binary operator (so no IsNot(A, B) functions or macros). Much more likely to get this patent on "obviousness" than "prior art".
I'm surprised Microsoft isn't trying to patent the process of translating a BASIC program that uses IsNot into one that doesn't use it (translating "A IsNot B" into "Not (A Is B)"), thus preventing anyone from translating such a program, whether by hand or not. Once you use IsNot in a program, that program couldn't be translated to another vendor's BASIC for 20 years. And Microsoft calls the GPL viral!
Why would the "additional labor costs" make it not cost effective? You hire one person to put together boxes - let's say that costs you around $100,000 per year. That one person should be able to put together, test and image at least 4 boxes a day, or 1000 a year give or take. Granted, if you need 1000 all at once, you can't do it this way, but with a company with 3000 PCs, replacing 1000/year seems about typical. If you can save more than $100 per system buying components (and at 1000/year, you can get some level of volume discount from suppliers, even if not the same level that Dell would), you'll be saving money overall AND you won't be surprised by what you get when Dell changes components because they could save 20 cents. If you need fewer than that, then the person splits their time between putting together boxes and providing tech support.
No, actually I don't think they are cool, hi-tech and I want to use them to impress my friends.
I said they can be useful in certain situations. You then gave examples where they are being used, but that didn't match what I was describing. Unless you think that people shouldn't use biometrics when they are appropriate because it will make people think they can use them in other situations where they aren't appropriate, then I'm not sure why you brought up grocery stores, etc.
"who cares" is in response to a situation where the security in question, even if it is weak, is stronger than the other security already in existence.
You keep harping on fingerprints and how easy they are to fake - so what? Use something else that isn't as easy to fake, or at least not easy to fake without calling a lot of attention to yourself. Also, I do agree that you shouldn't use biometrics as an identifier - swipe a card, then use your thumbprint to authenticate - certainly more secure than swiping a card and signing with no signature verification. Include a photo log, and it becomes too risky for someone to go buy groceries after stealing your card and faking your thumbprint. Security is about making it not worth the risk, not about making it perfect.
Immigration/customs, entry to high security building with a guard looking on. As I said, needs (competent) human oversight, which none of your examples show.
Of course, even in cases where the biometrics can be bypassed, you have to look at the convenience vs. the security - and compare the cost of breaking that security against the damage that will be done if it is broken, as well as the cost of other ways of getting in. If, say, your PC can be easily booted up and your unencrypted data copied off without worrying about the fancy biometric security device, then the difficulty of spoofing that device is irrelevant. It's useful for keeping Junior from using your system, while allowing you to unlock your screen without having to type in a password. Big deal.
For a locker at a public place: no one is going to go through the expense of faking fingerprints, or facial heat patterns, or retinal prints, or whatever, just to get my bag of clothes and a couple books, probably not even my $2000 computer is worth the effort if the biometrics are any good (even without human oversight). Don't store your corporate data that's worth several million to a competitor, though. Don't do that even if they're using locker keys instead of biometrics.
Grocery store checkout - who cares? Easier to just steal the credit card info directly? Home entry? Probably easier to just break a window.
You're right that if there's good security throughout, an unsupervised biometrics device as the only security you need to break would be a mistake if you're guarding something of sufficient value. Have multiple levels, combined with tokens and passwords - require the password first, then the token, then the biometrics (from easy to most difficult to change), and set off alarms when authentication fails.
I think this boobie is one of the more natural looking ones found by that search!
Where this would appear to be more of a problem is taking the technique further. Measuring the granularity of timestamp jumps, response times to requests, down to the nanosecond range, would ignore any attempt to skew the results. You'd need to have the underlying clocks (real-time and processor) adjustable, and use a strong-random drift to it - and even then, with enough samples you could still measure the granularity of the drift. If you use a non-digital method, you'll end up with a fingerprint of the analog portion. The only defense is to decrease the granularity you can control things so low that it becomes very difficult to measure accurately (requires an unrealistic number of samples). Adding extra intentional jitter at every level you can helps, though.
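A simulation of the per-socket skew idea from the comment above, added here as an illustration and not code from the original post. The 1000 Hz timestamp rate, the 50 ppm hardware skew, the spread and bias ranges, and the least-squares estimator are all assumptions; the samples are constructed.

```python
import random

HZ = 1000  # assumed TCP timestamp rate, ticks per second

def tsval_samples(skew_ppm, rng, seconds=600, step=5, jitter_s=0.002):
    """Constructed (observer_time, TSval) pairs for one connection."""
    out = []
    for t in range(0, seconds, step):
        ticks = int(t * (1 + skew_ppm * 1e-6) * HZ)        # sender's skewed clock
        out.append((t + rng.uniform(0, jitter_s), ticks))  # network delay jitter
    return out

def estimate_skew_ppm(samples):
    """Least-squares slope of (sender clock - observer clock) over time, in ppm."""
    n = len(samples)
    xs = [t for t, _ in samples]
    ys = [ticks / HZ - t for t, ticks in samples]
    mx, my = sum(xs) / n, sum(ys) / n
    num = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    return num / sum((x - mx) ** 2 for x in xs) * 1e6

class SkewMasker:
    """Per-socket skew drawn around a bias that stays fixed until reboot."""
    def __init__(self, hw_skew_ppm, rng, spread_ppm=40):
        self.hw, self.rng, self.spread = hw_skew_ppm, rng, spread_ppm
        # Assumed policy: bias magnitude 30..100 ppm so averages miss the real skew.
        self.boot_bias = rng.choice([-1, 1]) * rng.uniform(30, 100)

    def socket_skew(self):
        return self.hw + self.boot_bias + self.rng.uniform(-self.spread, self.spread)

def observe(skews, rng):
    """Skew an outside observer would estimate for each connection."""
    return [estimate_skew_ppm(tsval_samples(s, rng)) for s in skews]

if __name__ == "__main__":
    rng = random.Random(7)
    masker = SkewMasker(hw_skew_ppm=50.0, rng=random.Random(11))
    plain = observe([50.0] * 5, rng)
    masked = observe([masker.socket_skew() for _ in range(5)], rng)
    print("unmasked:", [round(e, 1) for e in plain])
    print("masked:  ", [round(e, 1) for e in masked])
```

Without masking every connection yields the same estimate, which is the fingerprint; with masking the estimates scatter, and their average lands on the hardware skew plus the boot-time bias rather than on the hardware skew itself.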
Perhaps in the future you could make it easier to determine what you are quoting and where your own comments are. See, for example, the <blockquote> tag, or use the <i> tag to offset what you're quoting.
When you say that patents are better because you can engineer around them predictably, but with copyrights you never know where you stand: you can't engineer around a patent when it is as broad as many of the "bad software patents" that have been brought up. Maybe this is just because the PTO is issuing patents that are broader than they should be, but that's the reality we have right now. Some of the patents are about at the level of a patent that protects "the process of compressing information being sent over a communications channel" - you can not patent around that - ANY form of compression would be covered by such a patent. The RSA patent was basically held to cover ALL public-key encryption, even when it wasn't the prime-number algorithm they actually implemented. Many improvements to it were kept from being used for 20 years until the patent expired.
With copyrights, on the other hand, all you have to do is write your own software and you aren't guilty of copyright infringement. You can't accidentally infringe copyright (George Harrison notwithstanding). Even if you come up with something that is "too close" to someone else's code, if it can be shown that you implemented it independently without having access to the allegedly infringed-upon code, then it isn't copyright violation. With patents, you'll never know, with copyright you're pretty damned sure.
SRP would do this (although normally with SRP you don't want the host to ever have your password, for an initial contact this could work - then you change your password securely to something else that the host doesn't know). With SRP, if the host can validate your password, that validates the host as well. Since the real host doesn't get any information about the password when you authenticate, neither does a hostile system that hijacks the authentication.
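The mutual validation described in the comment above, sketched as an SRP-6a exchange with both sides in one function; this is an added example, not code from the original post. The demo group (2**521 - 1 with g = 3), the hash construction, the proof labels and the account data are assumptions chosen to keep it short.

```python
import hashlib
import secrets

# Assumed demo group: the Mersenne prime 2**521 - 1 with g = 3 keeps the listing
# short. Real deployments use a standardized safe-prime group (e.g. RFC 5054).
N, g = 2**521 - 1, 3

def H(*parts):
    """SHA-256 over length-prefixed parts, returned as an integer."""
    h = hashlib.sha256()
    for p in parts:
        b = p if isinstance(p, bytes) else str(p).encode()
        h.update(len(b).to_bytes(4, "big") + b)
    return int.from_bytes(h.digest(), "big")

k = H(N, g)

def make_verifier(user, password):
    """What the host stores: a salt and v = g^x, never the password itself."""
    salt = secrets.token_bytes(16)
    return salt, pow(g, H(salt, user.encode(), password.encode()), N)

def handshake(user, typed_password, host_salt, host_v):
    """One SRP-6a run. Returns (host_accepts_client, client_accepts_host)."""
    a = secrets.randbelow(N - 2) + 1                 # client secret
    A = pow(g, a, N)                                 # client -> host
    b = secrets.randbelow(N - 2) + 1                 # host secret
    B = (k * host_v + pow(g, b, N)) % N              # host -> client, with salt
    if A % N == 0 or B % N == 0:
        raise ValueError("degenerate public value")
    u = H(A, B)
    x = H(host_salt, user.encode(), typed_password.encode())
    K_client = H(pow((B - k * pow(g, x, N)) % N, a + u * x, N))
    K_host = H(pow(A * pow(host_v, u, N) % N, b, N))
    # Each side proves knowledge of the session key; the other side recomputes it.
    host_accepts = H("client", K_client, A, B) == H("client", K_host, A, B)
    client_accepts = H("server", K_host, A, B) == H("server", K_client, A, B)
    return host_accepts, client_accepts

if __name__ == "__main__":
    salt, v = make_verifier("alice", "correct horse")          # constructed account
    print("real host:   ", handshake("alice", "correct horse", salt, v))
    fake_salt, fake_v = make_verifier("alice", "attacker guess")
    print("hostile host:", handshake("alice", "correct horse", fake_salt, fake_v))
```

A host that holds the right verifier ends up with the same session key as the client, so both proofs check out; a host without it fails its own proof, and the values it saw (A and the client's proof) do not reveal the password directly.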
Sorry, you're wrong. A struct or union variable is not the equivalent of its address. An array variable is equivalent to a pointer to the first element of the array, but a struct is the whole thing. In fact, when you want an array to act as the whole thing, normally you do it by embedding it in a struct! About the only thing that cares that an array variable is different from a pointer-to-element value is the sizeof operator.
Passing a struct as an argument passes the value of the struct (by copying it), not the address. You have to explicitly take the address if you want to pass the address. Referencing the fields of a structure is done differently depending on whether the variable is a pointer to a structure or a structure itself (-> vs just a .). You can assign a struct variable to another struct variable (makes a copy, just as in the function call). Trying to assign a struct variable to a pointer-to-struct variable gives an error. Trying to compare two structs with == or != gives an error.
I've always wished C HAD made a struct variable equivalent to the address of the struct, and eliminated the -> operator entirely. Use *var to reference the entire struct for copying. The struct variable would be compatible with the struct, and also with the first field of the struct. For one thing, this would make changing a variable from being a struct to being a pointer to a struct be painless. Oh well, I guess it just might be a little late for this to be changed. Time to invent a new language which is exactly the same as C, except different.
Back on topic, what people seem to be missing is that this isn't a patent on the operation of an IsNot-like operation. It is a patent on adding an IsNot binary operator to the BASIC language. The patent even defines it in terms of the Is operator, and how this is a convenience to the programmer, a way of writing it more concisely and with more clarity of meaning ("A IsNot B" instead of "Not (A Is B)"). So finding prior art in Java or C or anywhere else isn't relevant, just BASIC, and then only if it is a binary operator (so no IsNot(A, B) functions or macros). Much more likely to get this patent on "obviousness" than "prior art".
I'm surprised Microsoft isn't trying to patent the process of translating a BASIC program that uses IsNot into one that doesn't use it (translating "A IsNot B" into "Not (A Is B)"), thus preventing anyone from translating such a program, whether by hand or not. Once you use IsNot in a program, that program couldn't be translated to another vendor's BASIC for 20 years. And Microsoft calls the GPL viral!
Why would the "additional labor costs" make it not cost effective? You hire one person to put together boxes - let's say that costs you around $100,000 per year. That one person should be able to put together, test and image at least 4 boxes a day, or 1000 a year give or take. Granted, if you need 1000 all at once, you can't do it this way, but with a company with 3000 PCs, replacing 1000/year seems about typical. If you can save more than $100 per system buying components (and at 1000/year, you can get some level of volume discount from suppliers, even if not the same level that Dell would), you'll be saving money overall AND you won't be surprised by what you get when Dell changes components because they could save 20 cents. If you need fewer than that, then the person splits their time between putting together boxes and providing tech support.
No, actually I don't think they are cool, hi-tech and I want to use them to impress my friends.
I said they can be useful in certain situations. You then gave examples where they are being used, but that didn't match what I was describing. Unless you think that people shouldn't use biometrics when they are appropriate because it will make people think they can use them in other situations where they aren't appropriate, then I'm not sure why you brought up grocery stores, etc.
"who cares" is in response to a situation where the security in question, even if it is weak, is stronger than the other security already in existence.
You keep harping on fingerprints and how easy they are to fake - so what? Use something else that isn't as easy to fake, or at least not easy to fake without calling a lot of attention to yourself. Also, I do agree that you shouldn't use biometrics as an identifier - swipe a card, then use your thumbprint to authenticate - certainly more secure than swiping a card and signing with no signature verification. Include a photo log, and it becomes too risky for someone to go buy groceries after stealing your card and faking your thumbprint. Security is about making it not worth the risk, not about making it perfect.
Immigration/customs, entry to high security building with a guard looking on. As I said, needs (competent) human oversight, which none of your examples show.
Of course, even in cases where the biometrics can be bypassed, you have to look at the convenience vs. the security - and compare the cost of breaking that security against the damage that will be done if it is broken, as well as the cost of other ways of getting in. If, say, your PC can be easily booted up and your unencrypted data copied off without worrying about the fancy biometric security device, then the difficulty of spoofing that device is irrelevant. It's useful for keeping Junior from using your system, while allowing you to unlock your screen without having to type in a password. Big deal.
For a locker at a public place: no one is going to go through the expense of faking fingerprints, or facial heat patterns, or retinal prints, or whatever, just to get my bag of clothes and a couple books, probably not even my $2000 computer is worth the effort if the biometrics are any good (even without human oversight). Don't store your corporate data that's worth several million to a competitor, though. Don't do that even if they're using locker keys instead of biometrics.
Grocery store checkout - who cares? Easier to just steal the credit card info directly? Home entry? Probably easier to just break a window.
You're right that if there's good security throughout, an unsupervised biometrics device as the only security you need to break would be a mistake if you're guarding something of sufficient value. Have multiple levels, combined with tokens and passwords - require the password first, then the token, then the biometrics (from easy to most difficult to change), and set off alarms when authentication fails.