ACLs are used to grant/restrict access to a particular resource - not just files. They are most often used for filesystem priveleges, but the model is easily extended to anything which can be viewed as an atomic resource. TCP ports, hardware devices, even more abstract entities like "network paramters" can be viewed in this way, and have ACLs attached to them
In this way, you could allow certain users read-only access to the network paramters, and others read/write access.
Linux, of course, would allow you to do all this within the filesystem, if we had ACLs. The/dev and/proc hierarchies are designed to map these sorts of resources onto the filesystem so that you can use common system calls to manage them.
<rant>
The biggest advantage of ACLs for security is that they are managed outside of the resources they govern. A resource does not get to tell the OS who can access it, rather, the access control is left up to the SA. The problem with these kernel capabilities, as described in the article, is that it is left up to the application to determine which priveleges it will have, and there seems to be no way for an administrator to deny the application access.
This whole model seems quite backward to me, and I don't think it gets around the problem of having to run untrusted code (ie, someone else's) as root, in order to do something simple like ping.
</rant>
I think I'll go look now to see who's actively working on ACLs for Linux, to see if there's anything I can do to help...
Does anyone know of a link to the text of this bill? The article is quite vague (standard mainstream media quality). I'd love to read (or at least skim) the real thing to see what it really means.
For example, it doesn't go into any detail regarding what constitutes "digitally protected material" - does this cover only materials already protected by strong crypto (not much legislation required) or anything that someone chooses to protect by any means (DMCA-style - protect your copyrighted work with ROT-13 and make un-ROT-13 illegal)? Or is there a legal definition of "protected" which says how the protection must work?
From the article:
While incidental copies of material - such as the copies made by Internet service providers during transmission of a Web page - were exempt, deliberate copies such as those in a cache set up to minimise international downloads were not, Hough said.
How does anyone define what is "deliberate"? If I set up an HTTP proxy in order to minimize traffic on an outgoing line, am I potentially in violation of Australian law? I may have deliberately set up the proxy server, but after that, I do not control what goes through it.
And what about the fact that my HTTP proxy can't even decode the material? Does this act represent an attempt to regulate the copying of the digitally-protected materials (like caching the encoded data, or copying a DVD bit-for-bit) or just the decoded, unprotected materials (distributing de-CSSed DVD content)?
Or perhaps Australian legislators don't realise the importance of caching to the health of the Internet... If every client had to talk directly to the originating server for every request, the Internet would have brought to its knees years ago under the load. Caching, mirroring, and other techniques based on making local copies of data are what keep the network running (Slashdot effect aside)
Making and supplying software for cracking protective codes will also be illegal but the law has been worded to avoid covering the computers such software could run on.
(I'm glad to see that they're not planning on making computers illegal:)
If there are any Aussies reading who are familiar with this legislation, I'd be very interested in hearing more (especially how it got this far without anyone hearing about it (for anyone, read me.))
As a compromise between users who want to stick with their old browsers and designers who don't want all of their time stuck in a quagmire of old-browser esoterica, I'd suggest that the redirection page should be a plain-text version of the content, with a footnote note that compliance with certain standards is required to view the fancy web page.
I'd love to see this advice followed, but I am certain that it won't be.
It won't be followed, because of the amount of redundant content that needs to be maintained on the plain version of a site. First off, this automatically doubles the workload of the poor site designer who now has to maintain two (or more) versions of each page (I've worked with designers who have had sites to maintain with several thousand pages of static HTML). Secondly, you're bound to see errors and inconsistencies between versions, and the plain versions will likely get neglected, making them much less useful than a crippled version of the fancy page. From a marketing standpoint, maintaining these pages for a dwindling number of people using older browsers simply won't make sense.
It would be far better, I think, to put effort into making sure that the newer technologies fail gracefully when interpreted by older browsers. This has always been a design consideration with HTML, as well as frames, javascript, and CSS. It means that if you interpret an XHTML4+CSS page in an HTML2 browser, you should at least get something you can read, even if you miss out on the cool fonts and such.
HTML was designed in order to be able to separate content (in the html file) from presentation (in the browser). As long as we stick to this separation, then older browsers will automatically generate their own plaintext versions of your pages.
The article was not suggesting that we all move to cool, new, completely incompatible-with-html technologies like flash, which would leave older browsers completely lost, but just to stick to official W3C standards, which should at least be renderable by any browser out there.
Re:This is exactly what the NSA wants you to think
on
RSA Cracked - Not
·
· Score: 1
No, triple encryption has the same problem, which is why it only gives you 112 bits from a 168 bit key. (Though you can use a 168 bit key with 112 bits of entropy
The general method for triple-encryption of any block cipher is to use two keys, A and B, and to compute the ciphertext as Enc(A,Dec(B,Enc(A,Plaintext))).
With 56-bit DES, this method uses 112 bits of key, and is resistant to the meet-in-the-middle attack used against double-DES
Now, the issue of whether to call this a single 112-bit key (AB) or a 168-bit key (ABA) with only 112 bits of entropy is really a matter of semantics. I prefer the to use the first, and to consider the number of times that a particular bit is reused in an algorithm irrelevant.
RSA's biggest fear just might be some modern day Ramajun. The big 'R' should be understandably apprehensive whenever some guy off the street
emails and says he's broken RSA - because it just could be true.
I certainly hope that, if RSA is ever broken, that that's exactly how it happens. It would be so much more satisfying to see some brilliant stroke of human insight cut through a problem which has been declared "really really hard; maybe impossible" by leading cryptographers than to see it broken by a computer through mechanical processes.
I remember being thrilled when hearing that Fermat's Last Theorem had been proven, and then quite disappointed when I then heard that it had taken so much computer assistance that it would likely take years of hand checking to be sure that it really had worked, and that even then, it was so complex that a lay mathematician wouldn't have a hope of understanding it.
That being said, I don't think that Leo de Velez is RSA's Ramanujan (yet) - His description of his method shows that he understands some of the mechanics behind the algorithm, but lacks a feel for the behaviour of numbers at the sizes used in practical public-key crypto.
On average, its 10 years ahead of the curve on everything...
Where did that figure come from? Do you know of any concrete examples? (Not sarcasm, I'm really interested)
I know that when DES was being designed, in the early 70's, they were roughly 20 years ahead of the civilian mathematics field. The differential attacks that it had been designed to withstand weren't discovered until 1990.
Makes you wonder what they've been up to since then...:|
- cicadia
Re:This is exactly what the NSA wants you to think
on
RSA Cracked - Not
·
· Score: 1
That sounds about right - and since single-DES uses a 56-bit key (which provides, I believe, a 55 bit keyspace,) you've really only added one bit onto the key. There's a fairly clever meet-in-the-middle attack on double-encrypted ciphers; I can't remember most of it right now, though -- I believe that while it ends up only taking twice as long as a brute-force attack on single encryption, it consumes an awful lot of memory.
Triple-DES does give you the full 112 bits of your key, since triple-encryption manages to avoid that problem.
You just have to wonder what recently means, 90 days?
Generally this means 45 days with CERT. They have been criticised on a few occassions for this response time, and for the fact that they refuse to go "full disclosure". Their policy is to inform the software vendor first of any discovered vulnerabilities, and allow the vendor that time to release patches before making it widely known.
That's why you can get a version of BIND from the ISC on the same day that the vulnerability was made public.
I'd like to know earlier as well, but at the same time, I'm glad this hasn't been public for 45 days while I sit and wait for a patch.
you may like to make the non-fee paying people spectators only... ie let people who pay fees
contribute to discussions and ask questions etc, but let "freeloaders" listen in only...
An interesting variation on this would be to make the freeloaders pay for the information they are receiving, but make it free for those who are willing to actively contribute to the discussion.
And no, I have no idea how to implement this in practice, nor how to enforce payment or quality.. just an idea
The "won't somebody think of the children!" folks seem to have calmed down a little and realized that "Not all violence is equal, and not all fighting is equal [...]
Who are the heroes? Is aggressive behavior being re-enforced? [sic]" Two paragraphs later, a dean emeritus (read: geezer) explains that parents aren't being
more reasonable, they're just "desensitized."
What the author seemed to miss completely in this analysis is that these parents are not the same people who were so upset about Power Rangers nearly 10 years ago. Someone who was crusading against their 8 year old kid watching violent television 10 years ago is simply not going to care now. Their kids are 18, and probably not watching the same shows anymore.
By the same token, the parents whose children are watching Pokemon today grew up ten years later, under a different set of influences, and now appear to have a different attitude toward what is acceptable children's programming.
These parents today were the people who stood back from the Power Rangers riots ten years ago, and saw how irrational it was.
The author (and many more like him) need to realise that you can't throw around a term like "parents," and expect it to apply to anyone who has ever had children, regardless of any other societal changes, and should not be so surprised when people now react differently to something like this than people used to.
I now return to my regularly scheduled moderation:)
In summary, even though Despair, Inc does have a trademark on:-(, you are basically allowed to use it until you are told to stop by Despair.
I should be able to use:-( all I want, regardless of what Despair thinks, unless I'm using it to sell posters. Or calendars, or mugs, or whatever else their trademark specifically applies to.
Of course, I wont. I prefer the somewhat terser ":(" (for which I am applying for trademark protection right now:) )
What would be your criteria, then, for deciding who should be allowed to have a broadband connection? Would it really be practical or fair to implement these criteria?
Well, first, we're gonna need some sort of moderation system, so that we can rate the worthiness of people's Internet usage... then we can set up a kind of 'karma' system for determining who should get how much bandwidth...
try getting it to support some of the newer AMD motherboards
Actually, I had occasion to install Win95 on a new AMD system last fall (my client had heard that 95 was much more stable than 98, and there was no talking her out of it.)
It turns out that Win95 has a problem with AMD chips faster than 350MHz, and will not boot. MS has released a patch; I had to underclock the motherboard to bring it below 350MHz in order to install it.
It's run fine ever since that.
<linux-comment class="obligatory">Yes, I know it would have been stable from the start with a standard Linux install; I just don't want to be administering that system forever:)</linux-comment>
no it's not resonable. You should choose a term that relatively clearly & uniquely refers to the company in question the term Linux clearly & uniquely refers to something else...
Yes, but it is lawyers who write documents such as this, and in legal language, the use of the phrase:
on behalf of purchasers of the securities of VA Linux Systems, Inc. (``Linux'' or the ``Company'')
ensures that "Linux" clearly and uniquely refers to VA Linux Systems, Inc.
It's their document, and they can define terms like this to mean whatever they want, as long as they inform you.
'When I use a word,' Humpty Dumpty said in a rather scornful tone, 'it means just what I choose it to mean - neither more nor less.' -- Lewis Carroll, Through the Looking-Glass
I. Shift the ciphertext by that length and XOR it with itself. This removes the key and leaves you with plaintext XORed with the plaintext shifted the length of the key.
This is a very simple known-plaintext attack which works well on systems which encrypt by XORing the plaintext with repeated copies of a short key. Assuming that the spec called for a short (say 64-bit) key to be assigned to the drive at the factory and used in this manner, then the decoding process would be fairly simple:
1. Store a large block of zeroes somewhere on the drive
2. Use some sort of device to read the raw ciphertext data from the hard drive (remember this is hardware encryption we're talking about here)
3. Read the key directly from the ciphertext.
However, the chances of such a small XOR key being used are slim (not zero, it's been done before)
What is much more likely is that a pseudorandom number generator is seeded with a short key to produce a much longer keystream (say 2^64 bits) with which to XOR the plaintext bits. This makes such a shifting attack all but useless (still technically possible though, if a 32-bit key was used, because of the sheer amount of encrypted data) - See Schneier 1996, ch.16 on stream ciphers for more.
Of course, all of this relies on your ability to read the ciphertext directly from the drive. Presumably, the spec would call for the drive to return only the decrypted data in response to software calls, or nothing at all if the key was incorrect.
As well, Andre's response indicates that this proposal was shelved in favour of a software solution which has the encryption performed off of the drive itself, which makes this whole discussion (-1, off-topic):)
In this case, the question becomes - Is there any way for the software to know that it is running on a CPRM drive?
I haven't yet read the specs, but I do not believe that there is any way for a CPRM drive to be detected which could not be easily spoofed by a non-CRPM drive, either in the drive electronics or in the software drivers.
After all, the whole point of the OS is to insulate the software from the details of the hardware.
The moral of the story is that unless you built your own processor, built your own hardware, built your own compiler from scratch, and read the source code and understood it completely, you're open to attack.
That, and you'd better be sure that the NSA didn't insert some subtle flaws in your Physics and Engineering textbooks, that would cause you to unintentionally design their back doors into your processor:)
To everyone here posting about the fact that this article is obviously wrong because of the huge impact that computers have had on everyone's life (even ignoring the obvious bias of the readership):
Computers were an invention of the first half of this century.
Sorry, I had to get that out.
At any rate, the basic principles of modern computer architecture, the foundations of computing science, as well as the first working computers were all products of the 1930s to 1950s (with apologies to Mr. Babbage)
Now, can we discuss the relative merits of any really new technology?
But honestly, I'm glad they got him on the forgery charge instead of all of the above charges (i.e. forging a bogus return address)
Actually, it's the forgery charge that most worries me.
Unlike forging a signature on a cheque, or an official document, there is nothing in the RFC822 headers of an email that was ever designed to act as proof of a message's origin. It was well known twenty years ago that email was not resistant to forgery, and that has been an accepted limitation of the system all along.
I would like to see to what extent this spammer went to conceal the source of his messages, and how easily they were traced (the article seems to imply that they were traced fairly easily to his apartment). If all he did was use a false return address, does this mean that incorrectly filling out my Netscape preferences is a criminal offence? (Not to mention the people who would falsify an email address in their slashdot profile:)
I'm sure there must be more than enough evidence to convict him on the other charges -- misuse of computer resources and all that -- that there is no need to set a precedent like this for plain (non-signed) email
Slashdot Mirror
ACLs are used to grant/restrict access to a particular resource - not just files. They are most often used for filesystem priveleges, but the model is easily extended to anything which can be viewed as an atomic resource. TCP ports, hardware devices, even more abstract entities like "network paramters" can be viewed in this way, and have ACLs attached to them
In this way, you could allow certain users read-only access to the network paramters, and others read/write access.
Linux, of course, would allow you to do all this within the filesystem, if we had ACLs. The /dev and /proc hierarchies are designed to map these sorts of resources onto the filesystem so that you can use common system calls to manage them.
<rant>
The biggest advantage of ACLs for security is that they are managed outside of the resources they govern. A resource does not get to tell the OS who can access it, rather, the access control is left up to the SA. The problem with these kernel capabilities, as described in the article, is that it is left up to the application to determine which priveleges it will have, and there seems to be no way for an administrator to deny the application access.
This whole model seems quite backward to me, and I don't think it gets around the problem of having to run untrusted code (ie, someone else's) as root, in order to do something simple like ping.
</rant>
I think I'll go look now to see who's actively working on ACLs for Linux, to see if there's anything I can do to help...
Does anyone know of a link to the text of this bill? The article is quite vague (standard mainstream media quality). I'd love to read (or at least skim) the real thing to see what it really means.
For example, it doesn't go into any detail regarding what constitutes "digitally protected material" - does this cover only materials already protected by strong crypto (not much legislation required) or anything that someone chooses to protect by any means (DMCA-style - protect your copyrighted work with ROT-13 and make un-ROT-13 illegal)? Or is there a legal definition of "protected" which says how the protection must work?
From the article:
How does anyone define what is "deliberate"? If I set up an HTTP proxy in order to minimize traffic on an outgoing line, am I potentially in violation of Australian law? I may have deliberately set up the proxy server, but after that, I do not control what goes through it.
And what about the fact that my HTTP proxy can't even decode the material? Does this act represent an attempt to regulate the copying of the digitally-protected materials (like caching the encoded data, or copying a DVD bit-for-bit) or just the decoded, unprotected materials (distributing de-CSSed DVD content)?
Or perhaps Australian legislators don't realise the importance of caching to the health of the Internet... If every client had to talk directly to the originating server for every request, the Internet would have brought to its knees years ago under the load. Caching, mirroring, and other techniques based on making local copies of data are what keep the network running (Slashdot effect aside)
(I'm glad to see that they're not planning on making computers illegal :)
If there are any Aussies reading who are familiar with this legislation, I'd be very interested in hearing more (especially how it got this far without anyone hearing about it (for anyone, read me.))
I'd love to see this advice followed, but I am certain that it won't be.
It won't be followed, because of the amount of redundant content that needs to be maintained on the plain version of a site. First off, this automatically doubles the workload of the poor site designer who now has to maintain two (or more) versions of each page (I've worked with designers who have had sites to maintain with several thousand pages of static HTML). Secondly, you're bound to see errors and inconsistencies between versions, and the plain versions will likely get neglected, making them much less useful than a crippled version of the fancy page. From a marketing standpoint, maintaining these pages for a dwindling number of people using older browsers simply won't make sense.
It would be far better, I think, to put effort into making sure that the newer technologies fail gracefully when interpreted by older browsers. This has always been a design consideration with HTML, as well as frames, javascript, and CSS. It means that if you interpret an XHTML4+CSS page in an HTML2 browser, you should at least get something you can read, even if you miss out on the cool fonts and such.
HTML was designed in order to be able to separate content (in the html file) from presentation (in the browser). As long as we stick to this separation, then older browsers will automatically generate their own plaintext versions of your pages.
The article was not suggesting that we all move to cool, new, completely incompatible-with-html technologies like flash, which would leave older browsers completely lost, but just to stick to official W3C standards, which should at least be renderable by any browser out there.
No, triple encryption has the same problem, which is why it only gives you 112 bits from a 168 bit key. (Though you can use a 168 bit key with 112 bits of entropy
The general method for triple-encryption of any block cipher is to use two keys, A and B, and to compute the ciphertext as Enc(A,Dec(B,Enc(A,Plaintext))).
With 56-bit DES, this method uses 112 bits of key, and is resistant to the meet-in-the-middle attack used against double-DES
Now, the issue of whether to call this a single 112-bit key (AB) or a 168-bit key (ABA) with only 112 bits of entropy is really a matter of semantics. I prefer the to use the first, and to consider the number of times that a particular bit is reused in an algorithm irrelevant.
RSA's biggest fear just might be some modern day Ramajun. The big 'R' should be understandably apprehensive whenever some guy off the street emails and says he's broken RSA - because it just could be true.
I certainly hope that, if RSA is ever broken, that that's exactly how it happens. It would be so much more satisfying to see some brilliant stroke of human insight cut through a problem which has been declared "really really hard; maybe impossible" by leading cryptographers than to see it broken by a computer through mechanical processes. I remember being thrilled when hearing that Fermat's Last Theorem had been proven, and then quite disappointed when I then heard that it had taken so much computer assistance that it would likely take years of hand checking to be sure that it really had worked, and that even then, it was so complex that a lay mathematician wouldn't have a hope of understanding it.
That being said, I don't think that Leo de Velez is RSA's Ramanujan (yet) - His description of his method shows that he understands some of the mechanics behind the algorithm, but lacks a feel for the behaviour of numbers at the sizes used in practical public-key crypto.
- cicadia
On average, its 10 years ahead of the curve on everything...
Where did that figure come from? Do you know of any concrete examples? (Not sarcasm, I'm really interested)
I know that when DES was being designed, in the early 70's, they were roughly 20 years ahead of the civilian mathematics field. The differential attacks that it had been designed to withstand weren't discovered until 1990.
Makes you wonder what they've been up to since then... :|
- cicadia
That sounds about right - and since single-DES uses a 56-bit key (which provides, I believe, a 55 bit keyspace,) you've really only added one bit onto the key. There's a fairly clever meet-in-the-middle attack on double-encrypted ciphers; I can't remember most of it right now, though -- I believe that while it ends up only taking twice as long as a brute-force attack on single encryption, it consumes an awful lot of memory.
Triple-DES does give you the full 112 bits of your key, since triple-encryption manages to avoid that problem.
- cicadia
You just have to wonder what recently means, 90 days?
Generally this means 45 days with CERT. They have been criticised on a few occassions for this response time, and for the fact that they refuse to go "full disclosure". Their policy is to inform the software vendor first of any discovered vulnerabilities, and allow the vendor that time to release patches before making it widely known.
That's why you can get a version of BIND from the ISC on the same day that the vulnerability was made public.
I'd like to know earlier as well, but at the same time, I'm glad this hasn't been public for 45 days while I sit and wait for a patch.
Check out their policy on this at http://www.cert.org/faq/vuldisclosurepolicy.html (hope that makes it throught the /. filters OK :)
- cicadia
you may like to make the non-fee paying people spectators only... ie let people who pay fees contribute to discussions and ask questions etc, but let "freeloaders" listen in only...
An interesting variation on this would be to make the freeloaders pay for the information they are receiving, but make it free for those who are willing to actively contribute to the discussion.
And no, I have no idea how to implement this in practice, nor how to enforce payment or quality.. just an idea
- cicadia
The "won't somebody think of the children!" folks seem to have calmed down a little and realized that "Not all violence is equal, and not all fighting is equal [...] Who are the heroes? Is aggressive behavior being re-enforced? [sic]" Two paragraphs later, a dean emeritus (read: geezer) explains that parents aren't being more reasonable, they're just "desensitized."
What the author seemed to miss completely in this analysis is that these parents are not the same people who were so upset about Power Rangers nearly 10 years ago. Someone who was crusading against their 8 year old kid watching violent television 10 years ago is simply not going to care now. Their kids are 18, and probably not watching the same shows anymore.
By the same token, the parents whose children are watching Pokemon today grew up ten years later, under a different set of influences, and now appear to have a different attitude toward what is acceptable children's programming.
These parents today were the people who stood back from the Power Rangers riots ten years ago, and saw how irrational it was.
The author (and many more like him) need to realise that you can't throw around a term like "parents," and expect it to apply to anyone who has ever had children, regardless of any other societal changes, and should not be so surprised when people now react differently to something like this than people used to.
I now return to my regularly scheduled moderation :)
- cicadia
In summary, even though Despair, Inc does have a trademark on :-(, you are basically allowed to use it until you are told to stop by Despair.
I should be able to use :-( all I want, regardless of what Despair thinks, unless I'm using it to sell posters. Or calendars, or mugs, or whatever else their trademark specifically applies to.
Of course, I wont. I prefer the somewhat terser ":(" (for which I am applying for trademark protection right now :) )
- cicadia
What would be your criteria, then, for deciding who should be allowed to have a broadband connection? Would it really be practical or fair to implement these criteria?
Well, first, we're gonna need some sort of moderation system, so that we can rate the worthiness of people's Internet usage... then we can set up a kind of 'karma' system for determining who should get how much bandwidth...
- cicadia
try getting it to support some of the newer AMD motherboards
Actually, I had occasion to install Win95 on a new AMD system last fall (my client had heard that 95 was much more stable than 98, and there was no talking her out of it.)
It turns out that Win95 has a problem with AMD chips faster than 350MHz, and will not boot. MS has released a patch; I had to underclock the motherboard to bring it below 350MHz in order to install it.
It's run fine ever since that.
<linux-comment class="obligatory">Yes, I know it would have been stable from the start with a standard Linux install; I just don't want to be administering that system forever :)</linux-comment>
- cicadia
It's Microsoft has NOT "Microsoft have."
I think "Microsoft have" more accurately reflects the belief in Microsoft as a collective, rather than a singular, entity.
- cicadia
no it's not resonable. You should choose a term that relatively clearly & uniquely refers to the company in question the term Linux clearly & uniquely refers to something else...
Yes, but it is lawyers who write documents such as this, and in legal language, the use of the phrase:
ensures that "Linux" clearly and uniquely refers to VA Linux Systems, Inc.
It's their document, and they can define terms like this to mean whatever they want, as long as they inform you.
'When I use a word,' Humpty Dumpty said in a rather scornful tone, 'it means just what I choose it to mean - neither more nor less.' -- Lewis Carroll, Through the Looking-Glass
- cicadia
Seriously though - how does someone attain that (eh-hem) lofty title?
Personally, I think that "Linux ATA dude" is a much more impressive title.
- cicadia
Did I just read that the cipher is a simple XOR?
This is a very simple known-plaintext attack which works well on systems which encrypt by XORing the plaintext with repeated copies of a short key. Assuming that the spec called for a short (say 64-bit) key to be assigned to the drive at the factory and used in this manner, then the decoding process would be fairly simple:
However, the chances of such a small XOR key being used are slim (not zero, it's been done before)
What is much more likely is that a pseudorandom number generator is seeded with a short key to produce a much longer keystream (say 2^64 bits) with which to XOR the plaintext bits. This makes such a shifting attack all but useless (still technically possible though, if a 32-bit key was used, because of the sheer amount of encrypted data) - See Schneier 1996, ch.16 on stream ciphers for more.
Of course, all of this relies on your ability to read the ciphertext directly from the drive. Presumably, the spec would call for the drive to return only the decrypted data in response to software calls, or nothing at all if the key was incorrect.
As well, Andre's response indicates that this proposal was shelved in favour of a software solution which has the encryption performed off of the drive itself, which makes this whole discussion (-1, off-topic) :)
- cicadia
"This software requires
32 MB RAM
Such-and-such Processor
CPRM-enabled Hard Disk"
In this case, the question becomes - Is there any way for the software to know that it is running on a CPRM drive?
I haven't yet read the specs, but I do not believe that there is any way for a CPRM drive to be detected which could not be easily spoofed by a non-CRPM drive, either in the drive electronics or in the software drivers.
After all, the whole point of the OS is to insulate the software from the details of the hardware.
- cicadia
The moral of the story is that unless you built your own processor, built your own hardware, built your own compiler from scratch, and read the source code and understood it completely, you're open to attack.
That, and you'd better be sure that the NSA didn't insert some subtle flaws in your Physics and Engineering textbooks, that would cause you to unintentionally design their back doors into your processor :)
- cicadia
I can't speak to LZW, but the RSA patent is not a very defenseable patent.
Actually, RSA is not a defensible patent because it expired in September 2000.
I'm not sure about LZW, but wasn't that patent issued back in the 70's as well?
- cicadia
To everyone here posting about the fact that this article is obviously wrong because of the huge impact that computers have had on everyone's life (even ignoring the obvious bias of the readership):
Computers were an invention of the first half of this century.
Sorry, I had to get that out.
At any rate, the basic principles of modern computer architecture, the foundations of computing science, as well as the first working computers were all products of the 1930s to 1950s (with apologies to Mr. Babbage)
Now, can we discuss the relative merits of any really new technology?
- cicadia
Actually, kernal was an alternative spelling used by Commodore from way back... Never seen it used anywhere else though
- cicadia
The general rule is not to use any Microsoft product until SP3 is released :)
I had a relevant link, but I lost it
But honestly, I'm glad they got him on the forgery charge instead of all of the above charges (i.e. forging a bogus return address)
Actually, it's the forgery charge that most worries me.
Unlike forging a signature on a cheque, or an official document, there is nothing in the RFC822 headers of an email that was ever designed to act as proof of a message's origin. It was well known twenty years ago that email was not resistant to forgery, and that has been an accepted limitation of the system all along.
I would like to see to what extent this spammer went to conceal the source of his messages, and how easily they were traced (the article seems to imply that they were traced fairly easily to his apartment). If all he did was use a false return address, does this mean that incorrectly filling out my Netscape preferences is a criminal offence? (Not to mention the people who would falsify an email address in their slashdot profile :)
I'm sure there must be more than enough evidence to convict him on the other charges -- misuse of computer resources and all that -- that there is no need to set a precedent like this for plain (non-signed) email
-- cicadia
Imagine that... an MS/Intel server down for less than 3.5 days in a year!
Yeah, I saw it too... too much studying... math skills rapidly deteriorating...
- cicadia