Re: This is absolutely ludicrous.. on Usenet Gag Order · Score: 1
I guess we know who was sleeping when they did all that talk about the "first amendment" and "freedom of speech" during law school.
The first amendment starts with "Congress shall make no law....". It doesn't really apply to Usenet, as Usenet isn't controlled by the US government.
No matter how offensive or stupid the speech, it's not up to the government to censor it.
That's of course utter bollocks. Perhaps you should have paid more attention during law school. Ever heard of something called libel? Freedom of speech is not an argument. Please read the article again. Death threats were being made. That's a felony, and you cannot shove that under the carpet labelling it as "freedom of speech".
The first amendment makes it illegal for the US Congress to prohibit Usenet. It doesn't grant you the right to disrupt the flow of events in any newsgroup, or to pose death threats. Your freedom ends where it hits the freedom of someone else. ;-)
Congress shall make no law respecting an establishment of religion, or prohibiting the free exercise thereof; or abridging the freedom of speech, or of the press; or the right of the people peaceably to assemble, and to petition the government for a redress of grievances.
The intention of this first amendment is to give citizens the right to criticize their government. It doesn't give them the right to harass others.
There are laws about what you can and cannot do in normal life. Usenet isn't much different.
The NSA is essential for fighting terrorism. The US is extremely vulnerable domestically and overseas. You can debate the ethics of their methods, but they are a very very necessary org.
You might be right. You might be wrong. The problem with statements like yours is that they are utterly useless without some data to back them up.
Terrorism is bad. Having organizations fighting terrorism is potentially good. I can understand that certain things such an organization does ought to be kept a secret for some time. However, there's no need to be secretive about how much terrorism you have prevented, or what your yearly budget is.
Furthermore, there is something fishy about government organisations having patents. Research leading to a new way of doing something was paid with tax money; the results should be available for everyone. (After all, that's why X and BSD are available; being developed with tax money, it couldn't be licensed (yes, I know, derivatives are))
OTOH, patents make that the description of the technique is available. That's better than not having anything at all. I can see good uses for automatic classification of speech, which have nothing to do with spying business. Street interviews, hotlines, court sessions (although the latter is already being transcribed), to name a few.
While I don't agree with every detail mentioned in the article, it could have been much worse. Given they only have limited space to explain things, they did a decent job.
They are a bit braver than I thought. If I compile a new kernel, I first copy the kernel to a floppy disk, boot from the floppy disk, check if the important things still appear to work (vi, ppp, telnet, perl, mail, and news - nothing else is really important) and only then I tell lilo about the job I did.
And if using morphing to end a war saved lives, would that be a crime too?
I'm sure that if you during the next war against Saddam morph an image such that the war ends quickly with Saddam being the "winner" - with only 50,000 US soldiers killed, instead of the expected 200,000 dead Iraqis and a US victory, Uncle Sam won't be pleased with you - even if you "saved" 150,000 lives.
Remember, everyone is equal, but some are more equal than others.
Certainly... Gen. Evil Criminal sends an encrypted message carved into a turnip to his trusted Lieutenant ordering the killing of all held prisoners of war.
Too far fetched. Serving turnips to POWs, and calling it food is a crime.
Choose some random number of consecutive PI digits starting at some random place in PI.
For UNIX style passwords, that only gives 100M different passwords [1]. It took a Perl script on my computer 89 seconds to crypt 1M passwords. Extrapolating means less than 3 hours to crack your password, given your entry in /etc/passwd or /etc/shadow.
At the end of every week, repeat process.
With 168 hours in a week, and on average, less than 1.5 hours to crack your password - that means your account is insecure 99% of the time! ;-)
[1] Of course, this is only true if you have a big enough file with digits of pi. If you only have 1M digits of Pi, well, then you have at most 1M passwords. Estimated cracking time: 1-2 minutes, depending on the hardware.
The good thing about Shakespeare as a source for lines is that there are thousands of them, so even if someone knows your method, it doesn't really help, and many of the lines are very easy to remember.
Given your method, it doesn't take more than half an hour to write a Perl program that takes all the works of Shakespeare and adds passwords constructed based on first letters to a crack database. "Thousands of them" doesn't really impress a modern version of crack.
Could you reasonably expect people to hold onto an iButton or a CD?
That would even be less secure than an ATM card. With an ATM card, you still need a password - the PIN. Granted, 10000 numbers isn't much, but it's still better than nothing.
Losing an iButton is worse than not being able to remember a password - not only can't you login, but someone else pretending to be you can.
Yeah, back in 1994/1995, till development stopped. It was a nice toy. Did tables before Netscape did. Had MATH and FIG. Had stylesheets in the time Netscape's biggest "feature" was the bug allowing you to flash the background, and MSIE wasn't there yet.
But it was pretty unstable. It would often lock up. However, some company seems to have taken the sources and restarted development.
Rather than grouping files by program, it groups them by function. (/etc, /usr, /var, /bin)
Yeah, and /bin is for binaries, right? Then what are /sbin, /usr/bin, /usr/sbin, /usr/local/bin, /usr/X11R6/bin, /usr/X11/bin, /usr/bin/X11 for? And why do I find binaries in /opt? Why the fsck do I find qmail binaries in /var? (Don't bother answering, I do know). Or try explaining lib dirs. See, /usr is for user programs, and /usr/X11 is for user programs related to X, so its libraries are in /usr/X11/lib, simple, isn't it? What do you say? What /usr/X11/lib/X11 is for? Well, that's for X stuff of the libraries of the X stuff. And yes, /usr/X11/lib/X11/lib is for the libraries of the X stuff of the libraries of the X stuff. (And don't forget to replace one of those X11's with openwin to find it on your Solaris box).
There might be a grand scheme behind the Unix filenaming system that makes sense. In the 15+ years that I've worked with Unix, I haven't found a single implementation that actually did. Or two that were comparable. And unfortunately, Linux distros are the worst of all. (Although Solaris symlinking of /bin to /usr/bin is very evil)
I've been using Linux for around 8 years now, since long before v1.0 of the kernel (in fact I think it was v.89something)
8 years ago was 1991, the same year Linus started the project. There was never a version 0.89. According to the archives of ftp.kernel.org, Linux jumped from version 0.12 of Jan 1992 to 0.95 of March 1992 (whose gzipped tarfile is less than 1% of the size of the one of 2.2.13).
Five years ago, I was doing contract programming for Linux... I first started using Linux a year or so before that.
That would be 6 years ago, 1993.
I knew goofs who were capable of getting it running back in 1993.
Does that mean that when you started with Linux, some "goof" had to get you started?
There were already halfway decent installs four years ago.
And before that as well. I've been using Linux since early 1993, and my first distribution was SLS, ftp-ed on a stack of floppy disks. A full install (including X, but no emacs) in about 130 Mb. Just over half of my "large" 225 Mb disk. But SLS wasn't anywhere near halfway decent. I switched to slackware later that same year, an even bigger pile of floppy disks.
Fast, Faster, Fastest, Stable and Standards compliant. These other things that will return Netscape back to prominence on the desktop.
That's very very funny! You do realize that Netscape gained its marketshare by shitting all over the standards, don't you? I think the day Netscape dies should become an official day of celebration. Too bad the company didn't die 5 years ago.
Personally, I don't think anything useful could come out of a company that after 5 years still isn't able to produce a browser that can parse comments correctly.
For many "personal" accounts (Unix user accounts, root password on my personal box, mud passwords) I've used the same scheme to build a password, consisting of a group of characters from a related set, and some punctuation. It has been subject to crack attacks by several admins, numerous times, and it has never been cracked.
For admin accounts (except for some reason, I've never subjected a root account to this), and some websites, I often base passwords on lines of songs I like. For instance, the first letters of each word; if there aren't enough letters, punctuation, and/or the artist's initials help. And often, instead of using the real line, I substitute one or more words. ;-)
Sybase SA accounts are a lot easier. Sybase gives you up to 30 characters, so no 8 character limit. My favourite tactic there are plays on names related to the town I was born; given the fact that all Sybase servers I've worked with were behind firewalls in environments no one else was coming from the same country I was born in, that was pretty safe.
Root passwords are a different matter. Except for personal boxes, root passwords are often shared between people, so deciding on them is a different manner; you can't just use your favourite strategy.
And sometimes, you don't really care. For instance, slashdot mails your password, and your password goes in plain text to slashdot when you log in. Not that I could really care if someone used my password - slashdot is pretty close to the end when it comes to important things. For such passwords, I just keep them in a file, and cut-and-paste, although my current slashdot password has a certain rhythm that makes it easy to remember.
Oh, one word of advice. Don't suggest in a (root) password things that aren't true. In a previous workplace, we had 2 sun E3000's next to each other, sharing a console using a switchbox. One weekend, I came in to change the tape drive of one of the machines. The root password of the machine suggested it was the machine to the left. I logged in and halted the system. Then I turned the key of the left machine, and wondered why the screen didn't go blank. When my pager went off 30s later to notify me which machine was down I realized what I had done.....
this is one thing I hate about the slashdot moderation system. The knee-jerkish reactions (though not horribly written) get moderated quickly to the top(+4/5)
That's because the average person visiting slashdot doesn't have a clue. And all that requires to be a moderator is visiting slashdot often enough. It's called "peer review" - precisely what you get if your peers don't have much of a clue... Compared to Slashdot, Usenet is an ocean of geniuses....
How does this differ from, say, box scores being a representation of a baseball game? Isn't there a long-standing tradition that it is perfectly legitimate to summarize and report on events that occurred in a public place?
Universities are usually not public places. You might be able to sneak into some lectures if the class is big, but in general you cannot attend lectures unless you're a student or have some other agreement with the university.
Furthermore, I don't think you can tape a ball game, and then show it to a large audience, making money from the commercials you throw in.
I don't know about you, but when I was in school note taking was not a process of copying verbatim the professor's words. Rather, it was a process where I listened intently to what the professor said, jotted down key words, phrases, statements, and then later on that day or evening, composed those fragments into a semi-coherent, logically structured grouping of thoughts.
I agree, what you then compose is your own work, and you probably own the copyright on it. What you are doing is journalism.
I can still imagine professors having a problem with this. We all know what bad journalism can do (how often does slashdot see a discussion triggered by bad journalism?). What if you do your best, write nice, coherent, logically structured groups of thoughts, and it's just plain wrong? Or it comes out as if the professor made a difficult and hard to understand lecture, while (s)he didn't? Suppose a professor gave a nice lecture, but there was a bad note taker, posting her notes on a website, suggesting the professor didn't know his stuff real well. Can the professor and/or university take action? Who's going to pay for that? Should professors be afraid that bad note takers in their classes give them an undeserved bad reputation?
This is somewhat analogous to the engineer who works for some company and has to sign NDAs, etc. But it's not exactly the same. The NDAs and things that the engineer has to sign apply to company secrets. But at a university, the vast majority, if not all, of what you're learning is public knowledge, not trade secrets. Thus the university doesn't have any rights to the knowledge that you possess. If you feel like sharing your knowledge, in the form of notes or anything else, that is your right.
Yeah, but you have to be careful with that. You don't want to push the universities/professors in a corner where they opt for *not* sharing *their* knowledge with the students. (Professor: uhm, why should I waste my precious time teaching those kids? All I teach them is public knowledge anyway - let them learn it themselves from a book, or one of those websites that publish notes...)
For which war would that be? The war against spammers?
-- Abigail
Here's a little trick that will allow you to store all your
passwords in a plain text file, or a piece of paper. For
the sake of the explanation, assume passwords consist of
numbers (but it generalizes to any alphabet). Start with a
table like below:
X|0 1 2 3 4 5 6 7 8 9
-+-------------------
0|0 1 2 3 4 5 6 7 8 9
1|1 2 3 4 5 6 7 8 9 0
2|2 3 4 5 6 7 8 9 0 1
3|3 4 5 6 7 8 9 0 1 2
4|4 5 6 7 8 9 0 1 2 3
5|5 6 7 8 9 0 1 2 3 4
6|6 7 8 9 0 1 2 3 4 5
7|7 8 9 0 1 2 3 4 5 6
8|8 9 0 1 2 3 4 5 6 7
9|9 0 1 2 3 4 5 6 7 8
Pick a secret key, as long as your password(s). This is the
only key you need to remember and keep a secret. Say, your
secret key is "14769134". Now you have a new password, say
"34987629". Encrypt this using the key on a digit by digit
basis, by using both digits as an index in the table, and
writing down the value. So, 1+3 -> 4, 4+4 -> 8, 7+9 -> 6,
etc. Or:
Password:  34987629
Key:       14769134
           -------- +
Encrypted: 48646753
Write down "48646753" on a piece of paper and stick it on your
monitor.
Decryption is as follows: this goes on a digit by digit basis
as well. The first digit of the key is `1', the first digit of
the encrypted password is `4'. Look in the column marked `1',
drop till you hit `4', then go left. This gives `3'. Etc, or:
Encrypted: 48646753
Key:       14769134
           -------- -
           34987629
Alternatively, find the inverse of the key ("96341976") and use
the encryption algorithm to decrypt it.
You can encrypt as many passwords as you want this way, all encrypted
using the same key. This remarkably simple algorithm can easily be done
by hand; print out the conversion table and encrypted passwords,
decrypt letter by letter, and type the decrypted letters in as you
decrypt them.
If the passwords are picked randomly over the set of all possible
passwords, and no password has been compromised, there's no way of
cracking this encryption scheme, as any possible password
will have a unique key that decrypts the encrypted password to that
possible password.
Of course, once a single password gets compromised, the key is trivially
found, and all other passwords will fall as well.
-- Abigail
(*grumble* Slashdot screwed up the formatting. If only they would allow the PRE element....)
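The scheme in the comment above, as an added Python example (not part of the original post): it reproduces the comment's key, password, ciphertext and inverse key, then shows the two consequences of reusing one key, namely that one known password yields the key and that subtracting two stored ciphertexts cancels the key. The second password, the "site A"/"site B" labels and all function names are constructed for illustration.

```python
"""Digit-wise mod-10 password cipher: the addition table done in code."""

DIGITS = "0123456789"


def _check(a: str, b: str) -> None:
    # Both inputs must be non-empty ASCII digit strings of the same length.
    if not a or len(a) != len(b) or any(c not in DIGITS for c in a + b):
        raise ValueError("inputs must be digit strings of equal length")


def add(a: str, b: str) -> str:
    """Table lookup from the comment: digit-wise (a + b) mod 10."""
    _check(a, b)
    return "".join(str((int(x) + int(y)) % 10) for x, y in zip(a, b))


def sub(a: str, b: str) -> str:
    """'Look in the column, drop, go left': digit-wise (a - b) mod 10."""
    _check(a, b)
    return "".join(str((int(x) - int(y)) % 10) for x, y in zip(a, b))


def encrypt(password: str, key: str) -> str:
    return add(password, key)


def decrypt(ciphertext: str, key: str) -> str:
    return sub(ciphertext, key)


def inverse(key: str) -> str:
    """Key that decrypts when fed to the *encryption* routine."""
    return sub("0" * len(key), key)


def recover_key(ciphertext: str, known_password: str) -> str:
    """One compromised password plus its stored ciphertext gives the key."""
    return sub(ciphertext, known_password)


def demo() -> dict:
    key = "14769134"                      # key from the comment
    passwords = {
        "site A": "34987629",             # password from the comment
        "site B": "20571846",             # constructed sample value
    }
    # What ends up on the piece of paper stuck to the monitor.
    note = {site: encrypt(pw, key) for site, pw in passwords.items()}

    # "site A" leaks: the key falls out, and with it every other entry.
    leaked_key = recover_key(note["site A"], passwords["site A"])
    recovered = {site: decrypt(ct, leaked_key) for site, ct in note.items()}

    # Even with no leak, the key cancels between two entries on the note:
    # (p1 + k) - (p2 + k) = p1 - p2, so the digit-wise difference of the
    # two passwords is readable by anyone who sees the paper.
    difference = sub(note["site A"], note["site B"])

    return {
        "note": note,
        "leaked_key": leaked_key,
        "recovered": recovered,
        "difference": difference,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

With uniformly random passwords the leaked difference identifies neither password on its own, which matches the comment's claim; it matters once one of the two is guessable or chosen by a person.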
UNIX style passwords are hopelessly insecure.
-- Abigail
"Leeting" passwords has been part of crack algorithms for eons, hasn't it?
-- Abigail
Is that why phone numbers in the US have 7 digits for the local part? Because hardly anyone can remember a phone number that includes an area code?
-- Abigail
Does that work if you have 40 passwords to remember, some of them you haven't used for half a year?
-- Abigail
Of course, this is really off-topic.
-- Abigail
How many note-taking students do not regularly copy verbatim what a professor writes on a blackboard?
-- Abigail
The ownership isn't the point. I own all the books on my bookshelves, but that doesn't grant me the right to publish the text of those books on a web site.
The question is, who owns the copyright?
-- Abigail