Yes, that supplies the technology. However the whole point of using certificates issued from a CA is to establish trust, eg. if I trust that the CA issues certificates only after establishing the identity of the entity then I can choose to trust any certificate that has been issued by that CA (what I mean by trust is up to me, but it might merely mean that if something goes wrong I can follow an audit trail back to the certified entity). Without any trust relationship the technology has very limited value.
Australia Post has a service named KeyPost where they act as the RA (Registration Authority) and provide authenticity information to CA's. I'd trust certificates issued through this scheme a whole lot more than by a friend of a friend of someone I'll never meet. Why not outsource the RA work to Australia Post? The Australian Government program that supports this is Gatekeeper.
I don't have the wireless option, but I am using my notebook right now on the couch, with a Microsoft IntelliMouse Explorer 3.0 USB right on the surface of the couch set next to me. It is so much better to use than even the best ball mouse I had previously with one of those 3M mouse pads that were so much better than normal pads. I know that Microsoft also have a Bluetooth optical mouse, so I'd bet that a Bluetooth keyboard with such a mouse would be the best option.
Information from the OpenSSL core team and the oss institute is that the source is being certified and the certification has been issued for the hashes of the relevant source files, thereby meaning that compilation of unmodified source results in a certified build.
Calm down buddy. He's hardly an idiot for being concerned about downloading a trojan. With all of the virus/trojan/worm activity these days I'd say he's being reasonably cautious, and good on him because if he's one less person to get infected then there's one less machine that can be used to attack the rest of us. While it may be true that the reputation of a website may not indicate that binaries on it are infected, it is still likely that any infected binaries out there would be on a less reputable website.
As for the original question: I have no experience with building or even using gimp, but if the project supports building on Windows then just download it and give it a try. The intructions are probably quite easy to follow.
So explain to me why using purely random data is a bad idea for seeding a PRNG.
As far as making something harder is concerned, isn't this the whole point about security, both physical and digital? If a door lock is harder to pick, is it not more secure than one that is easier to pick? If a password is harder to guess, is it not more secure than a password that is easier to guess? So then why is a PRNG whose sequence is harder to guess not more secure than a PRNG whose sequence is easier to guess?
Yes, it is the same thing. If you don't know the starting point of the sequence and all you see is a stream of pseudo-random data then the best you can do is to find that sequence somewhere in the stream. However with typical PRNGs having extremely large cycle lengths, to do a search would require a massive amount of resources. This is the whole point, it makes it harder -- the same premise behind asymmetric crypto such as RSA. If I know your starting value, and I know the algorithm (good chance that it's one of several well known PRNGs) then I know your stream of pseudo-random numbers.
Again going back to the digits of pi. If I choose to start at the 36,344,636,842,575th digit of pi, which lets say for arguments sake is the start of the stream 5, 2, 6, 3, and you see this 5, 2, 6, 3 go across the network then you will have no choice but to do a brute force search through all digits of pi up to at least the one that I started from. You may well find millions of copies of the same sequence along the way. How do you know which it is? On the other hand, if you knew that to pick a starting point I took the current time, added in the process id (a 16-bit number), etc, etc, then you can work out a much smaller subset of positions to commence your search from.
Why do you think that OpenSSL can be configured to use daemons like prngd and egd to initialise it's PRNG? It's because the PRNG is typically considered secure enough (yes, it's not pure, but short of putting a quantum number generator in your PC it's the best that we can do) but it is critical to initialise the generator with high valued entropy. Read that Gutmann paper that I mentioned.
...as the ACCC were waiting for the results of the lawsuits in the US before making any judgement
This is the whole point. It hasn't been proven that they own any IP in Linux. Novell have stated that SCO didn't even aquire ownership of what they claim to own. A respectable company would prove such things before pursuing users. Respectable, SCO is not.
No, you're missing the point. BTW, thanks for the Einstein complement.
PRNGs cycle, and there are things you can do get around that, such as restarting them every so often or mixing in more entropy, but it is the initial entropy used to seed that is important.
PRNGs being deterministic means that it's very, very important that you start the sequence from a random point each time; an unguessable point in the sequence. Using pure random data to seed a PRNG will make it's use more secure.
Think of the digits of pi as being a pure random source. If I can guess at which digit you are going to start reading then it really makes no difference what the actual digits are. Conversely given a poorer random source but with no idea where in the cycle you will start reading it is much harder for me to guess the sequence.
See the paper written by Peter Gutmann for further details on this subject. It is required reading for anyone working with PRNGs for use in security applications.
In order to make the random numbers useable for security, they need to offer a service via an encrypted channel with a published certificate so that applications can ensure that no man-in-the-middle is occuring. You'd still want to mix in some entropy of your own gathering, but this would be a good way to prime prngd or egd. Of course there is still the question of trust of the source. If a few independent services like this sprung up around the world a secure source of entropy would be the combination of the output of several.
If the software you want is so trivial to create that it would be given away as freeware then why not write it yourself (and give it away as freeware)?
Lets start an OS written entirely in Logo. Drawing buttons and such will be easy enough, but it's the scheduler that is going to take some creativity. All user apps will also be written in Logo and it will be possible to virtualise the entire OS inside a user app. Extra care must be taken to ensure process don't write over the top of each other.
Wouldn't surprise me if it's Apple or Microsoft. If it is there's a good chance that the Linux version will be dropped.
It really pissed me off that Apple bought out Emagic and dropped the Windows version of Logic Audio that I've been using and have invested heavily in for years.
Microsoft did a similar thing with SourceSafe when they purchased it from One Tree Software years ago and then dropped all but the Windows version. I believe they may have Unix clients available these days but I've swtiched to CVS anyway.
Not that I'm criticising these guys for doing what makes the most business sense for them, but it does end up burning current users.
Get a grip people. Microsoft have had this 64-Bit version in the works for a while (of course; but I've also read about it on their website over the last month). What, you think that Intel announce a change in plans and Bill persuades the coders at Microsoft to stay up all night producing a 64-Bit version of XP. If only it were really that easy. Give me a minute and I'll produce a 128-Bit version of the internet... There, done!?
The crazy thing about patents is that you can patent the same old ideas in new domains. Solitaire might have existed before computers, but it's still a valid patent when applied to a version for a computer. Likewise, if the patent is for solitaire on desktop computers then there is room for someone else to get a patent for solitaire for handheld computers. This is how the same old business processes that people have used for years are patentable when applied to the internet.
Now, in this case, it would be interesting to see when the patent was applied for. Can the original poster provide the patent number?
Hardly the same thing. What I'm getting at is that the level of treatment should match the seriousness of the disorder. If dulling an everyday headache required a psychoactive substance then you probably should just learn to live with the headaches. While I'm not discounting that there are people out there with a level of ADHD that makes their life very difficult I do believe that the ADHD tag is being slapped on any 3 year old who acts up and doesn't appear to have been cut with the ANSI/ISO cookie cutter that we all are measured against. For these kids the ADHD is probably no more than a mild disturbance (perhaps for their parents more than them) and dosing them with psychoactives every day will have untold influence on their future lives. Sure, making a blanket statement like "don't give it to kids" may be a bit extreme, but I'm trying to counter what seems to be a growing attitude of "just put the kid on Ritalin".
Ritalin is speed, don't give it to kids. I realise why it works for this "disorder" but that's no reason to use it. I'm 32 now but have every reason to believe that I suffered from ADHD when I was a kid, and I think I still do to a certain extent, but I got through it without drugs. Actually, I didn't get through anything, this is just me, I have an overactive mind that means I sometimes jump from one thing to another very quickly.
Why should I pay for software to run on my domain too? The reason being is that these things are coming from different vendors. When you buy a certificate it isn't the certificate file that is of real value, it's the procedures and policies that the CA runs their business on. They can check your drivers license, or social security number, or use even tougher measures for determining if you really are who you say you are. A certificate's values comes from who signs it, not who it is issued to. It turns out that most of us are willing to trust a massive accountable multinational company to vouch for other people than we would a small domain reseller.
This is somewhat simplified, but code like:
if (strcmp(tag, "surname") == 0)
;// handle surname
else if (strcmp(tag, "firstname") == 0)
;// handle firstname is obviously a whole lot slower than code like:
if (tagByte == TAG_SURNAME)
;// handle surname
else if (tagByte == TAG_FIRSTNAME)
;// handle firstname
The problem with XML is that it is a general-purpose textual encoding, and as with most textual encodings it requires more bytes than a dedicated binary encoding does. The result is that it requires many more cycles to process.
If speed it of prime importance then don't use XML.
ASN.1 with it's various encodings (BER/DER/PER), as used by PKI standards to encode things like keys and X.509 certificates (to name a very small fraction of what it is used for) can be very compact. It takes quite a bit more effort to understand, but it does result in efficient encodings of data. This is one of the reasons why ASN.1 has been an international standard for many years and is used for protocols in mobile phone networks.
Slashdot Mirror
Yes, that supplies the technology. However the whole point of using certificates issued from a CA is to establish trust, eg. if I trust that the CA issues certificates only after establishing the identity of the entity then I can choose to trust any certificate that has been issued by that CA (what I mean by trust is up to me, but it might merely mean that if something goes wrong I can follow an audit trail back to the certified entity). Without any trust relationship the technology has very limited value.
Australia Post has a service named KeyPost where they act as the RA (Registration Authority) and provide authenticity information to CA's. I'd trust certificates issued through this scheme a whole lot more than by a friend of a friend of someone I'll never meet. Why not outsource the RA work to Australia Post? The Australian Government program that supports this is Gatekeeper.
I don't have the wireless option, but I am using my notebook right now on the couch, with a Microsoft IntelliMouse Explorer 3.0 USB right on the surface of the couch set next to me. It is so much better to use than even the best ball mouse I had previously with one of those 3M mouse pads that were so much better than normal pads. I know that Microsoft also have a Bluetooth optical mouse, so I'd bet that a Bluetooth keyboard with such a mouse would be the best option.
Information from the OpenSSL core team and the oss institute is that the source is being certified and the certification has been issued for the hashes of the relevant source files, thereby meaning that compilation of unmodified source results in a certified build.
The Ludites would be very pleased.
Earlier Slashdot story: Technology Spontaneously Combusts In Sicily
Calm down buddy. He's hardly an idiot for being concerned about downloading a trojan. With all of the virus/trojan/worm activity these days I'd say he's being reasonably cautious, and good on him because if he's one less person to get infected then there's one less machine that can be used to attack the rest of us. While it may be true that the reputation of a website may not indicate that binaries on it are infected, it is still likely that any infected binaries out there would be on a less reputable website.
As for the original question: I have no experience with building or even using gimp, but if the project supports building on Windows then just download it and give it a try. The intructions are probably quite easy to follow.
So explain to me why using purely random data is a bad idea for seeding a PRNG.
As far as making something harder is concerned, isn't this the whole point about security, both physical and digital? If a door lock is harder to pick, is it not more secure than one that is easier to pick? If a password is harder to guess, is it not more secure than a password that is easier to guess? So then why is a PRNG whose sequence is harder to guess not more secure than a PRNG whose sequence is easier to guess?
Yes, it is the same thing. If you don't know the starting point of the sequence and all you see is a stream of pseudo-random data then the best you can do is to find that sequence somewhere in the stream. However with typical PRNGs having extremely large cycle lengths, to do a search would require a massive amount of resources. This is the whole point, it makes it harder -- the same premise behind asymmetric crypto such as RSA. If I know your starting value, and I know the algorithm (good chance that it's one of several well known PRNGs) then I know your stream of pseudo-random numbers.
Again going back to the digits of pi. If I choose to start at the 36,344,636,842,575th digit of pi, which lets say for arguments sake is the start of the stream 5, 2, 6, 3, and you see this 5, 2, 6, 3 go across the network then you will have no choice but to do a brute force search through all digits of pi up to at least the one that I started from. You may well find millions of copies of the same sequence along the way. How do you know which it is? On the other hand, if you knew that to pick a starting point I took the current time, added in the process id (a 16-bit number), etc, etc, then you can work out a much smaller subset of positions to commence your search from.
Why do you think that OpenSSL can be configured to use daemons like prngd and egd to initialise it's PRNG? It's because the PRNG is typically considered secure enough (yes, it's not pure, but short of putting a quantum number generator in your PC it's the best that we can do) but it is critical to initialise the generator with high valued entropy. Read that Gutmann paper that I mentioned.
This is the whole point. It hasn't been proven that they own any IP in Linux. Novell have stated that SCO didn't even aquire ownership of what they claim to own. A respectable company would prove such things before pursuing users. Respectable, SCO is not.
No, you're missing the point. BTW, thanks for the Einstein complement.
PRNGs cycle, and there are things you can do get around that, such as restarting them every so often or mixing in more entropy, but it is the initial entropy used to seed that is important.
PRNGs being deterministic means that it's very, very important that you start the sequence from a random point each time; an unguessable point in the sequence. Using pure random data to seed a PRNG will make it's use more secure.
Think of the digits of pi as being a pure random source. If I can guess at which digit you are going to start reading then it really makes no difference what the actual digits are. Conversely given a poorer random source but with no idea where in the cycle you will start reading it is much harder for me to guess the sequence.
See the paper written by Peter Gutmann for further details on this subject. It is required reading for anyone working with PRNGs for use in security applications.
In order to make the random numbers useable for security, they need to offer a service via an encrypted channel with a published certificate so that applications can ensure that no man-in-the-middle is occuring. You'd still want to mix in some entropy of your own gathering, but this would be a good way to prime prngd or egd. Of course there is still the question of trust of the source. If a few independent services like this sprung up around the world a secure source of entropy would be the combination of the output of several.
If the software you want is so trivial to create that it would be given away as freeware then why not write it yourself (and give it away as freeware)?
Lets start an OS written entirely in Logo. Drawing buttons and such will be easy enough, but it's the scheduler that is going to take some creativity. All user apps will also be written in Logo and it will be possible to virtualise the entire OS inside a user app. Extra care must be taken to ensure process don't write over the top of each other.
Wouldn't surprise me if it's Apple or Microsoft. If it is there's a good chance that the Linux version will be dropped.
It really pissed me off that Apple bought out Emagic and dropped the Windows version of Logic Audio that I've been using and have invested heavily in for years.
Microsoft did a similar thing with SourceSafe when they purchased it from One Tree Software years ago and then dropped all but the Windows version. I believe they may have Unix clients available these days but I've swtiched to CVS anyway.
Not that I'm criticising these guys for doing what makes the most business sense for them, but it does end up burning current users.
Get a grip people. Microsoft have had this 64-Bit version in the works for a while (of course; but I've also read about it on their website over the last month). What, you think that Intel announce a change in plans and Bill persuades the coders at Microsoft to stay up all night producing a 64-Bit version of XP. If only it were really that easy. Give me a minute and I'll produce a 128-Bit version of the internet... There, done!?
The blog has the patent numbers and dates. 1996 being the earliest means prior art existed.
The crazy thing about patents is that you can patent the same old ideas in new domains. Solitaire might have existed before computers, but it's still a valid patent when applied to a version for a computer. Likewise, if the patent is for solitaire on desktop computers then there is room for someone else to get a patent for solitaire for handheld computers. This is how the same old business processes that people have used for years are patentable when applied to the internet.
Now, in this case, it would be interesting to see when the patent was applied for. Can the original poster provide the patent number?
That's just dumb. Now SCO is going to have "evidence" that Open Source advocates are virus writters.
Hardly the same thing. What I'm getting at is that the level of treatment should match the seriousness of the disorder. If dulling an everyday headache required a psychoactive substance then you probably should just learn to live with the headaches. While I'm not discounting that there are people out there with a level of ADHD that makes their life very difficult I do believe that the ADHD tag is being slapped on any 3 year old who acts up and doesn't appear to have been cut with the ANSI/ISO cookie cutter that we all are measured against. For these kids the ADHD is probably no more than a mild disturbance (perhaps for their parents more than them) and dosing them with psychoactives every day will have untold influence on their future lives. Sure, making a blanket statement like "don't give it to kids" may be a bit extreme, but I'm trying to counter what seems to be a growing attitude of "just put the kid on Ritalin".
You mean without?:
Billions of people survived just fine without Ritalin, and I personally see no use for it in any situation.
Ritalin is speed, don't give it to kids. I realise why it works for this "disorder" but that's no reason to use it. I'm 32 now but have every reason to believe that I suffered from ADHD when I was a kid, and I think I still do to a certain extent, but I got through it without drugs. Actually, I didn't get through anything, this is just me, I have an overactive mind that means I sometimes jump from one thing to another very quickly.
I'm told that inhaling the dust from it can cause cancer.
Why should I pay for software to run on my domain too? The reason being is that these things are coming from different vendors. When you buy a certificate it isn't the certificate file that is of real value, it's the procedures and policies that the CA runs their business on. They can check your drivers license, or social security number, or use even tougher measures for determining if you really are who you say you are. A certificate's values comes from who signs it, not who it is issued to. It turns out that most of us are willing to trust a massive accountable multinational company to vouch for other people than we would a small domain reseller.
This is somewhat simplified, but code like: // handle surname // handle firstname // handle surname // handle firstname
if (strcmp(tag, "surname") == 0)
;
else if (strcmp(tag, "firstname") == 0)
;
is obviously a whole lot slower than code like:
if (tagByte == TAG_SURNAME)
;
else if (tagByte == TAG_FIRSTNAME)
;
The problem with XML is that it is a general-purpose textual encoding, and as with most textual encodings it requires more bytes than a dedicated binary encoding does. The result is that it requires many more cycles to process.
If speed it of prime importance then don't use XML.
ASN.1 with it's various encodings (BER/DER/PER), as used by PKI standards to encode things like keys and X.509 certificates (to name a very small fraction of what it is used for) can be very compact. It takes quite a bit more effort to understand, but it does result in efficient encodings of data. This is one of the reasons why ASN.1 has been an international standard for many years and is used for protocols in mobile phone networks.
Ah, so I can. Thanks, and appologies for flying off the handle.