Slashdot Mirror


User: Effugas

Effugas's activity in the archive.

Stories
0
Comments
1,277

Comments · 1,277

  1. Re:Perspective Via Elvis on The Internet Shifts East · · Score: 2

    The google archive is still moderately incomplete. I got this link from 3s7bm2$il6@inet-nntp-gw-1.us.oracle.com (it was reposted in alt.humor.best-of-usenet).

    I'm going to crawl my personal usenet archives and see how much of it is missing from GooJa.

    --Dan

  2. Perspective Via Elvis on The Internet Shifts East · · Score: 5, Funny

    From: gascan@dcst16.pt (Bill Gascoyne)
    Newsgroups: talk.origins
    Subject: The dangers of extrapolation (was Re: Speed of Light

    A cautionary thought on the dangers of extrapolation.

    It is reported that in 1977 there were 37 Elvis impersonators in the world.
    In 1993 there were 48,000. At this rate, by the year 2010 one out of every
    three people in the world will be an Elvis impersonator.

    :-)

  3. Re:Still Waiting on Single-Photon LED: Key To Uncrackable Encryption? · · Score: 2

    First of all, let me say that I really appreciate the rigor of your response. The better responses I receive, the more I'm motivated to bring my own level of knowledge up to that of my peers. So, to be blunt, thanks for helping me think :-)

    I have a few thoughts on the matter, now that I understand the presumptions behind Bell's Inequality(mainly, that the entire set of hidden variable theories would have to output non-QM results), but I'm going to sit down with my ex-roommate(degree in Physics from Purdue; couple years in optics at Intel) and work things out correctly first. Anything less would be SNAKO(Situation Normal, All Kooked Out) :-)

    Too many parentheticals :-)

    --Dan

  4. The killing blow on Review: Not Another Teen Movie · · Score: 2

    I can't believe I forgot to mention this. Even with Hollywood's obsession with Asian guys as fighters, they still managed to cast a f*cking white guy for the next big hyperreferential spoof movie of the year, Kung Pow.

    Granted, they found Dave Barry's evil twin, and the movie looks utterly hilarious(meaning l33t hax0r wannabe Katzbashers will set their flamethrowers on 'troll flambe con carne' come January 18th), but for f*ck's sake is the concept of some actor kicking ass *and* making people laugh so disturbingly alien that the casting director couldn't imagine an Asian guy doing both at the same time?

    WTF: Carrot Top is an international star while Margaret Cho gets her ass booted off the air in her first season for doing that *truly* American McArt form, "People are f*cking retarded, that's the situation." Oh well. She's free to mock whatever she likes in clubs around the country now, while Carrot Top whores himself out to 1-800-Collect(the place where stars nicely say 'I can no longer afford to pay ten cents a minute, but if this doesn't pan out, I'll be earning $2.99 a minute').

    I suppose there's some justice in the world after all.

    --Dan, who is flashing back to "There is no justice, there is just us."

  5. Re:Small Self-Reply on Review: Not Another Teen Movie · · Score: 2

    Yeah, just checked Russell's filmography.

    Let's see, Romeo Must Die, Vanishing Son 1-5, and *deep breath* "Rumbling Sky Dragon Tiger Meeting".

    Nope, no fighting there :-)

    Seriously. The only reason Russell had a chance at Takedown(a truly horrendous movie, on all accounts) is that 1) It was based on a true story and 2) "Tsutomu Shimomura" flames Japanese like Julie Andrews singing "The hills are alive...with the sound of laughter if we cast Ryan Phillipe in the role of some guy named Tsutomu."

    Mind you, they still managed to cast a Chinese guy. I imagine this is similar to casting Sean Connery as Jeff Foxworthy. Worse, actually, for reasons you won't find in certain textbooks.

    Honestly. When "model minority" means "even the men are only appreciated for what they can do with their bodies", something's f*cked.

    As for the book itself, of course he sounds like a pompous ass, he thought his own life was interesting enough to write a book about. (Psst. Metajoke here.) What, he's gonna write a movie to make himself look BAD(er, I mean intentionally)? Infosec guys -- computer guys in general, for that matter -- know a tremendous amount about incredibly obscure things. Quite a few of them get egos about themselves. Hell, if I was a slightly better coder, I'd probably be a prick too :-)

    (And if I wasn't in such a hellaciously nasty mood lately, I wouldn't even be posting on Slashdot today. But who's counting.)

    --Dan

  6. 3* $pack_of_cigarettes on Review: Not Another Teen Movie · · Score: 2

    Not that I particularly have a problem with smoking, but the combination of:

    1) Doing a drug that gives more misery when you're off of it than it does pleasure when you're on it,
    2) Thinking of money in terms of how much of that drug it buys you,
    and
    3) Mocking someone else for being a dumbass

    ...is a hell of a combination :-)

    --Dan

  7. Small Self-Reply on Review: Not Another Teen Movie · · Score: 3, Insightful

    There was one other pretty decent set of metajokes in there -- note the reference to asians:

    1) The only asian "character" was a white guy.
    2) The asian male actors didn't speak but did know kung fu.
    3) The asian female actresses were bitchy but subordinate(indeed, could only speak in unison) behind the white head cheerleader.

    Mind you, I'm just some white guy. But I have noticed there aren't actually, um, any asian male stars in Hollywood. Like, at all.

    Unless they fight.

    By contrast, there *has* to be a Token Black Guy, and he *has* to be obvious. Bonus points if he's got an African name.

    For a crude movie, this was some elegant subtlety.

    --Dan

  8. Metajokes Galore on Review: Not Another Teen Movie · · Score: 2

    Granted, the movie was about twice as long as it should have been, and simply ran out of things to make fun of. And, yes, they beat the dead horse that became Cruel Intentions into anthrax-worthy particles of meatjuice.

    That being said, I have to respect movies that have some decently obscure and enjoyable subtexts. For example:

    1) The Title. Not Another Teen Movie. The joke is, it *is* another teen movie...so, "Not ANOTHER Teen Movie!?!", instead of "NOT Another Teen Movie." Possibly unintentional, but given the ending(worth gritting through, just to hear the last words from the last speaker) I doubt it.

    *SPOILER ALERT*

    2) Amanda. So they mocked the bejesus out of Jennifer Love Hewitt's role in Can't Hardly Wait. Sure, fish in a barrel. But giving Lacey Chabert, who costarred with her on Party of Five and probably had to choke on Hewitt's silicone-enhanced shadow for years on end, the opportunity to lay waste to her former colleague...heh. Impressive.

    Incidentally, am I the only one who is tired of "I used to like Katz, but now, with this horrific review of such-and-such, I have to change my mind"? STFU. Quit cloning Indy Rock Pete; Katz at least can choose to like or dislike whatever the hell he feels without consulting IMDB to make sure that he's rating Remember the Goddamn Titans higher than a silly hyperreferential uber-spoof of a flick.

    And that's more than I can say about at least one of you. :-)

    --Dan

  9. Re:Still Waiting on Single-Photon LED: Key To Uncrackable Encryption? · · Score: 2

    Jerf:

    Your respect is much appreciated. I'm maintaining a healthy amount of doubt in my own ideas, so I do appreciate a bit of respect in them from those who know quite a bit more of the nuts and bolts than I.

    I see the hidden variables(or spatial PRNG seeds, or whatever) as being useful in the sort of way chemistry operates: Useless for individual predictions, but critical for larger scale operations and cleaning up some unparsimonious nastiness(like asymptotic data transmission rates; see my other reply to this thread).

    Quantum Intrusion Detection actually bugs me more than entanglement. I actually believe two particles can be made related over some distance(my quibble is that their entropy itself was made related, thus obviating the need for a message to be sent between them). Proving a negative -- that it's conceptually impossible to duplicate some data stream -- is a lot tougher, and I sense dangerous levels of overconfidence on the matter.

    Physics is not a field that's particularly compatible with realities of security research. Schneier's analogy of planting a ten foot steel pole in the ground and expecting the enemy to drive right into it isn't something that lends itself well to a realm where entire classes of theory aren't developed because the math is too obscure to work with. "As long as you're concerned about the notes, you can't create music." And as long as you're struggling to get there in the first place, it's impossible to really understand what might go wrong. Airliners were a mature technology long before they were an obsessively safe one.

    I really think we don't know enough about the nature of quantum reality to be making absolute statements of uncrackability. But then, it's easy for me to claim ignorance; I just know the security side, not the physics.

    That's going to change, someday. Hopefully I won't go kooky because of it. (Now *there's* a statement that could seem tremendously ironic in a few years!)

    Cryptography can be a much wider field of inquiry if you let it be. It's actually equal parts psychology and mathematics, for instance.

    Yours Truly,

    Dan Kaminsky
    DoxPara Research
    http://www.doxpara.com

  10. Re:Still Waiting on Single-Photon LED: Key To Uncrackable Encryption? · · Score: 2

    The duplication of quantum indeterminacies suggests quite strongly to me that they're not so indeterminate after all. I'm speculating that there's a pseudoentropic function on the quantum scale.

    If nothing else, an algorithmic function universally deployed either in space or matter wouldn't *need* to be transmitted, thus matching the asymptotic FTL speeds that seem to be required. How long does it take to transmit nothing at all?

    I'm pretty much resigned to the fact that this is going to suck up about six to eighteen months of my life someday, in which I'll actually have read and completely grokked Einstein's spooky action paper.

    Until then, the only reason I give these thoughts any credence is because they're my own.

    Yours Truly,

    Dan Kaminsky
    DoxPara Research
    http://www.doxpara.com

  11. Re:Still Waiting on Single-Photon LED: Key To Uncrackable Encryption? · · Score: 5, Insightful

    I have no desire to keep on kooking. :-) That I am utterly convinced of something I cannot adequately argue is driving me *hard* to learn the necessary physics to address the topic reasonably.

    But I'll do a braindump, if only to see your reaction. Warning: Unbridled speculation based off a single plausible postulate follows.

    It's an interesting corollary from crypto research that you can never be entirely sure a data source is truly entropic, as opposed to the output of even an adequately designed pseudo-random number generator. (Take a look at RC4 -- something that takes that little code to implement could certainly exist as a style of equation for atomic and subatomic scale apparently entropic output.)

    Knowing that one of the least understood but most significant errors in cryptography would be utterly unknown in any other field of research lends some credence to my thinking that at least some supposedly entropic processes are really pseudoentropic. It's not that I think physics people are "morons", like one person mailed me. On the contrary, they're some of the brightest people around. I just think they're underestimating the degree to which pseudoentropy, defined as a stream of "provably random" data derived from a single seed value, can mask actual entropy. GIGO, and all that.

    That being said, that I'm only slightly familiar with the apparently disproved "hidden numbers" theory that believes it directly addresses this line of thought has given me a great deal of humility. My hope is that the argument against hidden numbers tends to focus on easily detectable randomizers and is overapplied to higher level processes.

    Both Quantum Intrusion Detection and Quantum Entanglement, of course, make quite a bit of sense with a PRNG in place. Of course two particles can get entangled; if both can be forged with the same seed, they'll vary with exactly matched entropy. (We use this exact property when we use RC4 as an encryption system: By XORing against matched entropy, a sender can transmit to a receiver using what is indistinguishable from pure noise to anyone without the seed value.) But what would the "seed" be? Surely not position and velocity, even if it is tempting to discretize by Planck Length. I nominate direction, defined as degree of relative dimensional translation, but then I don't have much of a place to nominate anything :-)

    Whatever the seed value might be, once two particles match in any way, any subsequent measurements of both relative to each other would tend to be uncomfortably related, even if analyzing each bitstream directly would evidence perfect entropy. And that's what we find from what little I know about the entanglement experiments. (Why yes, I'm throwing doubt on my own words to prevent other people from kooking out on my own gnawing musings.)

    As for Quantum Intrusion Detection, a correction that makes perfect sense, the presumption is that it's impossible to duplicate the seed values that give rise to the sender/receiver relationships. But entanglement is all about duplication of seed values, as for that matter is photon transmission through a non-vacuum. You can't hide the fact that states are related by simply saying that entanglement implies "states may change". Spins aren't just changing; they're changing in a manner predictable to one another. If that's possible, it's difficult to out-of-hand conclude that a supposedly intrusion-proof photon couldn't itself be split, and have its entangled partner measured upon the original having its state set. You could claim the newly split pair couldn't possibly have the same seed value -- but that's more of a technological challenge than anything else. Especially if direction is a seed value, four ninety-degree bounces would equalize direction.

    There's other stuff on my mind(most notably, some annoyance with the anthropomorphized concept of "observation" and "measurement" that could be abused to presume that the "observation" of dinosaur bones sent a signal sixty-five million years previous to establish the birth and death of dinosaurs in general and that specimen in particular), but I think I'll stop playing public kook for now. :-)

    Yours Truly,

    Dan Kaminsky
    DoxPara Research
    http://www.doxpara.com

  12. Still Waiting on Single-Photon LED: Key To Uncrackable Encryption? · · Score: 2

    Physics kooks annoy me. They do. The Alexander Abians, the Time Cube guys, all of em have always bugged me. They've always had the feel of someone who feels themselves too smart to actually do the research to understand something.

    So the fact that I hold tremendous doubt in something the physics gurus all take for granted *really* bugs me.

    But, I'm telling you. Sooner or later the guys pushing quantum entanglement(*nervous twitch* spatial PRNG *nervous twitch*) will meet up with the guys working on quantum encryption, have some kind of matter/anti-matter postulate collision, and I'll have this big goofy smile on my face.

    I'm telling ya, neither work particularly well by themselves, but in the context of the other, both Quantum Crypto(states can't be copied) and Quantum Entanglement(states can be copied, at FTL no less) are completely borked. It's the only kook conviction I haven't been able to shake, and you'll have to email me personally if you want to suffer through my full kook reasoning on it(you can probably guess what it is). But I'm telling ya: Next few years, possibilities are getting shuffled.

    Yours Truly,

    Dan Kaminsky
    DoxPara Research
    http://www.doxpara.com

  13. Er, Google Groups :-) on Google Expands Usenet Archive to 20 Years · · Score: 2

    (Yes, this is the third time I've tried to post this. Damn Slashfilters :-)

    Accusations of ego surfing will be ignored. It's always interesting to see where you came from...

    --Dan

  14. I'm Gone. on Google Expands Usenet Archive to 20 Years · · Score: 2

    I'm gone from the archive. Like I was never there.

    effugas@best.com, dankamin@cisco.com, Dan Kaminsky ... I can't find any evidence of my existence on google.

    It's actually somewhat disorienting, like looking at your fingertips and seeing a smooth clear reflection staring back at you...

    --Dan

  15. Re:Too many fucking links on Rendering Ultrasonic Imagery: The Sonic Flashlight · · Score: 2

    The first link pointed directly at the news article and the second directly at the author's home. Excuse me for doing a bit of research to foster discussion on the topic.

    --Dan

  16. Coinage Failed on Network Webcurity Wishlist? · · Score: 2

    Webcurity? Sounds like one dot-com too many. Among other problems, "curity" feels more like it belongs to *obscurity* than *security*. Besides the famous line separating the two, nobody wants an obscure website :-)

    Security-related phrases in the English language are usually combinations of initial syllables. Information Security gets compressed down to InfoSec, "Defense Condition" to DefCon, and "Strategic Forecasting" to StratFor, for example.

    WebSec...well, sounds like it'd be a phrase for the specific branch of Infosec dealing with external access to internal data through a tightly controlled interface. Certainly feasible, though you start hitting problems when protocols other than HTTP start getting used. (Is it a website if you don't get it over HTTP/HTTPS?)

    Of course, with everything imaginable getting piped over HTTP(as opposed to SSH *grins*), maybe WebSec is appropriate...

    Yours Truly,

    Dan Kaminsky
    DoxPara Research
    http://www.doxpara.com

  17. Re:working with large files on Linux Breaks 100 Petabyte Ceiling · · Score: 4, Informative

    SSH has done quite a bit of work to support +2GB files. As always, the following will and always has worked:

    cat file | ssh user@host "cat > file"

    More recent builds of SCP will also support +2GB, so:

    scp file user@host:/path
    or
    scp file user@host:/path/file

    will both work.

    In fact, probably the best way for syncing two directories is rsync. Rsync's major weakness is that it's *tremendously* slow for large numbers of files, and I believe it has to read every byte of a large file before it can incrementally transfer it(so you're looking at 2GB+ of reading before transferring). The following will do rsync over ssh:

    rsync -e ssh file user@host:/path/file
    rsync -e ssh -r path user@host:/path

    For incremental log transfers, I actually had a system built that would ssh into the remote side, determine the filesize of the remote file, and then tail from the total file size minus the size of the remote file. It was a bit messy, but it was incredibly reliable. Did have problems when the remote logs got cycled, but it wasn't too ugly to detect that remote filesize was smaller than local filesize. Just a shell script, after all.

    SFTP should, as far as I know, handle 2GB+ without a hitch.

    Both SCP and SSH of course have compression support in the -C tag; alternatively you can pipe SSH through gzip.

    Email me for further info; there's some SSH docs on my home page as well. Good luck :-)

    --Dan
    www.doxpara.com
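    The size-difference log transfer described in the comment above, written out as an added example (not the poster's own script). To keep it runnable offline, the "remote" copy is simulated by a second local path; in real use the remote size would come from something like `ssh user@host wc -c < /path/file` and the appended bytes would be piped through `ssh user@host "cat >> /path/file"`. The function names `file_size` and `sync_append` are assumptions for this example. It also handles the rotation case the comment mentions: when the remote copy is larger than the source, the offset is meaningless and the whole file is resent.

```shell
#!/bin/sh
# Incremental log transfer: ship only the bytes the remote copy lacks.
# Example code added here, not the poster's own script. The remote side is
# simulated with a local path so this runs offline; swap in
#   remote_size=$(ssh user@host wc -c < /path/file)
#   tail -c +N local | ssh user@host "cat >> /path/file"
# for a real deployment.

# Print the size of a file in bytes, or 0 if it does not exist yet.
# wc -c is POSIX; tr strips the leading padding some wc builds emit.
file_size() {
    if [ -f "$1" ]; then
        wc -c < "$1" | tr -d ' '
    else
        echo 0
    fi
}

# sync_append LOCAL REMOTE
# LOCAL is the growing source log, REMOTE the (simulated) remote copy.
# Prints one of: "nothing", "appended N", "rotated N" (N = bytes sent).
sync_append() {
    local_file=$1
    remote_file=$2
    local_size=$(file_size "$local_file")
    remote_size=$(file_size "$remote_file")

    if [ "$remote_size" -gt "$local_size" ]; then
        # Source was rotated (it is now smaller than the copy), so the
        # byte offset no longer lines up; resend the whole new file.
        cat "$local_file" > "$remote_file"
        echo "rotated $local_size"
    elif [ "$remote_size" -eq "$local_size" ]; then
        # Nothing new. (A rotation to exactly the same size is invisible to
        # this check; that is the known weakness of a size-only scheme.)
        echo "nothing"
    else
        # tail -c +N starts at byte N (1-indexed), so skip remote_size bytes.
        tail -c +$((remote_size + 1)) "$local_file" >> "$remote_file"
        echo "appended $((local_size - remote_size))"
    fi
}
```

Because the scheme compares sizes only, a source file rotated to exactly the same length as the remote copy goes undetected; checking the first few bytes or an inode/mtime alongside the size closes that gap.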

  18. Re:They cheated us. on DEF CON "Capture the Capture The Flag" Data · · Score: 2

    They dropped a flag in my root directory, thus "rooting" me and getting massive points.

    Q: How do you hack someone's desktop?
    A: Ask someone to let you check your mail.

    --Dan

  19. Re:They cheated us. on DEF CON "Capture the Capture The Flag" Data · · Score: 2

    *laughs*

    "But...but...it's the client pool...you're not supposed to be attacking the client pool...whine whine...bitch bitch...goddamn fuckers that was a good hack...whine whine..."

    I did some serious penance for bringing a WinXP beta laptop to hack against Ghettohackers. Let's just say *my* Caesar's Challenge involved swimming on the bathroom floor and puking off of balconies the night before my big talk.

    Man, that night was fun.

    --Dan

  20. Re:They cheated us. on DEF CON "Capture the Capture The Flag" Data · · Score: 5, Funny

    Ghettohackers quite brutally owned my laptop. One of 'em started chatting with me, asked if he could check his email...though I watched the screen, it's always polite to look away when someone types in their password.

    Except when that password is

    notepad c:\flag.txt
    ghi

    Now, at the time I damn near killed someone over that...but I realized pretty quickly it was a damn slick hack. Ask, and ye shall receive. Even from me.

    --Dan

  21. PGP failed because of NAI incompetence on NAI to Sell Off PGP Product Line · · Score: 5, Insightful

    *laughs*

    Well, yes, it's quite true that PGP had disappointing sales. The company had a nasty tendency of attempting to bundle about four other products with PGP and *refusing* to negotiate with any company, no matter how large, about perhaps a more reasonable package.

    It's funny that I have this exact story from so many different sources that nobody can say I'm compromising internal information. Go ask your friendly IT Purchasing agent about any adventures they had trying to get a site license for PGP. This was mandate from upper management: Either all the stripes make some cash, or none at all.

    NAI consistently chose the latter. Now, as for all the conspiracy theories...never attribute to malice...

    --Dan
    www.doxpara.com

  22. Sex, Drugs, and Rock 'n Roll on Could Eminent Domain Break The RIAA Stranglehold? · · Score: 3

    Forgive the mild indiscretion of self-linking, but I was speaking of this very occurrence a couple months back. The title makes quite a bit more sense if you read the link :-)

    http://www.doxpara.com/read.php/music/trinity.html

    A number of writers here have stated that Eminent Domain should never be applied to the benefit of individual corporate providers; while I'd normally be inclined to agree, I note there is a strong compulsory licensing program (administered through BMI and ASCAP) that effectively gives radio stations the freedom to play whatever music they like on the air, as long as they hold to certain restrictions(no more of a certain band in an hour, they may only play "official releases"[grr], etc.)

    Mass outlets of content should be more free and open, not less free and tightly controlled. As elements of culture become progressively more productized and trademarked(even our stadiums are monetized, at the cost of the legitimacy of our homes), I do believe it's clear that, at least conceptually, there is some dispersal of rights and "ownerships" over that cultural artifact.

    Now, what's interesting is the question of whether an artist has the right to prevent their work from becoming such an artifact in the first place. Far from an insignificant argument--it's one thing for "The Red Shoe Diaries" to be compulsory licensed and sold online; it's another for the average person's diary to be downloaded from their computer and sold online! One conclusion you could reach might be that, once the product was commercialized by its author, *but not before*, it was fair game for automatic distribution. Such creates a fluid and "free" market without arduous restrictions on the flow of money.

    This does seem to imply that buyers of a good have rights and expectations over that good, even before sale. One could imagine access within a convenient marketplace to be among them.

    *scurries off to think this through further*

    Yours Truly,

    Dan Kaminsky, CISSP
    http://www.doxpara.com

  23. Enough with the institutional amnesia! on Britannica and Free Content · · Score: 2

    I'm getting immensely tired of this inability of the tech industry to remember back more than a few short years.

    Encyclopedia Britannica was actually one of the first major general purpose information sites on the web, and most assuredly charged for access.

    (I know this because they had a free access program that used unique email addresses to limit repeat signups--but since I had a static DNS that redirected *all* usernames to my address, I could repeatedly sign up for free weeks of service.)

    Find your own significance in this.

    --Dan
    www.doxpara.com

  24. Re:Burden of Proof: Show He *Wasn't* Authorized. on Georgia Sues RC5 User For $415,000 · · Score: 2

    False analogy. A good analogy would be if I hired you to clean the dog shit off my yard, and you instead dumped a truckload of dog shit on it. If you did that, you'd pay and pay and pay.

    He was hired to install software. He didn't remove vast chunks of software, which would be the analogous argument. He also didn't attack the security of the systems he was using("removing the lock from the door") or attempt to view other people's information("pulled the mail from the mailbox"). He did too much -- he installed extra code that wasn't actually desired.

    A better example is that he was hired to clean up the dog shit, and he decided to clean up the cat shit too.

    He did extra work within the constraints of his legitimate access and his job. It's that simple.

    Not for security it doesn't. Security is a matter of knowing where every program on the machine came from, and knowing that no uncertified programs have even been run on the machine. It is solely a matter of trust, a matter of having a known chain of control. That trust is easy to throw away and expensive to regain.

    The trust never existed.

    Let me repeat that, with emphasis:

    The trust that you describe, with full chain of evidence and absolute knowledge as to the source of every last byte on every last system, did not exist in this environment.

    You cannot accuse somebody of losing for you what you didn't actually have!

    The fact that not only did he not lose this trust, but he isn't even being accused of attempting to gain more trust than he was legitimately entitled to(via *actual* hacking) does a lot to make me extraordinarily annoyed with this case.

    I've seen at least one rumor that these were lab machines. Security begins with the physical, and with the vast number of people using these machines, it's literally impossible for them to have been considered anywhere even remotely within the same galactic vicinity as a "trusted base".

    Yours Truly,

    Dan Kaminsky, CISSP

  25. Re:Burden of Proof: Show He *Wasn't* Authorized. on Georgia Sues RC5 User For $415,000 · · Score: 2

    Security is having confidence that every bit on the hardware comes from a known, approved source. You lose that when you install an untrusted program, and the only way to regain it is to delete everything and start from scratch.

    Except he isn't accused of attempting to backdoor the systems. He isn't accused of attempting to hack them at all.

    He's accused of running undesired software.

    That's a major difference. This isn't a situation where an untrusted user got trusted access. This isn't even realistically a case where a trusted user gave untrusted users access(in the sense of others being able to do anything they wanted using the computational power of the university). A trusted user did something that others disapproved of. As long as there's no belief that he hacked the machines as well as used them for undesired tasks, simply killing the tasks is sufficient.

    He wasn't even running a password cracker.

    A better analogy would be if you hired a mechanic to change the oil in your street-legal drag racing car with a $30,000 racing engine, telling him to only use Mobil synthetic oil, and he used olive oil instead.

    Yes, the moment I see an exact catalog of specifically what McOwen was supposed to install, and in what order, I will agree that he had no discretion to install any more or any less.

    I do not expect such a list to be forthcoming.

    OTOH, if you installed S@H on a live banking server 'just because', they'd beat you to death with CAT5, even if you have admin privileges.

    Again, university environment, not big multibillion dollar conglomerate with a stock price to keep up. Downtime is not disaster for *any* system in most universities.

    By contrast, more than a few companies have hot spare buildings. You heard that right: If, one day, the office should cease to exist, everyone may go to another.

    --Dan