Instead of going after some silly computer cracker, why aren't they using this Patriot act to find out who outed Valerie Plame as a CIA agent, in retaliation for her husband criticizing Bush about lying in his SOTU address about uranium from Niger and starting a war?
Funny how they're treating the suspects in that case with kid gloves, even though quite a few journos know exactly who the leakers are.
Richard was part of the POSIX committee and did a nontrivial amount of technical work on the POSIX standard, though he wasn't one of the main forces. He also fixed a lot of problems in the draft ANSI C standards, by implementing GCC (which would become the first ANSI C compiler) and discovering that various stuff specified in the drafts was unworkable. The emails between him and the committee from that period are amusing, and he later (iirc) joined the committee.
There's some MIT AI lab memo describing the lisp machine file system. Crashproof just means it writes out the metadata in the right order so the FS on the disk is always in a consistent state. That way you don't have to fsck on restart if the system crashes. The cost is a few more disk operations on file activity.
Only US flights (including international flights entering or leaving the US) were grounded. And the US was still doing some flying (military and government flights, including the one that took Osama Bin Laden's relatives back to Saudi Arabia). But yeah, US commercial traffic is a big chunk of total worldwide air traffic.
I remember an old 16-bit FORTH implementation whose symbol table only used the first and last letter of each symbol, lowering storage and computation requirements on those tiny machines. So FOOBAR and FEATHER would be the same variable. Somehow it worked out ok though, at least for small programs, which was the only kind you could fit in memory anyway.
Those port blockages (except for maybe 25) are workarounds for ridiculous MSFT security bugs. The proposal is that ISPs install blocks to work around the bugs. Shouldn't MSFT clean up its own mess?
I've never been asked for my home address or DOB when buying a plane ticket. If the purchase is on someone else's credit card (e.g. it's for work), my address isn't connected with the ticket at all. On boarding, they look at my ID but they don't currently write down any of the data. Are they going to start doing that, and need online realtime access to some terror database? That will make the existing boarding hassles so much worse.
There was a guy named Jim Bell who wanted to set up betting parlors similar to Poindexter's. You could make anonymous bets like "I love , and I bet $1 million that he'll still be in office in 3 months". Of course that amounts to ordering a hit on that politician, since it invites someone to (anonymously) bet against you, rub out the politician, and collect the $1M in untraceable digital cash.
Bell is now in jail, supposedly for stalking an IRS agent, but the trial was something of a cause celebre for cypherpunks.
Type "Jim Bell" and "Assassination Politics" into Google for more details. Muldrake was the first I know to point out the similarity between Bell's scheme and Poindexter's terror casino.
User input works by the voter putting a smart card into the machine and making selections. A non-cheating voter is supposed to use a smart card provided by the election officials, but a cheating voter can bring her own maliciously programmed card. The security paper described how such a card could be programmed. That is a serious vulnerability.
I think they should run a "Black Hat voting" election at DefCon. They would announce in advance that they're going to use Diebold machines to elect the Evil Overlord of the Cracker Universe, with voters encouraged to try to cheat the machines, and the election would be run with the same so-called safeguards as a real election. I bet the results would make Diebold's "rebuttal" look pretty silly.
Yes, that's what I mean. I'm speaking from the point of view of someone using the CLIENT. Server admins do change keys every now and then, for whatever reasons they have. It's pretty typical, if you screw around with a server configuration, to end up generating new keys. At the client end I just see a bunch of hex numbers and have no idea whether they're legit or not.
The solution is to use a certificate system with carefully maintained CA roots. For that matter, just run telnet over SSL, or stunnel if you want port forwarding. That stuff existed and worked fine long before SSH came onto the scene. I just don't understand why SSH got to be so popular.
The registrar I use (jumpdomain.com) has a clever hack for despamming WHOIS contact email. Basically they change your published contact address once a week. The published address is automatically generated, looks like gibberish, and forwards to your real address. If someone wants to contact you by looking up your address by WHOIS and writing to you, it works fine. But if they add the address to a mailing list, it stops working in a week. That has eliminated almost all my WHOIS spam. Good scheme.
It's always seemed to me like the height of irresponsibility that SSH makes no attempt at server authentication except for displaying those hex numbers that no one has a convenient way to check and that change every so often anyway. The CA system used in web browsers isn't perfect and lends itself to a bunch of corporate rip-off certificate selling schemes (Verisign etc.), but it at least makes this kind of wide-scale MITM attack (i.e. against lots of different hosts simultaneously) a lot more difficult.
SSH should be modified to present X509 certificates and to check them against a list of known CAs just like browsers do. Until that happens, its lack of authentication should be considered a gaping security hole.
What programmers writing the class library liked the new license? In particular, were they volunteers, or getting paid to write it?
My own attitude towards these questions is I'm a relative GPL zealot when it comes to code that I write for free on my own time. I don't see why I should develop products for proprietary software companies without getting paid. However, if I am getting paid, then I'm not so fussy about the license. I suspect a lot of other programmers feel the same way at some level, though they may not be explicit about it.
So if it was paid programmers who liked the license switch, it's easier to understand, even if it means the project will attract fewer volunteers. If it was volunteers who wanted to switch, that just seems kind of self-defeating.
I hope project leaders thinking of choosing non-GPL licenses consider these issues. Some projects of course need volunteers more than others do.
Schlafly filed in Eldred vs Ashcroft (on "Schlafly on Copyright" · Score: 3, Informative)
Schlafly isn't new to the copyright issue. Her "Eagle Forum" filed a pretty good amicus brief (pdf) supporting Eric Eldred in Eldred vs. Ashcroft. Check it out.
I don't see any fud in that message. Is it possible to use a Tivo without registering it or connecting it to a phone line? I mean, can you go to the store, buy a Tivo with cash, and take it home and start using it without ever "activating" it? You can do that with a VCR, so if you can't do it with a Tivo, then Tivo hasn't caught up.
San Jose Mercury story: hundreds of mailboxes removed from San Francisco bay area, due to low usage, garbage thrown in mailboxes, fear of more anthrax attacks, etc. etc. I can't help worrying about all anonymous means of communication shutting down.
The closest thing anyone has found to weaknesses in RC4 are "distinguishing attacks". If you have a gigabyte or so of RC4 output, you can statistically show that it's not actual random data (you can distinguish RC4 from a true random number source). However, that's a long way from being able to break the algorithm.
The ciphers used before WW2 were in general pretty weak. We could deploy better ones now, just because we understand the subject better.
The Codebreakers, by David Kahn, is the standard reference on historical ciphers, btw. That's the first place to look if you want to know how those old systems worked.
Characters in spy novels always want to do this (on "Encryption by Hand?" · Score: 2)
With computers everywhere these days, pen and paper ciphers are mostly just an intellectual challenge. Still, the subject comes up on sci.crypt regularly. It figures into Neal Stephenson's Cryptonomicon if that's of any interest.
For example, almost all SSL web browsing is secured by RC4-256 encryption and there are no known breaks for that. You could do RC4-256 with pen and paper (well, pencil and paper and eraser) pretty straightforwardly, though RC4-100 might be easier (and possibly less secure, though again there are no known useful breaks).
Bruce Schneier's Solitaire algorithm (the one that uses a deck of cards) also has no known breaks, though it turns out to not have all the properties that the designer had hoped for.
RMS founded the GNU project, and the FSF was formed afterwards to handle organizational aspects of doing the GNU project.
Or more likely, was it done without bothering to ask him, or maybe even over his opposition?
I refuse to buy any DRM-impaired e-books, so I hope that an open-format version becomes available sometime.
Try one of this guy's boards.
Any idea when this crap is supposed to start?
Use telnet over SSL (a/k/a telnets) instead of ssh. What confuses me is why ssh became such a standard, when telnets already existed.
It gives another way to read lit files.