> Are you saying that the copyright holder has no rights??? Stealing cable is theft. The cable company owns the rights to distribute the signal and charge for it. The MPAA (or equivalent agency) owns the rights to distribute many movies and/or songs. We can claim to have rights while denying them theirs.
Cable is a continual service. I pay this month, I get to turn on the TV this month.
Purchased videos are not a continual service. They're mine. They don't change over time, they don't get anything new from the manufacturer showing up on my doorstep in two months...they're mine. Can I make a copy and sell it? Nope. Can I make no copy and sell *my* original? Yup. No different from a book--I can't copy my property and give it to anyone else, but I sure as hell can give my property away.
The MPAA got their payment when I bought the movie. From that point until when I sell or disavow ownership of that payment, the movie is mine.
Denying this perceived reality is meaningless. If the law says something else, people will ignore it until they get arrested for doing something that they could never imagine as being wrong.
> If you help or facilitate the breaking of copyright protection, you have violated the DMCA.
This ain't nothing new, actually. Copier manufacturers, cable stealers, etc. have been getting this for years. But cable is an ongoing service; DVD's are a product you buy. The idea that you're only allowed to use a product you buy in ways that the manufacturer has deemed profitable to them--and that you're not allowed to give the manufacturer the finger--yeah, that's new.
[Damnit. Two really bitter Slashdot posts in a row. This doesn't bode well.]
You know, the more I think about this, the more I'm beginning to realize this is really the argument we need to start making.
There are lots of complicated arguments I could make, but I think I'd rather just leave it at--
If I bought it, it's mine. If I want to sell it, it's mine to sell. If I want to break it into little tiny pieces, if I want to put it in the microwave, if I want to worship it as a proclamation that God himself is going to touch down in a UFO on Main Street at 2:48PM, damnit, I don't need whoever sold it to me's permission to believe in whatever the heck I want to in their product!
See, that's the nice thing about capitalism. There's no central planner to say that you have to sit here, or go there, or be nice. There's no excessive transmission of executable context, to speak in geek terms. You pay the cash, you get the product.
Without passing judgement on the rightness or wrongness of communism, there's some delicious irony in that while Open Sourcers are supposedly the biggest backers of communism, we're the ones screaming our brains out over software freedom while the biggest companies in the world lick their chops on the concept of being The Central Planner.
After all, what are these newfangled "circumvention-resistant" devices but a yoke against which our core freedoms as consumers are jerked away? Imagine, for a moment, that Master (a fine purveyor of padlocks) was powerful enough to extract a licensing fee from any makers of lockers, safes, and doors. Imagine you needed to prove, *to the lock*, that the object it was being placed on was licensed before you'd get your key.
Lemme tell you what'd happen, real quick: People would figure out how to bust the key--which they bought, when they bought that lock--out, so they could go about their business of doing whatever they damn well pleased with *their* *property*.
The only reason these laws are getting passed is because people seem to think this is limited to just tech stuff.
We're talking about *basic* *freedoms*, here. We're talking about *the right to private property*. When I buy a master lock, I buy the lock, and I buy the key.
When I buy a DVD, I buy the lock, and I buy the key. They're right there on the disc. Sure, they're made difficult to get to, but I've got 80 head screwdrivers for the reasons of custom screw designs *BUILT* to make it difficult for me to get to things. But ya know what?
If I wanna break my car, it's my car to break. If I wanna throw my DVDs in the Microwave, it's my aluminum to fry. If I wanna use the keys on that disc for something The Manufacturer Just Wouldn't Approve of, damnit, it's my disc, they sold it to me, they took my money, they can go away. If I steal the keys off of some DVD I haven't bought, then I'm a thief. If I use the keys on some DVD I bought...
THOSE. WERE. MY. KEYS.
I'm going to sleep. Maybe when I wake up this nightmare of idiocy will be over.
Yours Truly,
Dan Kaminsky DoxPara Research http://www.doxpara.com
[WARNING: The contents of this post are slightly off topic, until you consider A) This is a subject regarding excessive CPU power that nonetheless consistently gets overrun and B) This site has been overrun and I can't comment on the actual contents of it.]
[WARNING 2: This is one of the more bitter posts I've made to Slashdot. You've been warned.]
And so it was so ordered, after legions upon legions of sites fell to That Which Was The Slashdot Horde:
If the content of the web page is not dependent on the identity of the user, then the content of the web page MUST not be generated specifically for that user.
Yes, that's an IETF must, damnit:-)
This isn't a complicated concept, folks. If each user gets a very different page(think search engine), then you dynamically generate the new content live. If each user only gets a slightly different page...well, gee, dynamically generate that slight difference, but leave static everything else.
If you're dependent on the user, change the page for each user. If you're dependent on some local index of news, then change the page each time the local index of news changes. If you're dependent on an angel coming down and teaching you to code the goddamn meaning of life in Perl, *THEN CHANGE THE PAGE WHEN SOME GLOWING HALOED CREATURE WALTZES IN YOUR STUDIO*, but for *CRYING OUT LOUD* don't regenerate your page every time I try to read some godforsaken article!
It's simple stuff like this that make me feel like I have a moral obligation to be a Comp Sci major. Grrrr.
One other point...ya wanna talk overcommitment? The Linux kernel lists are going nuts about the reasonably rare situations that can arise when the OS allows processes to overcommit memory, on the probabilistic assumption that not all processes will actually use the memory they request. What to do when the memory actually committed actually becomes used? Should the OS die, so that the processes may live? What processes does the OS kill to keep itself alive? There's a lot of argument about how to deal with overcommitment on the OS level, and I'll leave that fight to the experts.
But lemme tell ya, just view the Slashdot Victim of the Day to find web pages that deal with overcommitment. Since these sites aren't too likely to change their entire codebases all that soon, may I suggest that expressing Database Errors *might* not be the most graceful method of expressing degradation of resources?
In other words, faced with the choice of fewer ad impressions and fewer readers vs. temporarily switching to a cached copy of the page which is 99.9% accurate, might it not be nice to have built as a core element of Apache's modperl something along the lines of, "Run this script to generate this page UNLESS we're getting hammered; in that case, use mod_rewrite to change the URL to a static equivalent of our now thoroughly overloaded page"?
Ahhhh. I might actually be able to view pages about Gigahertz SMP:-)
Yours Truly,
Dan Kaminsky DoxPara Research http://www.doxpara.com
P.S. Irony #1235235: It's taking me forever to finally get this comment posted:-)
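The caching policy argued for in the post above, as an added example that is not code from the original post or from Apache/mod_perl: a page is regenerated only when the index it depends on changes, the shared part is served to every user with only the per-user greeting rendered live, and when the generator is saturated the last good copy is returned instead of an error. The `NEWS_INDEX`, the `max_inflight` threshold and all names are hypothetical.

```python
"""Added example, not code from the original post: a page cache that
regenerates a page only when the data it depends on changes, serves the
shared part to every user, and, when the server is being hammered, returns
the last good copy instead of running the generator again.  All names and
the news index below are hypothetical sample data."""
from dataclasses import dataclass, field
from typing import Callable, Dict, Tuple


@dataclass
class CachedPage:
    version: object   # version of the dependency the body was rendered from
    body: str


@dataclass
class PageCache:
    max_inflight: int = 4            # generator runs we can afford at once
    inflight: int = 0                # generator runs currently executing
    generated: int = 0               # how often the generator actually ran
    pages: Dict[str, CachedPage] = field(default_factory=dict)

    def overloaded(self) -> bool:
        return self.inflight >= self.max_inflight

    def get(self, key: str, version: object,
            generate: Callable[[], str]) -> Tuple[str, str]:
        """Return (body, how); how is 'cached', 'stale' or 'fresh'."""
        cached = self.pages.get(key)
        if cached is not None and cached.version == version:
            return cached.body, "cached"   # dependency unchanged: never regenerate
        if cached is not None and self.overloaded():
            return cached.body, "stale"    # hammered: old copy beats a database error
        self.inflight += 1
        try:
            body = generate()              # the expensive, shared part
        finally:
            self.inflight -= 1
        self.generated += 1
        self.pages[key] = CachedPage(version, body)
        return body, "fresh"


# Constructed stand-in for the site's "local index of news".
NEWS_INDEX = {"version": 1,
              "headlines": ["Gigahertz SMP benchmarks", "New kernel released"]}


def post_headline(text: str) -> None:
    """Editors change the index; only this bumps the version the cache keys on."""
    NEWS_INDEX["headlines"].append(text)
    NEWS_INDEX["version"] += 1


def render_front_page() -> str:
    return "<ul>" + "".join(f"<li>{h}</li>" for h in NEWS_INDEX["headlines"]) + "</ul>"


def front_page_for(user: str, cache: PageCache) -> Tuple[str, str]:
    """Only the greeting differs per user; the headline list stays shared."""
    body, how = cache.get("front", NEWS_INDEX["version"], render_front_page)
    return f"<p>Hello, {user}</p>" + body, how


if __name__ == "__main__":
    cache = PageCache(max_inflight=2)
    for user in ("alice", "bob"):
        print(user, front_page_for(user, cache)[1])   # fresh, then cached
    post_headline("Slashdotted again")
    print("carol", front_page_for("carol", cache)[1])  # fresh: index changed
    cache.inflight = 2                                  # pretend we are saturated
    post_headline("Yet another story")
    print("dave", front_page_for("dave", cache)[1])    # stale: served old copy
```

The `inflight` counter stands in for whatever load signal a real server has (queue depth, database connection pool exhaustion); the point is that the decision to serve a stale copy is made before the generator runs, so the overloaded path costs nothing.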
Heh. It's been a while, but I remember going to my counselor in 8th grade and saying just that. He told me not to let it bother me. Thank god I got that message, it made it all better. </i>
If your school fails you, go to your school board. But we don't want someone 3000 miles away saying "We've been getting a number of calls about this kid, better toss him down the garbage disposal just to be safe."
On the one hand, you've got anonymous measurement tools beyond count: Slashdot's AC's, Employer info sites, that Teacher site that's getting sued for Libel...
And it's our god given right to use those, right?
Then on the other, you have W.A.V.E. Similar anonymous measurement, *EXACT* same potentials for abuse (unpopular people get slammed unfairly for fair actions, etc.) The technology itself--anonymous evaluations--remains consistent. So what's different?
Let's see. The former consists of individuals commenting on members of a larger institution. The latter consists of larger institutions retrieving commentary from their individual members <i>regarding</i> their individual members.
Still, this doesn't establish that there's anything wrong with W.A.V.E. I generally want the institutions I'm a member of to protect me from other members--particularly schools. There's an irrational "tattle tales are bad" chant that ignores the fact that Geeks Like Me would be toast without the ability to go to a counselor or a dean of students and say, "That kid over there is beating me senseless on a daily basis. That sucks!"
Yes! Tattle! If someone's making your life miserable, <i>you can do something about it</i>! Schools have and need infrastructure to deal with this.
And that's when things start to fall apart for the W.A.V.E. program. There's something truly perverse about what it has people report...it's not those students who <i>cause</i> the most misery who get busted; it's those students who everyone looks at and says, "Man, that kid is such a loser and everyone hates him. Shit, he's gonna take a gun and shoot up this place!"
In other words, W.A.V.E. has implicit in its design a scheme that doesn't prevent harassment, rather it provides a means of tagging and identifying the harassed. This wouldn't be an awful thing, if it wasn't so presumptuous and backwards--we need to do something about these poor kids who get kicked around every day...not to deal with the violence of them getting kicked around, mind you! "That's normal, you see. Kids establish a pecking order, you can't fight that." No, this isn't about stopping the kicking, it's about essentially providing a means of recognizing when a kid's been kicked so low that they might start fighting back. It's to recognize when kids are brought to the point where they have nowhere to go but up.
How scary, that after months of enduring torment, your institution itself gets into the act, worrying that something must be wrong with you if the popular kids don't like you.
And thus, where the <i>real</i> fear of this system is coming from: It's not the anonymous reporting--we like anonymity, look at all the people who make a career out of bashing Katz on a regular basis. (Incidentally, I was impressed by this story--this is probably some of Katz's better writing.) It's not even the knowledge of the institution that there are kids who are getting kicked around.
It's that the institution isn't the school.
It's the idea that, someday, some accountant will send your dean of students a "scientific report" saying you're just too likely to react dangerously to all the abuse he's been allowing under his nose. There's a tendency to use science to absolve personal responsibility in institutional management, and if The Numbers Say You'll Kill Someone, it just doesn't hurt administrators all that much to "send the child to a special school" "just to be on the safe side."
Nobody wants to be held responsible when some kid shoots up the school, and *THEY KNEW* something was going to happen--after all, that kid had an 83.2 on the Gonna Shoot Up The School scale--why wasn't he kicked out, they'll ask?
Don't laugh. If 82% of America can blame a f*cking network of computers for a schooltime massacre, *phear* what they could do to the actual administrators.
This is essentially outsourced psychological risk assessment. Instead of people within a school dealing with the problem and actually handling things from the inside--where things are visible--schools become a sort of "black box", with little candy treats being waved around to elicit data about its inner operations from unknown members inside.
When the data comes in from an outside agency, with a scientific chart o' student issues, held within a database protected by not a relevant data protection code in the country(ooh! Wanna sell Prozac? W.A.V.E. licensing divisions, how many depressed kids would you like to sell to today?)...it stops being an issue of whether tattling is right or wrong, and starts becoming a question of just how much cynicism are we willing to accept in our school infrastructure.
Calling this program WAVE, after that after school special, is so amazingly unfortunate for this program that it defies description.
Yours Truly,
Dan Kaminsky DoxPara Research http://www.doxpara.com
The device is unprofitable for a hundred bucks. Duh. So don't sell it for a hundred bucks.
Sell it for five hundred bucks, and toss in a $400 rebate if we agree to sign up for a year or two. It's what the rest of the industry does, and you guys just made me realize that it's not only the most annoying ad campaign ever to us tech guys, but it *really is* a smart way to get computers in people's hands.
It's that simple. Go in store rebate with signup, and let the geeks make ya rich.
Yours Truly,
Dan Kaminsky DoxPara Research http://www.doxpara.com
Ohhhh, I've been waiting for some geniuses to make this mistake publicly.
Anyone install CuteFTP lately? Or any of a couple hundred other applications that Aureate Inc. paid companies to install their advertising software within?
Now, many people have debunked the rather virulent myth that Aureate was paying off these hundreds of shareware developers so that they could spy on people's computers.
However, it'd be rather hard to debunk one simple fact: Hundreds of software developers put their good name on code that not only wasn't open to the world to search for security concerns...
It wasn't even open to them.
You just can't pay a Linux developer to include code in their software that nobody else can see, let alone that they can't. But hundreds of software developers merrily included Aureate's package, sight unseen, and hoped it didn't do anything bad.
Perhaps Aureate indeed does expose the final end customers to certain forms of privacy violation(most directly, users don't generally expect that anyone on the outside world knows what software they're running). But that's not nearly as significant as some of the charges against Aureate--that they were searching through registries, rifling through hard drives looking for data.
But the developers who put their name on the package didn't know for sure that the code didn't do that. The users who trusted those developers--the users whose systems were at the greatest risk--they too had no ability to audit that code for safety analysis.
And, for all of Aureate's desperate attempts to defend itself, not even they can ever be absolutely sure that their code is intrinsically free of all buffer overflows, of all forged replies, of a preconstructed false advertisement that, when retrieved, overflows the GIF decompression code to allow the host system to be compromised...in the Open Source world, we find these problems quickly and send the authors fixes.
Aureate has no such help, and no such luck.
But, they'll just keep payin' 'em off...proving every day just why Open Source is more trustable.
Yours Truly,
Dan Kaminsky DoxPara Research http://www.doxpara.com
> Please explain how a market (NASDAQ) can continually smash into now record highs (up 2% today alone) and can be in a bear market. I haven't noticed a lack of confidence in any American market.
This was the other reason I didn't use the Bear term--it's not particularly "bear" in the Long Term timeline, at least not yet. However, from Caldera's perspective, the Dow had picked up some unprecedented levels of investor interest(wasn't there like a 9% jump in value of "unloved" stocks?), their entire market had *totally* missed the boat on that major stock jump, and their stock, with its (undeserved) bland image, standardly broken PE ratio, and underperforming competitors, sure didn't look like it was time to release.
So...they added in a delay, and raised the stakes for the possible reasons I outlined earlier.
I originally said bear market, but I figured that was a little bit too much industry jargon for one day.
In case you haven't noticed, confidence in an entire stock market(NASDAQ) is fluttering as people realize just how "amazing" all those companies on the Dow are, you know, with price-to-earning ratios that don't exceed the number of years this country has been in existence.
My apologies if I've caused you any distress.
Yours Truly,
Dan Kaminsky DoxPara Research http://www.doxpara.com
Best I can tell, there are two major reasons behind Caldera's move(beyond "they're afraid that NASDAQ is puking right now"):
1) Reverse psychology. Stocks have their prices raised in response to heavy demand. An interesting way to turn the tide on low investor demand is to *act* like there's high investor demand. Some portion of investors would believe that a company being convinced that their stock is going to be heavily demanded means their stock actually *is* going to be heavily demanded. And, gee, if investors think that a stock *is* demanded, suddenly it *is*.
2) Cash distribution, particularly if the market isn't thought to be amenable to second offerings. Caldera may not want to sell any more of its soul to venture capitalists. In order to do that, it has to make as much money--as a company--selling its shares to the market. Now, you do multiple releases when you think that your stock sale at time B is going to net more cash than a stock sale at time A. If you don't think the market will keep your stock so highly valued, or if you think you'll never "escape the gravity" of your present market position without an extensive war chest with which to market and develop with, you sell your shares off on the market once at as high a price as you can muster. Raising your IPO price, so you don't have to directly sell any more of the company to the venture capitalists, gives your company a much larger war chest, is moderately neutral to existing owners(although the lack of an initial runup to the higher price may harm momentum; see PALM), and is most painful to those lucky enough to have the right to purchase stock at the IPO price(since the delta from IPO to sale price is necessarily shrunken).
At least that's how I see it.
Yours Truly,
Dan Kaminsky DoxPara Research http://www.doxpara.com
Surprisingly common form of steganography, really. There is *absolutely* no obfuscation actually hidden in the data itself--it's literally plaintext encoded as simple entries in the DNA sequence. The security comes from the fact that it's surrounded by a significant amount of non-secret information that is difficult to search (without knowledge of the correct primers).
Essentially, you're talking about a symmetric "location" secret protecting unencrypted content within a significant amount of data.
Such techniques are actually used quite commonly as countermeasures against legally mandated discovery proceedings--a large corporation (Microsoft or Tobacco companies in particular) is sued for its memo records; tens of thousands of boxes of unrelated material are delivered to the suing party on the presumption that they will hide the one "smoking gun" memo that will seriously damage the corporation.
In the inevitable arms race that follows, the entire mass of data gets OCR'd and searched for critical keywords. That solves the legal issues, but without an efficient "OCR" method that can quickly sequence a chromosome into its underlying data, this student's steganographic method is extraordinarily effective.
However, should such a technology be created, the size of the "keyspace" becomes drastically shortened: Apparently, the entire human genome will fit into six hundred megabytes--this is quite a bit of data, but it's not "trillions and trillions" of possibilities. A simple statistical analysis tool will reveal *any* non-natural data, as nCipher revealed when they showed that a cryptographic private key will stick out even within 2GB of fluff data--it's *TOO* random.
What'd really blow me away is if Viviana was able to follow up this fascinating research with an implementation of Public Key Steganography. There was a paper referenced on Counterpane that talked about this; essentially it hides data in such a manner that the ensteganographer (and thus, anyone other than the recipient of the hidden message) cannot determine the exact location of their own message. The way I'd imagine it working, you'd mutate a virus such that it delivered a given message to a location dependent upon not the data being delivered but some publicly available key. That key would essentially be a one way hash of bioreceptors that the virus should attach itself to, and you'd essentially have a restriction that the virus would not infect any cell that did not possess those specific bioreceptors. An attacker would need to sequence not only the global DNA sequence for changes but each possible type of cell that could have been modified to contain the secret, whereas the message reader would know exactly what types of cells to search--voilà, your asymmetric primitive. Maybe you'd only find a link to the appropriate primer, or possibly your entire message, but you'd have your public key steganography implemented with biological methods.
Funky.
Yours Truly,
Dan Kaminsky DoxPara Research http://www.doxpara.com
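The statistical test the post above alludes to (a key is "TOO random" to hide in fluff), as an added example that is not code from the original post or from nCipher: a sliding-window Shannon entropy scan over a constructed corpus of repetitive text with 384 random bytes buried in it. The window size, step, the 0.8 ratio threshold, the filler text and the secret's offset are all constructed choices; the same scan on a four-letter DNA alphabet would use `alphabet_bits=2.0` and give a much smaller contrast, since natural sequence is itself close to the 2-bit ceiling.

```python
"""Added example, not code from the original post: a sliding-window entropy
scan that finds "too random" data hidden inside low-entropy filler, the kind
of statistical test the post says would expose a buried key.  The filler, the
hidden key bytes, the offsets and the threshold are all constructed choices."""
import math
import random
from collections import Counter
from typing import List, Tuple


def shannon_entropy(window: bytes) -> float:
    """Empirical entropy in bits per symbol of one window."""
    counts = Counter(window)
    n = len(window)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def find_high_entropy_regions(data: bytes, window: int = 256, step: int = 64,
                              alphabet_bits: float = 8.0,
                              ratio: float = 0.8) -> List[Tuple[int, int]]:
    """Flag windows whose entropy exceeds ratio * log2(alphabet size) and
    merge overlapping flagged windows into (start, end) regions."""
    threshold = ratio * alphabet_bits
    regions: List[Tuple[int, int]] = []
    for start in range(0, max(1, len(data) - window + 1), step):
        end = start + window
        if shannon_entropy(data[start:end]) < threshold:
            continue
        if regions and start <= regions[-1][1]:
            regions[-1] = (regions[-1][0], end)   # extend the current region
        else:
            regions.append((start, end))
    return regions


# Constructed corpus: repetitive text with a 384-byte random "key" at SECRET_OFFSET.
FILLER = b"the quick brown fox jumps over the lazy dog; no secrets here. "
SECRET_OFFSET = 2000
_rng = random.Random(2024)                      # fixed seed so the run is repeatable
SECRET = bytes(_rng.randrange(256) for _ in range(384))
CORPUS = (FILLER * 80)[:SECRET_OFFSET] + SECRET + (FILLER * 80)[:2000]


if __name__ == "__main__":
    print(f"filler entropy {shannon_entropy(FILLER * 5):.2f} bits/byte, "
          f"secret entropy {shannon_entropy(SECRET):.2f} bits/byte")
    for start, end in find_high_entropy_regions(CORPUS):
        print(f"suspicious bytes {start}-{end} (secret really at "
              f"{SECRET_OFFSET}-{SECRET_OFFSET + len(SECRET)})")
```

The reported region is a little wider than the secret because windows that straddle its edges are still mostly random; that is the expected shape of the signal, and it is why hiding a key by location alone fails once the whole corpus can be scanned cheaply.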
I *just* discovered IPSec's rather bloody implementation history. I think I'm just gonna Res Ipsa Loquitur here...trust me. If you ever wondered whether RFCs had any drama in their birth, well...
If time is purely subjective, then time is by definition what I think it is, and thus I am right. Are you telling me that I do not know what I think that time is?
I would rather function in an environment where the vast majority of incompetently assigned patents are never enforced upon an otherwise free market, rather than suffer a vast number of patents that never should have been validated in the first place be actually enforced.
A three to five year limit on software patents is ludicrous. The problem is not the timespan--the problem is the standard. One Slashdot poster mentions Unisys's patent on a basic linked list. Memepool posted the patent on (and I'm not kidding) using a laser to entertain a cat. Amazon's patent abuses are well documented.
The American software industry cannot be made to live in fear of an agency which has repeatedly argued its own infallibility in assigning patents in the face of widespread evidence to the contrary. The simple fact is that the market, not the courts should decide what providers prosper and what providers fail. Establishing monopolies out of the sheer act of provision is antithetical to everything we've learned about writing quality software, encouraging quality business, or even running a quality society.
The time allotment on a software patent is nothing more than a red herring. If somebody points a gun at me, and threatens to shoot me in the head, I am not going to try to negotiate for a less vital organ to be shot, or perhaps that the bullet could be of a lesser caliber. I'm going to fight, or I'm going to run, but I'm *not* going to stand there and agree that it's OK for me to get shot.
Accepting software patents, no matter how obvious they may be, for "not that long of a time" simply means that the jackpot for the patent claimjumpers has a quicker payoff.
This is the wrong direction to move in. Period. Remember, the status quo is that, for the most part, software patents do not exist. They are only defensively registered. Preventing the need for such a hidden tax is critical.
Yours Truly,
Dan Kaminsky DoxPara Research http://www.doxpara.com
Windows 2000 either supports Kerberos authentication or it doesn't.
Kerberos is a well defined standard. If they misimplemented it in such a way that their product will not interoperate with existing Kerberos domains, then they didn't implement Kerberos.
If Microsoft chooses to lie to their customers, no amount of IP whining is going to help--oh, unless this UCITA thing happens to pass...oh.
Yours Truly,
Dan Kaminsky DoxPara Research http://www.doxpara.com
I spent a good six hours (twelve total, but half of it was spent driving the full weight of my head into my keyboard) today trying to make C2Net's Stronghold and Allaire's JRun play nice together.
On the plus side, I am much more familiar with Apache now, even 1.3.x versions that mysteriously cost more money but don't have autoconf and won't do Dynamic Shared Objects right.
On the minus side, I was already screwed for time and this didn't help.
So, for the first time in my life, a grin came to my face as I saw a site thrashed by the Slashdot hordes:
SRP essentially combines the concept of "Hashed Password" and "Secret Key" into one small, low entropy object: The stored password.
"Dictionary attack" difficulties aside, it's not hard to imagine an intruder running a pre-computation attack against a password file. *However*, the password file *can be* much more secure--crypt() is far less secure than SHA-1, though SHA-1 isn't drastically better than the MD5 passwords deployed on most Linux boxen.
It is moderately unclear through the documentation how the "public verifier" gets distributed; more emphasis should be placed on this. The public verifier, distributed via OOB mechanisms, is *the only* way to get around "first contact" problems. Now, the public verifier can be shared, extended, chained, and so on, but at some point there has to be an Out Of Band (OOB) contact.
Of course, the problem with chains is Entropy Erosion and Failure Amplification--your original entropy never increases, but your risk of compromise *does*.
Another brought up a good point--SSH ideally requires compromise of both a private key(what you have) *and* passphrase(what you know) to experience a critical failure; SRP only requires one. One nice thing is that SRP can mandate that a user have a passphrase; I don't believe SSH has a truly secure method(not client based) to make sure that they don't.
More later, if anyone's still alive in this thread. (Gotta go.)
Yours Truly,
Dan Kaminsky DoxPara Research http://www.doxpara.com
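The object the post above is worried about, as an added example that is not code from the original post or from the SRP project: a complete SRP-6a enrollment and exchange run in one process, showing that the server keeps only a verifier `v = g^x mod N` with `x = H(salt | H(I ":" P))`, and that the session key on both sides agrees only when the client knows the password. The modulus is the Mersenne prime 2^521 - 1, chosen so the arithmetic is real-sized but without claiming it is a vetted SRP group (real deployments use the RFC 5054 groups); the identity, password and salt are constructed.

```python
"""Added example, not code from the original post or from the SRP project: a
complete SRP-6a exchange between a toy client and server.  The server never
stores the password, only a verifier v = g^x mod N that is itself derived
from salt + password.  The group below is a Mersenne prime used for arithmetic
only; it is NOT a vetted SRP group.  Identities and passwords are constructed."""
import hashlib
import secrets

N = (1 << 521) - 1      # demonstration modulus (prime, but not a safe prime)
g = 3                   # demonstration generator


def H(*parts: bytes) -> int:
    """SHA-256 over the concatenated parts, read as a big-endian integer."""
    h = hashlib.sha256()
    for p in parts:
        h.update(p)
    return int.from_bytes(h.digest(), "big")


def to_bytes(n: int) -> bytes:
    return n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")


def pad(n: int) -> bytes:
    """Left-pad to the width of N, as SRP-6a requires for k and u."""
    return n.to_bytes((N.bit_length() + 7) // 8, "big")


k = H(to_bytes(N), pad(g))   # SRP-6a multiplier, k = H(N | PAD(g))


def private_x(salt: bytes, identity: str, password: str) -> int:
    """x = H(salt | H(I ':' P)); everything the verifier protects flows from here."""
    inner = hashlib.sha256(f"{identity}:{password}".encode()).digest()
    return H(salt, inner)


def enroll(identity: str, password: str, salt: bytes = None) -> tuple:
    """Server-side enrollment: returns (identity, salt, verifier); no password kept."""
    salt = salt or secrets.token_bytes(16)
    v = pow(g, private_x(salt, identity, password), N)
    return identity, salt, v


def srp_exchange(identity: str, password: str, record: tuple) -> tuple:
    """Run both sides of SRP-6a in one process; returns (client_key, server_key)."""
    _, salt, v = record
    # client -> server: I, A = g^a
    a = secrets.randbelow(N - 2) + 1
    A = pow(g, a, N)
    if A % N == 0:
        raise ValueError("bad client ephemeral")        # server must reject
    # server -> client: salt, B = k*v + g^b
    b = secrets.randbelow(N - 2) + 1
    B = (k * v + pow(g, b, N)) % N
    if B == 0:
        raise ValueError("bad server ephemeral")        # client must reject
    u = H(pad(A), pad(B))                               # binds both ephemerals
    if u == 0:
        raise ValueError("u == 0")
    # client: S = (B - k*g^x)^(a + u*x), using the password it knows
    x = private_x(salt, identity, password)
    S_client = pow((B - k * pow(g, x, N)) % N, a + u * x, N)
    # server: S = (A * v^u)^b, using only the stored verifier
    S_server = pow((A * pow(v, u, N)) % N, b, N)
    return (hashlib.sha256(to_bytes(S_client)).hexdigest(),
            hashlib.sha256(to_bytes(S_server)).hexdigest())


if __name__ == "__main__":
    rec = enroll("alice", "correct horse battery staple")
    print("keys agree:", srp_exchange("alice", "correct horse battery staple", rec))
    print("wrong password agrees:", len(set(srp_exchange("alice", "nope", rec))) == 1)
```

Because `v` is a deterministic function of salt and password, whoever obtains the stored record can test candidate passwords against it offline, which is the pre-computation concern the post raises; the verifier file therefore needs the same protection as a hashed password file, and the salt must be per-user so that a table built for one verifier does not transfer to another.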
Re: Network Topologies and sniffers (on SSH v. SRP)
Switched networks are (at present) irrelevant to a determined attacker--I send out a gratuitous ARP identifying myself as the MAC to send all your IP traffic to, everyone sends me your traffic, which I then A) Read and B) Send along to you with a forged MAC address.
Really nasty when you do this to the gateway.
Defeating this requires security mechanisms which are rarely deployed at the switch level.
See the dsniff toolkit for example code.
Yours Truly,
Dan Kaminsky DoxPara Research http://www.doxpara.com
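The observable side of the redirection described above, as an added example that is not code from the original post and not part of dsniff: a small ARP-table monitor in the spirit of arpwatch, the host-side mechanism available when the switch itself offers none. It replays constructed ARP reply records and reports every IP whose advertised MAC changes, rating changes to a protected address (the gateway) as high severity. The record format, addresses and timestamps are all constructed sample data.

```python
"""Added example, not code from the original post and not part of dsniff: a
small ARP-table monitor in the spirit of arpwatch.  It replays constructed
ARP reply records and reports every IP whose advertised MAC changes, which is
the on-the-wire symptom of the redirection described above.  The record
format, addresses and timestamps are all constructed sample data."""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set


@dataclass(frozen=True)
class ArpReply:
    ts: float
    sender_ip: str
    sender_mac: str
    target_ip: str          # equals sender_ip for a gratuitous reply


def parse_record(line: str) -> ArpReply:
    """Parse 'ts sender_ip sender_mac target_ip' (our own constructed format)."""
    ts, ip, mac, target = line.split()
    return ArpReply(float(ts), ip, mac.lower(), target)


class ArpMonitor:
    def __init__(self, protected: Iterable[str] = ()):
        self.protected: Set[str] = set(protected)       # e.g. the default gateway
        self.current: Dict[str, str] = {}               # ip -> MAC last seen
        self.history: Dict[str, Set[str]] = {}          # ip -> every MAC ever seen
        self.alerts: List[str] = []

    def observe(self, r: ArpReply) -> None:
        seen = self.history.setdefault(r.sender_ip, set())
        known = self.current.get(r.sender_ip)
        if known is not None and known != r.sender_mac:
            severity = "HIGH" if r.sender_ip in self.protected else "MEDIUM"
            kind = "flip-flop" if r.sender_mac in seen else "changed"
            grat = " (gratuitous)" if r.sender_ip == r.target_ip else ""
            self.alerts.append(
                f"{severity} t={r.ts:.0f} {r.sender_ip} {kind}{grat}: "
                f"{known} -> {r.sender_mac}")
        seen.add(r.sender_mac)
        self.current[r.sender_ip] = r.sender_mac


def run_monitor(lines: Iterable[str], protected: Iterable[str] = ()) -> List[str]:
    """Feed records through a fresh monitor and return the alerts it raised."""
    mon = ArpMonitor(protected)
    for line in lines:
        if line.strip():
            mon.observe(parse_record(line))
    return mon.alerts


# Constructed replay: a gateway (10.0.0.1) and a host (10.0.0.50); at t=1060 a
# third MAC announces itself as both, then the gateway's real MAC reappears.
SAMPLE_REPLIES = """\
1000 10.0.0.1  00:11:22:33:44:01 10.0.0.50
1001 10.0.0.50 00:11:22:33:44:50 10.0.0.1
1060 10.0.0.1  DE:AD:BE:EF:00:01 10.0.0.1
1061 10.0.0.50 DE:AD:BE:EF:00:01 10.0.0.50
1120 10.0.0.1  00:11:22:33:44:01 10.0.0.50
"""

if __name__ == "__main__":
    for alert in run_monitor(SAMPLE_REPLIES.splitlines(), protected=("10.0.0.1",)):
        print(alert)
```

A real deployment feeds this from a capture on the segment and seeds `current` from a known-good inventory, so the first binding seen is not silently trusted; the flip-flop case matters because the legitimate station keeps answering too, so the table oscillates rather than settling on the impostor.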
I'd rather watch a camcorder'd version taped off a television, dragged through mud, and dubbed thrice by Bob The Clowny Boy.
MP3 is the real thing. Streaming video is just...awful. I mean, there are people out there not impressed with DVD, and I see where they're coming from(could we please have a mathematical algorithm that pays a little more attention to the human visual system than YUV?), but it's nothing like streaming video.
*LOL* If anything, streaming video will *increase* the market for Hong Kong movies that don't suck in encoding quality...so the pirates get to sell more content.
Greaaaaaat....
Yours Truly,
Dan Kaminsky DoxPara Research http://www.doxpara.com
First, let me take this opportunity to thank you for offering the Slashdot community this chance to interview you. It is highly appreciated!
As I'm sure you're well aware, computer security has risen to the forefront of risks involved with online business(even beyond "nonexistent paying customers"!). From the external risks of network protocol weaknesses to the internal failure of insufficient buffer overflow prevention mechanisms, the number of "weakest links" available to fall against a determined attacker can be quite staggering.
In fact, an attacker is often not necessary to make code fall flat on its face--as many computer users can attest to, software written under several software paradigms falls apart in the face of extended but ultimately normal usage.
My question for you is, as a well respected language designer and programmer, what can we as a community do to deal with these sibling demons of instability and insecurity? Should we adopt languages such as Ada, which place breathtaking amounts of protections into the compile-time phase? Do we move towards the model of simplicity advocated by Schneier, well aware of the exponential increase in unpredictable interactions? Should we worry about the prevalence of interpreted languages as a vector for in-band attacks? What should we be doing that we aren't?
In short, Bjarne...Where To, Fearless Leader?
Yours Truly,
Dan Kaminsky DoxPara Research http://www.doxpara.com
1) Compatibility with existing 2.4ghz networks(i.e. 802.11): Apparently, Bluetooth nukes Wireless LANs(source: MicroTimes, about 3 months ago). So, Rob and Jeff are sitting around at a convention, when suddenly their Zoom Air wireless link dies. Rob looks up. "Who's the moron with a bluetooth device?!?"
2) The Resurrecting Duckling. Great paper; look around online and check it out. Talks about security issues with wireless networking. Among other things, you're now *infinitely* more susceptible to somebody "nearby" (think airport) hacking your wireless device--how are ya gonna find 'em, even if you're alerted? 10m, up to 100m with extenders...you're talking about looking for a minuscule wireless extender into a well hidden wired network. Good luck...and let's not forget that with wireless devices, draining the battery is an astonishingly effective DoS attack.
3) Trustable functionality. 10m isn't enough for cordless phones, and I don't think it'll be enough for cordless computing. Has there been any research into the human factors involved with a wireless device that can't leave the room? If you can't trust something to work, you don't use it.
4) Broken encryption. There's no way in hell that Bluetooth has serious encryption built into it, but you can be assured that developers will design their own protocols to assume that the hardware encryption layer will take care of all secrecy concerns. At least with 802.11, you *know* when you're shining out your password publicly!
It's sad. I want something like Bluetooth...but the fact that it may kill existing wireless nets--thus, a rogue visitor could kill the LAN!--could possibly make it a tragic non-starter.
Yours Truly,
Dan Kaminsky DoxPara Research http://www.doxpara.com
P.S. That being said, I desperately want to get my hands on some Bluetooth devices...
"AOL grants to you a non-exclusive, limited license to use the Software, pursuant to the terms hereof, to connect to the Service only, and you may not modify, reverse-engineer, decompile, or disassemble the Software."
"The laws of the Commonwealth of Virginia, excluding its conflicts-of-law rules, govern the Agreement and your registration, and you expressly agree that exclusive jurisdiction for any claim or dispute arising from the use of the Service or Software resides in the courts of the Commonwealth of Virginia."
Rob wrote that UCITA is supported by, and I quote, "Virginia's own "star" online business, AOL."
Thanks, Rob! I can't believe I didn't find out about this 'till now!
According to the AOL Instant Messenger page, "45 Million People Can't Be Wrong." Looks to me like 45 Million People Are About To Be Wronged, and AOL is *lying* to their legislators to do it.
Yep, you heard me. Lying. How much you wanna bet those lobbyists that AOL is paying all sorts of money to are mentioning any of the "pork"(the term isn't really applicable; pork refers to extra stuff slagged on, not the true intention of the bill masked in Happy E-Commerce Friendly Language) that this bill will implement?
Lemme tell you something. The moment that the company that's about to buy Time Warner, A.K.A. one of the biggest media conglomerates in the world, exposes a significant portion of the population of this country to tremendous, unnegotiated, and unconscionable breach of contract liability, and doesn't mention this to the legislators they've communicated with, AOL's got a huge local problem.
Because lemme tell you something else: If UCITA passes in Virginia, I'm donating cash money to any party that promises to get it repealed. Remember Taxation without Representation? Pass a law without even going so far as to analyze the national implications of such a drastic overhaul of basic commerce law(which, incidentally, traces back long before the birth of this country), and this California geek is gonna Represent.
It's simple, really: If Virginia is going to expose me to tremendous risk from any Virginian software I use, I'm going to boycott Virginian software. And I'm gonna start with AOL, because they're doing their damndest to get this passed.
After all, why should I trust a company that's trying to make it illegal for me to complain about their service?
You best not say how many times AOL net service broke down on you; that's a prohibited unauthorized benchmark. You talk, you walk--to another ISP because your AOL has just been terminated...better hope you can get DSL, by the way, because the AOL Road Runner cable modem service you depend upon is being terminated. They'll be sending you a bill, by the way, for that early termination of your service. Incidentally, don't expect to find anyone else able to give you cable modem service--isn't that convenient, AOL has all their lobbyists working on UCITA, and just took everyone away from that "Open Access" push. So, if you can't get DSL, better enjoy going back to 56K. Complain about service, will ya?
You better not talk to anyone about privacy, or even look into it for that matter. If you start accessing a bunch of sports sites just to determine whether AOL is selling your browsing interests to outside companies to spam you...guess what, you're making an unauthorized attempt to reverse engineer proprietary backend routing code, and your service is terminated and you're getting sued for breach of contract. I wonder what will cost more...your lawyers, or your flight to Virginia...
But don't worry, you have nothing to worry about in terms of security, because they've already chilled any speech or research that might cause you to be scared that your AOL Instant Messenger might pose a risk to your home, your work, or your data. "Accidental buffer overflows that let anyone on the Internet take over your computer" hidden within AOL's software will be unheard of, because the force of Virginia's Expressly Agreed To Laws will make it Expressly Illegal to exercise electronic self-defense by making sure there's no time bomb ticking within your computer or the computers of millions of others.
Heh, at least the next time Yahoo gets taken down, you can get the warm and fuzzy feeling that your box might have had something to do with it, but you don't have the right to find out.
Any Self-Defense is just another one of those stupid little Magna Carta era common law things we can throw away. You know, kind of like "The product you're being sold should do what it says it does.", which UCITA also removes. It's the Thousands, folks. Who needs those crufty consumer protection truth in advertising lemon law product liability rules anyway?
Boy, I'd really be worried about this UCITA thing if it didn't expose so many very large non-computer related corporations to so much financial risk, like the fact that they won't be able to get untainted evidence about which products to buy or even to pull their data out of a remotely disabled database(disabled, of course, because one of their employees dared breach the company's contract with the software supplier by stating that the present software solution was costing too much money for way too little speed)[ http://slashdot.org/comments.pl?sid=00/02/14/2221203&cid=201 ]. It's a good thing that companies throughout the country will be contributing to the campaign funds of opposition legislators throughout the country, because that's the mandate of their shareholders [ http://slashdot.org/comments.pl?sid=00/02/14/2221203&cid=192 ].
For once, companies are screwed just as much as the average citizen is going to be. [ http://slashdot.org/yro/00/02/01/211222.shtml#36 ] So really, I have no reason to be concerned.
Yours Truly,
Dan Kaminsky DoxPara Research http://www.doxpara.com
See, that's the nice thing about capitalism. There's no central planner to say that you have to sit here, or go there, or be nice. There's no excessive transmission of executable context, to speak in geek terms. You pay the cash, you get the product.
Without passing judgement on the rightness or wrongness of communism, there's some delicious irony in that while Open Sourcers are supposedly the biggest backers of communism, we're the ones screaming our brains out over software freedom while the biggest companies in the world lick their chops on the concept of being The Central Planner.
After all, what are these newfangled "circumvention-resistant" devices but a yoke against which our core freedoms as consumers are jerked away? Imagine, for a moment, that Master(a fine purveyor of padlocks) was powerful enough to extract a licensing fee from any makers of lockers, safes, and doors. Imagine you needed to prove, *to the lock*, that the object it was being placed on was licensed before you'd get your key.
Lemme tell you what'd happen, real quick: People would figure out how to bust the key--which they bought, when they bought that lock--out, so they could go about their business of doing whatever they damn well pleased with *their* *property*.
The only reason these laws are getting passed is because people seem to think this is limited to just tech stuff.
We're talking about *basic* *freedoms*, here. We're talking about *the right to private property*. When I buy a master lock, I buy the lock, and I buy the key.
When I buy a DVD, I buy the lock, and I buy the key. They're right there on the disc. Sure, they're made difficult to get to, but I've got 80 head screwdrivers for the reasons of custom screw designs *BUILT* to make it difficult for me to get to things. But ya know what?
If I wanna break my car, it's my car to break. If I wanna throw my DVDs in the Microwave, it's my aluminum to fry. If I wanna use the keys on that disc for something The Manufacturer Just Wouldn't Approve of, damnit, it's my disc, they sold it to me, they took my money, they can go away. If I steal the keys off of some DVD I haven't bought, then I'm a thief. If I use the keys on some DVD I bought...
THOSE.
WERE.
MY.
KEYS.
I'm going to sleep. Maybe when I wake up this nightmare of idiocy will be over.
Yours Truly,
Dan Kaminsky
DoxPara Research
http://www.doxpara.com
[WARNING: The contents of this post are slightly off topic, until you consider A) This is a subject regarding excessive CPU power that nonetheless consistently gets overrun and B) This site has been overrun and I can't comment on the actual contents of it.]
:-)
:-)
:-)
[WARNING 2: This is one of the more bitter posts I've made to Slashdot. You've been warned.]
And so it was so ordered, after legions upon legions of sites fell to That Which Was The Slashdot Horde:
If the content of the web page is not dependent on the identity of the user, then the content of the web page MUST not be generated specifically for that user.
Yes, that's an IETF must, damnit
This isn't a complicated concept, folks. If each user gets a very different page(think search engine), then you dynamically generate the new content live. If each user only gets a slightly different page...well, gee, dynamically generate that slight difference, but leave static everything else.
If you're dependent on the user, change the page for each user. If you're dependent on some local index of news, then change the page each time the local index of news changes. If you're dependent on an angel coming down and teaching you to code the goddamn meaning of life in Perl, *THEN CHANGE THE PAGE WHEN SOME GLOWING HALOED CREATURE WALTZES IN YOUR STUDIO*, but for *CRYING OUT LOUD* don't regenerate your page every time I try to read some godforsaken article!
It's simple stuff like this that makes me feel like I have a moral obligation to be a Comp Sci major. Grrrr.
One other point...ya wanna talk overcommitment? The Linux kernel lists are going nuts about the reasonably rare situations that can arise when the OS allows processes to overcommit memory, on the probabilistic assumption that not all processes will actually use the memory they request. What to do when the memory actually committed actually becomes used? Should the OS die, so that the processes may live? What processes does the OS kill to keep itself alive? There's a lot of argument about how to deal with overcommitment on the OS level, and I'll leave that fight to the experts.
But lemme tell ya, just view the Slashdot Victim of the Day to find web pages that deal with overcommitment. Since these sites aren't too likely to change their entire codebases all that soon, may I suggest that expressing Database Errors *might* not be the most graceful method of expressing degradation of resources?
In other words, faced with the choice of fewer ad impressions and fewer readers vs. temporarily switching to a cached copy of the page which is 99.9% accurate, might it not be nice to have built as a core element of Apache's modperl something along the lines of, "Run this script to generate this page UNLESS we're getting hammered; in that case, use mod_rewrite to change the URL to a static equivalent of our now thoroughly overloaded page"?
Ahhhh. I might actually be able to view pages about Gigahertz SMP
Yours Truly,
Dan Kaminsky
DoxPara Research
http://www.doxpara.com
P.S. Irony #1235235: It's taking me forever to finally get this comment posted
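The "regenerate only when the inputs change, serve the static copy when hammered" idea from the post above, as an added example that is not part of the original post or of any Apache module: a small Python cache that rebuilds the page body only when the news index version changes, refuses to rebuild while the load average is above a threshold (serving the last snapshot instead), and renders only the cheap per-user part live. The index version, the load figure and the threshold are assumed inputs supplied by the caller.

```python
class DegradingPageCache:
    """Page cache that degrades gracefully under load instead of erroring out.

    build_body(index_version) is the expensive script (assumed interface) that
    renders everything which does NOT depend on the user.  It is run only when
    the index version changes and the box is not overloaded.
    """

    def __init__(self, build_body, load_threshold=8.0):
        self._build_body = build_body
        self.load_threshold = load_threshold
        self._body = None            # last generated static snapshot
        self._body_version = None    # index version that snapshot was built from
        self.rebuilds = 0            # how many times the expensive script ran

    def _rebuild(self, index_version):
        self._body = self._build_body(index_version)
        self._body_version = index_version
        self.rebuilds += 1

    def render(self, user, index_version, load_avg):
        """Return (page_text, status) where status is one of
        'generated' (script ran), 'cached' (snapshot is current) or
        'stale' (snapshot is outdated but served anyway because of load)."""
        if self._body is None:
            # Nothing cached yet: pay the cost once, whatever the load.
            self._rebuild(index_version)
            status = "generated"
        elif index_version != self._body_version:
            if load_avg < self.load_threshold:
                self._rebuild(index_version)
                status = "generated"
            else:
                # Degrade: a 99.9%-accurate old page beats a database error.
                status = "stale"
        else:
            status = "cached"
        # The per-user difference is tiny, so it is always rendered live.
        page = f"Hello {user}\n{self._body}"
        return page, status


if __name__ == "__main__":
    # Constructed stand-in for the news-index script.
    cache = DegradingPageCache(lambda v: f"news index v{v}", load_threshold=8.0)
    for user, version, load in [("alice", 1, 0.5), ("bob", 1, 50.0),
                                ("carol", 2, 50.0), ("carol", 2, 1.0)]:
        _, status = cache.render(user, version, load)
        print(f"{user:6} index={version} load={load:5.1f} -> {status}")
```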
Heh. It's been a while, but I remember going to my counselor in 8th grade and saying just that. He told me not to let it bother me.
Thank god I got that message, it made it all better.
If your school fails you, go to your school board. But we don't want someone 3000 miles away saying "We've been getting a number of calls about this kid, better toss him down the garbage disposal just to be safe."
--Dan
On the one hand, you've got anonymous measurement tools beyond count: Slashdot's AC's, Employer info sites, that Teacher site that's getting sued for Libel...
And it's our god given right to use those, right?
Then on the other, you have W.A.V.E. Similar anonymous measurement, *EXACT* same potentials for abuse(unpopular people get slammed unfairly for fair actions, etc.) The technology itself--anonymous evaluations--remains consistent. So what's different?
Let's see. The former consists of individuals commenting on members of a larger institution. The latter consists of larger institutions retrieving commentary from their individual members <i>regarding</i> their individual members.
Still, this doesn't establish that there's anything wrong with W.A.V.E. I generally want the institutions I'm a member of to protect me from other members--particularly schools. There's an irrational "tattle tales are bad" chant that ignores the fact that Geeks Like Me would be toast without the ability to go to a counselor or a dean of students and say, "That kid over there is beating me senseless on a daily basis. That sucks!"
Yes! Tattle! If someone's making your life miserable, <i>you can do something about it</i>! Schools have and need infrastructure to deal with this.
And that's when things start to fall apart for the W.A.V.E. program. There's something truly perverse about what it has people report...it's not those students who <i>cause</i> the most misery who get busted; it's those students who everyone looks at and says, "Man, that kid is such a loser and everyone hates him. Shit, he's gonna take a gun and shoot up this place!"
In other words, W.A.V.E. has implicit in its design a scheme that doesn't prevent harassment, rather it provides a means of tagging and identifying the harassed. This wouldn't be an awful thing, if it wasn't so presumptuous and backwards--we need to do something about these poor kids who get kicked around every day...not to deal with the violence of them getting kicked around, mind you! "That's normal, you see. Kids establish a pecking order, you can't fight that." No, this isn't about stopping the kicking, it's about essentially providing a means of recognizing when a kid's been kicked so low that they might start fighting back. It's to recognize when kids are brought to the point where they have nowhere to go but up.
How scary, that after months of enduring torment, your institution itself gets into the act, worrying that something must be wrong with you if the popular kids don't like you.
And thus, where the <i>real</i> fear of this system is coming from: It's not the anonymous reporting--we like anonymity, look at all the people who make a career out of bashing Katz on a regular basis. (Incidentally, I was impressed by this story--this is probably some of Katz's better writing.) It's not even the knowledge of the institution that there are kids who are getting kicked around.
It's that the institution isn't the school.
It's the idea that, someday, some accountant will send your dean of students a "scientific report" saying you're just too likely to react dangerously to all the abuse he's been allowing under his nose. There's a tendency to use science to absolve personal responsibility in institutional management, and if The Numbers Say You'll Kill Someone, it just doesn't hurt administrators all that much to "send the child to a special school" "just to be on the safe side."
Nobody wants to be held responsible when some kid shoots up the school, and *THEY KNEW* something was going to happen--after all, that kid had an 83.2 on the Gonna Shoot Up The School scale--why wasn't he kicked out, they'll ask?
Don't laugh. If 82% of America can blame a f*cking network of computers for a schooltime massacre, *phear* what they could do to the actual administrators.
This is essentially outsourced psychological risk assessment. Instead of people within a school dealing with the problem and actually handling things from the inside--where things are visible--schools become a sort of "black box", with little candy treats being waved around to elicit data about its inner operations from unknown members inside.
When the data comes in from an outside agency, with a scientific chart o' student issues, held within a database protected by not a relevant data protection code in the country(ooh! Wanna sell Prozac? W.A.V.E. licensing divisions, how many depressed kids would you like to sell to today?)...it stops being an issue of whether tattling is right or wrong, and starts becoming a question of just how much cynicism are we willing to accept in our school infrastructure.
Calling this program WAVE, after that after school special, is so amazingly unfortunate for this program that it defies description.
Yours Truly,
Dan Kaminsky
DoxPara Research
http://www.doxpara.com
Please.
The device is unprofitable for a hundred bucks. Duh. So don't sell it for a hundred bucks.
Sell it for five hundred bucks, and toss in a $400 rebate if we agree to sign up for a year or two. It's what the rest of the industry does, and you guys just made me realize that it's not only the most annoying ad campaign ever to us tech guys, but it *really is* a smart way to get computers in people's hands.
It's that simple. Go in store rebate with signup, and let the geeks make ya rich.
Yours Truly,
Dan Kaminsky
DoxPara Research
http://www.doxpara.com
"Oh shit. There goes the planet."
Ohhhh, I've been waiting for some geniuses to make this mistake publicly.
Anyone install CuteFTP lately? Or any of a couple hundred other applications that Aureate Inc. paid companies to install their advertising software within?
Now, many people have debunked the rather virulent myth that Aureate was paying off these hundreds of shareware developers so that they could spy on people's computers.
However, it'd be rather hard to debunk one simple fact: Hundreds of software developers put their good name on code that not only wasn't open to the world to search for security concerns...
It wasn't even open to them.
You just can't pay a Linux developer to include code in their software that nobody else can see, let alone that they can't. But hundreds of software developers merrily included Aureate's package, sight unseen, and hoped it didn't do anything bad.
Perhaps Aureate indeed does expose the final end customers to certain forms of privacy violation(most directly, users don't generally expect that anyone on the outside world knows what software they're running). But that's not nearly as significant as some of the charges against Aureate--that they were searching through registries, rifling through hard drives looking for data.
But the developers who put their name on the package didn't know for sure that the code didn't do that. The users who trusted those developers--the users whose systems were at the greatest risk--they too had no ability to audit that code for safety analysis.
And, for all of Aureate's desperate attempts to defend itself, not even they can ever be absolutely sure that their code is intrinsically free of all buffer overflows, of all forged replies, of a preconstructed false advertisement that, when retrieved, overflows the GIF decompression code to allow the host system to be compromised...in the Open Source world, we find these problems quickly and send the authors fixes.
Aureate has no such help, and no such luck.
But, they'll just keep payin' 'em off...proving every day just why Open Source is more trustable.
Yours Truly,
Dan Kaminsky
DoxPara Research
http://www.doxpara.com
> Please explain how a market (NASDAQ) can
> continually smash into now record highs (up 2%
> today alone) and can be in a bear market. I
> haven't noticed a lack of confidence in any
> American market.
This was the other reason I didn't use the Bear term--it's not particularly "bear" in the Long Term timeline, at least not yet. However, from Caldera's perspective, the Dow had picked up some unprecedented levels of investor interest(wasn't there like a 9% jump in value of "unloved" stocks?), their entire market had *totally* missed the boat on that major stock jump, and their stock, with its (undeserved) bland image, standardly broken PE ratio, and underperforming competitors, sure didn't look like it was time to release.
So...they added in a delay, and raised the stakes for the possible reasons I outlined earlier.
Sorry for the misunderstanding.
--Dan
> Are you stoned, or just stupid?
I originally said bear market, but I figured that was a little bit too much industry jargon for one day.
In case you haven't noticed, confidence in an entire stock market(NASDAQ) is fluttering as people realize just how "amazing" all those companies on the Dow are, you know, with price-to-earning ratios that don't exceed the number of years this country has been in existence.
My apologies if I've caused you any distress.
Yours Truly,
Dan Kaminsky
DoxPara Research
http://www.doxpara.com
Best I can tell, there are two major reasons behind Caldera's move(beyond "they're afraid that NASDAQ is puking right now"):
1) Reverse psychology. Stocks have their prices raised in response to heavy demand. An interesting way to turn the tide on low investor demand is to *act* like there's high investor demand. Some portion of investors would believe that a company being convinced that their stock is going to be heavily demanded means their stock actually *is* going to be heavily demanded. And, gee, if investors think that a stock *is* demanded, suddenly it *is*.
2) Cash distribution, particularly if the market isn't thought to be amenable to second offerings. Caldera may not want to sell any more of its soul to venture capitalists. In order to do that, it has to make as much money--as a company--selling its shares to the market. Now, you do multiple releases when you think that your stock sale at time B is going to net more cash than a stock sale at time A. If you don't think the market will keep your stock so highly valued, or if you think you'll never "escape the gravity" of your present market position without an extensive war chest with which to market and develop with, you sell your shares off on the market once at as high a price as you can muster. Raising your IPO price, so you don't have to directly sell any more of the company to the venture capitalists, gives your company a much larger war chest, is moderately neutral to existing owners(although the lack of an initial runup to the higher price may harm momentum; see PALM), and is most painful to those lucky enough to have the right to purchase stock at the IPO price(since the delta from IPO to sale price is necessarily shrunken).
At least that's how I see it.
Yours Truly,
Dan Kaminsky
DoxPara Research
http://www.doxpara.com
Surprisingly common form of steganography, really. There is *absolutely* no obfuscation actually hidden in the data itself--it's literally plaintext encoded as simple entries in the DNA sequence. The security comes from the fact that it's surrounded by a significant amount of difficult-to-search (without knowledge of the correct primers) non-secret information.
Essentially, you're talking about a symmetric "location" secret protecting unencrypted content within a significant amount of data.
Such techniques are actually used quite commonly as countermeasures against legally mandated discovery proceedings--a large corporation(Microsoft or Tobacco companies in particular) is sued for its memo records; tens of thousands of boxes of unrelated material are delivered to the suing party on the presumption that they will hide the one "smoking gun" memo that will seriously damage the corporation.
In the inevitable arms race that follows, the entire mass of data gets OCR'd and searched for critical keywords. That solves the legal issues, but without an efficient "OCR" method that can quickly sequence a chromosome into its underlying data, this student's steganographic method is extraordinarily effective.
However, should such a technology be created, the size of the "keyspace" becomes drastically shortened: Apparently, the entire human genome will fit into six hundred megabytes--this is quite a bit of data, but it's not "trillions and trillions" of possibilities. A simple statistical analysis tool will reveal *any* non-natural data, as nCipher revealed when they showed that a cryptographic private key will stick out even within 2GB of fluff data--it's *TOO* random.
What'd really blow me away is if Viviana was able to follow up this fascinating research with an implementation of Public Key Steganography. There was a paper referenced on Counterpane that talked about this; essentially it hides data in such a manner that the ensteganographer(and thus, anyone other than the recipient of the hidden message) cannot determine the exact location of their own message. The way I'd imagine it working, you'd mutate a virus such that it delivered a given message to a location dependent upon not the data being delivered but some publicly available key. That key would essentially be a one way hash of bioreceptors that the virus should attach itself to, and you'd essentially have a restriction that the virus would not infect any cell that did not possess those specific bioreceptors. An attacker would need to sequence not only the global DNA sequence for changes but each possible type of cell that could have been modified to contain the secret, whereas the message reader would know exactly what types of cells to search--voilà, your asymmetric primitive. Maybe you'd only find a link to the appropriate primer, or possibly your entire message, but you'd have your public key steganography implemented with biological methods.
Funky.
Yours Truly,
Dan Kaminsky
DoxPara Research
http://www.doxpara.com
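The "it's *TOO* random" point from the post above, as an added example that is not from the original post or from nCipher: a sliding-window Shannon entropy scan over constructed English filler with a constructed 128-byte stand-in for a private key buried in it. The filler sentence, the key bytes (chained SHA-256 output, used only so the run is deterministic), the 64-byte window and the 5-bit threshold are all assumptions of this example.

```python
import hashlib
import math
from collections import Counter

# Constructed "non-secret information": a bland sentence repeated many times.
FLUFF_SENTENCE = b"this memo is unrelated filler that nobody will ever read. "
KEY_LEN = 128  # size of the constructed key-like blob buried in the fluff


def shannon_entropy(chunk: bytes) -> float:
    """Shannon entropy of `chunk` in bits per byte (0.0 for empty input)."""
    if not chunk:
        return 0.0
    n = len(chunk)
    return -sum((c / n) * math.log2(c / n) for c in Counter(chunk).values())


def find_high_entropy_regions(data: bytes, window: int = 64, step: int = 16,
                              threshold: float = 5.0):
    """Slide a `window`-byte window over `data` in `step`-byte increments and
    return merged regions (start, end, peak_entropy) whose window entropy
    reaches `threshold`.

    English text sits near 4 bits/byte; key material approaches the 6-bit
    ceiling a 64-byte window can show (log2(64)), so it sticks out even
    inside a large amount of fluff.
    """
    regions = []
    for start in range(0, len(data) - window + 1, step):
        h = shannon_entropy(data[start:start + window])
        if h < threshold:
            continue
        end = start + window
        if regions and start <= regions[-1][1]:
            # Overlaps or touches the previous hit: extend that region.
            prev_start, _, prev_peak = regions[-1]
            regions[-1] = (prev_start, end, max(prev_peak, h))
        else:
            regions.append((start, end, h))
    return regions


def build_fluff(size: int) -> bytes:
    """Constructed cover data: the filler sentence repeated to `size` bytes."""
    reps = size // len(FLUFF_SENTENCE) + 1
    return (FLUFF_SENTENCE * reps)[:size]


def build_key() -> bytes:
    """Deterministic pseudo-random bytes standing in for a private key."""
    return b"".join(hashlib.sha256(bytes([i])).digest()
                    for i in range(KEY_LEN // 32))


def build_sample(fluff_size: int = 4096, key_offset: int = 2048):
    """Return (data, key_offset): the key blob spliced into the fluff."""
    fluff = build_fluff(fluff_size)
    data = fluff[:key_offset] + build_key() + fluff[key_offset:]
    return data, key_offset


if __name__ == "__main__":
    data, offset = build_sample()
    for start, end, peak in find_high_entropy_regions(data):
        print(f"suspect region {start}-{end} (peak {peak:.2f} bits/byte); "
              f"key was spliced in at {offset}")
```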
Funny to see this topic on /.
I *just* discovered IPSec's rather bloody implementation history. I think I'm just gonna Res Ipsa Loquitur here...trust me. If you ever wondered whether RFC's had any drama in their birth, well...
Take a peek:
http://www.google.com/search?q=cache:gnietf.vlsm.org/58.txt
http://www.sandelman.ottawa.on.ca/linux-ipsec/html/1999/06/msg00319.html
Yours Truly,
Dan Kaminsky
DoxPara Research
http://www.doxpara.com
> It's purely subjective.
;-)
> Therefore you are wrong.
If time is purely subjective, then time is by definition what I think it is, and thus I am right. Are you telling me that I do not know what I think that time is?
Semantics. Phunphunphun
--Dan
I would rather function in an environment where the vast majority of incompetently assigned patents are never enforced upon an otherwise free market, rather than suffer a vast number of patents that never should have been validated in the first place be actually enforced.
A three to five year limit on software patents is ludicrous. The problem is not the timespan--the problem is the standard. One Slashdot poster mentions Unisys's patent on a basic linked list. Memepool posted the patent on (and I'm not kidding) using a laser to entertain a cat. Amazon's patent abuses are well documented.
The American software industry cannot be made to live in fear of an agency which has repeatedly argued its own infallibility in assigning patents in the face of widespread evidence to the contrary. The simple fact is that the market, not the courts should decide what providers prosper and what providers fail. Establishing monopolies out of the sheer act of provision is antithetical to everything we've learned about writing quality software, encouraging quality business, or even running a quality society.
The time allotment on a software patent is nothing more than a red herring. If somebody points a gun at me, and threatens to shoot me in the head, I am not going to try to negotiate for a less vital organ to be shot, or perhaps that the bullet could be of a lesser caliber. I'm going to fight, or I'm going to run, but I'm *not* going to stand there and agree that it's OK for me to get shot.
Accepting software patents, no matter how obvious they may be, for "not that long of a time" simply means that the jackpot for the patent claimjumpers has a quicker payoff.
This is the wrong direction to move in. Period. Remember, the status quo is that, for the most part, software patents do not exist. They are only defensively registered. Preventing the need for such a hidden tax is critical.
Yours Truly,
Dan Kaminsky
DoxPara Research
http://www.doxpara.com
Windows 2000 either supports Kerberos authentication or it doesn't.
Kerberos is a well defined standard. If they misimplemented it in such a way that their product will not interoperate with existing Kerberos domains, then they didn't implement Kerberos.
If Microsoft chooses to lie to their customers, no amount of IP whining is going to help--oh, unless this UCITA thing happens to pass...oh.
Yours Truly,
Dan Kaminsky
DoxPara Research
http://www.doxpara.com
I spent a good six hours (twelve total, but half of it was spent driving the full weight of my head into my keyboard) today trying to make C2Net's Stronghold and Allaire's JRun play nice together.
On the plus side, I am much more familiar with Apache now, even 1.3.x versions that mysteriously cost more money but don't have autoconf and won't do Dynamic Shared Objects right.
On the minus side, I was already screwed for time and this didn't help.
So, for the first time in my life, a grin came to my face as I saw a site thrashed by the Slashdot hordes:
http://www.newscientist.com/error-messages/jrundown.html
JRunDown?
Yeah, that's about right...I felt pretty damn jrunned down earlier today...
Yours Truly,
Dan Kaminsky
DoxPara Research
http://www.doxpara.com
OK, thought about this a little.
SRP essentially combines the concept of "Hashed Password" and "Secret Key" into one small, low entropy object: The stored password.
"Dictionary attack" difficulties aside, it's not hard to imagine an intruder running a pre-computation attack against a password file. *However*, the password file *can be* much more secure--crypt() is far less secure than SHA-1, though SHA-1 isn't drastically better than the MD5 passwords deployed on most Linux boxen.
It is moderately unclear through the documentation how the "public verifier" gets distributed; more emphasis should be placed on this. The public verifier, distributed via OOB mechanisms, is *the only* way to get around "first contact" problems. Now, the public verifier can be shared, extended, chained, and so on, but at some point there has to be an Out Of Band(OOB) contact.
Of course, the problem with chains is Entropy Erosion and Failure Amplification--your original entropy never increases, but your risk of compromise *does*.
Another brought up a good point--SSH ideally requires compromise of both a private key(what you have) *and* passphrase(what you know) to experience a critical failure; SRP only requires one. One nice thing is that SRP can mandate that a user have a passphrase; I don't believe SSH has a truly secure method(not client based) to make sure that they don't.
More later, if anyone's still alive in this thread. (Gotta go.)
Yours Truly,
Dan Kaminsky
DoxPara Research
http://www.doxpara.com
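The exchange the post is discussing, as an added example that is not part of the original thread and not code from the SRP project: SRP-6a registration, one login round trip, and the offline guessing attack an intruder can run once the verifier file is stolen. Hashing is simplified (SHA-256 over big-endian byte strings, no RFC 5054 padding), so it is not wire-compatible with real SRP implementations; the 1024-bit group is transcribed from RFC 5054 Appendix A and should be checked against the RFC before any real use.

```python
"""SRP-6a in miniature: registration, one login exchange, and an offline
dictionary attack against a stolen verifier.  Added illustration only, not
code from the original post or from the SRP project.  Hashing is simplified
(SHA-256, no RFC 5054 padding), so this is not wire-compatible with real SRP."""
import hashlib
import secrets

# 1024-bit group from RFC 5054 Appendix A (hex transcribed here; verify it
# against the RFC before relying on it).  The protocol algebra below holds
# for any group, which is all the demo needs.
N = int(
    "EEAF0AB9ADB38DD69C33F80AFA8FC5E86072618775FF3C0B9EA2314C9C256576"
    "D674DF7496EA81D3383B4813D692C6E0E0D5D8E250B98BE48E495C1D6089DAD1"
    "5DC7D7B46154D6B6CE8EF4AD69B15D4982559B297BCF1885C529F566660E57EC"
    "68EDBC3C05726CC02FD4CBF4976EAA9AFD5138FE8376435B9FC61D2FC0EB06E3",
    16,
)
g = 2


def H(*parts):
    """SHA-256 over the concatenation of ints (big-endian) and bytes, as an int."""
    h = hashlib.sha256()
    for p in parts:
        if isinstance(p, int):
            p = p.to_bytes(max(1, (p.bit_length() + 7) // 8), "big")
        h.update(p)
    return int.from_bytes(h.digest(), "big")


k = H(N, g)  # SRP-6a multiplier


def private_x(salt, username, password):
    # x is the only place the password enters; it never leaves the client.
    return H(salt, H(username.encode() + b":" + password.encode()))


def register(username, password):
    """Enrolment: the server stores only (salt, verifier), never the password."""
    salt = secrets.token_bytes(16)
    v = pow(g, private_x(salt, username, password), N)
    return {"salt": salt, "v": v}


def login(username, password, record):
    """One full exchange; returns True iff the client's proof verifies."""
    # Client -> Server: username, A = g^a
    a = secrets.randbits(256)
    A = pow(g, a, N)
    if A % N == 0:            # server must refuse a degenerate A
        return False
    # Server -> Client: salt, B = k*v + g^b
    b = secrets.randbits(256)
    B = (k * record["v"] + pow(g, b, N)) % N
    if B % N == 0:            # client must refuse a degenerate B
        return False
    u = H(A, B)               # scrambling parameter, computed by both sides
    # Client: S = (B - k*g^x)^(a + u*x), needs the password via x
    x = private_x(record["salt"], username, password)
    S_client = pow((B - k * pow(g, x, N)) % N, a + u * x, N)
    # Server: S = (A * v^u)^b, needs only the stored verifier
    S_server = pow((A * pow(record["v"], u, N)) % N, b, N)
    K_client, K_server = H(S_client), H(S_server)
    # Client sends a proof of K; the server checks it against its own K.
    M1 = H(A, B, K_client)
    return M1 == H(A, B, K_server)


def crack_verifier(username, record, wordlist):
    """Offline attack with a stolen (salt, v): no contact with the server, no
    rate limit, one modular exponentiation per guess.  The salt only stops
    precomputing one table for all users; per-user guessing still works."""
    for guess in wordlist:
        if pow(g, private_x(record["salt"], username, guess), N) == record["v"]:
            return guess
    return None


if __name__ == "__main__":
    rec = register("alice", "correct horse")
    print("login, right password:", login("alice", "correct horse", rec))
    print("login, wrong password:", login("alice", "wrong horse", rec))
    print("recovered from verifier:", crack_verifier("alice", rec, ["123456", "letmein", "correct horse"]))
```

The server-side computation uses nothing but `record["v"]`, which is the property the post is weighing: the verifier is enough to authenticate clients, and it is also enough to guess passwords offline at one exponentiation per candidate, so it is the single object whose theft causes the "critical failure" the post contrasts with SSH's key-plus-passphrase.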
Switched networks are (at present) irrelevant to a determined attacker--I send out a gratuitous ARP identifying myself as the MAC to send all your IP traffic to, everyone sends me your traffic, which I then A) Read and B) Send along to you with a forged MAC address.
Really nasty when you do this to the gateway.
Defeating this requires security mechanisms which are rarely deployed at the switch level.
See the dsniff toolkit for example code.
Yours Truly,
Dan Kaminsky
DoxPara Research
http://www.doxpara.com
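The frame the post describes and the host-side check that catches it, as an added example that is not part of the original post and not code from the dsniff toolkit: a gratuitous ARP reply that claims the gateway's IP for the attacker's MAC, a parser for the RFC 826 layout, and an arpwatch-style monitor that flags an IP whose MAC changes. The MACs and addresses are constructed for the demo, frames are only built in memory (no raw socket), and the monitor is a detector, not a defence; stopping the attack at the switch takes features such as dynamic ARP inspection, which is the "rarely deployed" mechanism the post refers to.

```python
"""Gratuitous-ARP spoofing on a switched LAN, plus an arpwatch-style detector.
Added illustration only, not code from the original post or from dsniff.
Frames are built in memory; sending them needs a raw socket and root, which
this script deliberately does not do.  All addresses are made up."""
import socket
import struct

BROADCAST = "ff:ff:ff:ff:ff:ff"
ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
ARP_FMT = "!HHBBH6s4s6s4s"   # htype, ptype, hlen, plen, op, sha, spa, tha, tpa


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def build_arp(op, sender_mac, sender_ip, target_mac, target_ip, dst_mac=BROADCAST):
    """Ethernet II frame carrying one ARP packet (RFC 826 layout, 42 bytes)."""
    eth = mac_bytes(dst_mac) + mac_bytes(sender_mac) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack(
        ARP_FMT,
        1,          # htype: Ethernet
        0x0800,     # ptype: IPv4
        6, 4,       # hlen, plen
        op,
        mac_bytes(sender_mac), socket.inet_aton(sender_ip),
        mac_bytes(target_mac), socket.inet_aton(target_ip),
    )
    return eth + arp


def gratuitous_arp(attacker_mac, claimed_ip):
    """What the attacker broadcasts: 'claimed_ip is at attacker_mac'.  Hosts
    that cache it now hand that IP's traffic to the attacker; claiming the
    gateway's IP redirects everyone's outbound traffic at once."""
    return build_arp(ARP_REPLY, attacker_mac, claimed_ip, BROADCAST, claimed_ip)


def parse_arp(frame):
    """Return the ARP fields of an Ethernet frame, or None if it is not ARP/IPv4."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack(ARP_FMT, frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"op": op,
            "sender_mac": mac_str(sha), "sender_ip": socket.inet_ntoa(spa),
            "target_mac": mac_str(tha), "target_ip": socket.inet_ntoa(tpa)}


class ArpWatcher:
    """Remembers the MAC last seen claiming each IP and reports a change (the
    'flip flop' arpwatch logs).  A change on the gateway IP is the case the
    post calls really nasty, so it is rated higher."""

    def __init__(self, gateway_ip=None):
        self.table = {}
        self.gateway_ip = gateway_ip

    def observe(self, frame):
        arp = parse_arp(frame)
        if arp is None:
            return None
        ip, mac = arp["sender_ip"], arp["sender_mac"]
        old = self.table.get(ip)
        self.table[ip] = mac
        if old is not None and old != mac:
            sev = "CRITICAL" if ip == self.gateway_ip else "WARNING"
            return f"{sev}: {ip} changed from {old} to {mac}"
        return None


if __name__ == "__main__":
    w = ArpWatcher(gateway_ip="10.0.0.1")
    legit = build_arp(ARP_REPLY, "00:11:22:33:44:01", "10.0.0.1", "00:11:22:33:44:09", "10.0.0.9")
    spoof = gratuitous_arp("de:ad:be:ef:00:01", "10.0.0.1")
    for f in (legit, spoof):
        print(w.observe(f))
```

A real deployment feeds `observe` from a packet capture; the watcher only ever sees sender fields, which is exactly why the attack works: nothing in ARP authenticates who is allowed to claim an address, so the first host to answer wins the cache entry.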
MeTV.Com already has Bruce Lee movies online.
I'd rather watch a camcorder'd version taped off a television, dragged through mud, and dubbed thrice by Bob The Clowny Boy.
MP3 is the real thing. Streaming video is just...awful. I mean, there are people out there not impressed with DVD, and I see where they're coming from (could we please have a mathematical algorithm that pays a little more attention to the human visual system than YUV?), but it's nothing like streaming video.
*LOL* If anything, streaming video will *increase* the market for Hong Kong movies that don't suck in encoding quality...so the pirates get to sell more content.
Greaaaaaat....
Yours Truly,
Dan Kaminsky
DoxPara Research
http://www.doxpara.com
"80% of all purchasing decisions are made on the basis of color."
--Brand Packaging magazine
Serious--I actually saw that stat. Obviously a...bit shortsighted, but what's really scary is that somehow there was a study designed to prove that.
When all you've got is a vested interest in diagnosing physical isolation as personal isolation...
You design your study to get your nail.
Yours Truly,
Dan Kaminsky
DoxPara Research
http://www.doxpara.com
Bjarne:
First, let me take this opportunity to thank you for offering the Slashdot community this chance to interview you. It is highly appreciated!
As I'm sure you're well aware, computer security has risen to the forefront of risks involved with online business (even beyond "nonexistent paying customers"!). From the external risks of network protocol weaknesses to the internal failure of insufficient buffer overflow prevention mechanisms, the number of "weakest links" available to fall against a determined attacker can be quite staggering.
In fact, an attacker is often not necessary to make code fall flat on its face--as many computer users can attest to, software written under several software paradigms falls apart in the face of extended but ultimately normal usage.
My question for you is, as a well respected language designer and programmer, what can we as a community do to deal with these sibling demons of instability and insecurity? Should we adopt languages such as Ada, which place breathtaking amounts of protections into the compile-time phase? Do we move towards the model of simplicity advocated by Schneier, well aware of the exponential increase in unpredictable interactions? Should we worry about the prevalence of interpreted languages as a vector for in-band attacks? What should we be doing that we aren't?
In short, Bjarne...Where To, Fearless Leader?
Yours Truly,
Dan Kaminsky
DoxPara Research
http://www.doxpara.com
Couple issues that need to be brought up--
1) Compatibility with existing 2.4ghz networks (i.e. 802.11): Apparently, Bluetooth nukes Wireless LANs (source: MicroTimes, about 3 months ago). So, Rob and Jeff are sitting around at a convention, when suddenly their Zoom Air wireless link dies. Rob looks up. "Who's the moron with a bluetooth device?!?"
2) The Resurrecting Duckling. Great paper; look around online and check it out. Talks about security issues with wireless networking. Among other things, you're now *infinitely* more susceptible to somebody "nearby" (think airport) hacking your wireless device--how are ya gonna find 'em, even if you're alerted? 10m, up to 100m with extenders...you're talking about looking for a minuscule wireless extender into a well hidden wired network. Good luck...and let's not forget that with wireless devices, draining the battery is an astonishingly effective DoS attack.
3) Trustable functionality. 10m isn't enough for cordless phones, and I don't think it'll be enough for cordless computing. Has there been any research into the human factors involved with a wireless device that can't leave the room? If you can't trust something to work, you don't use it.
4) Broken encryption. There's no way in hell that Bluetooth has serious encryption built into it, but you can be assured that developers will design their own protocols to assume that the hardware encryption layer will take care of all secrecy concerns. At least with 802.11, you *know* when you're shining out your password publicly!
It's sad. I want something like Bluetooth...but the fact that it may kill existing wireless nets--thus, a rogue visitor could kill the LAN!--could possibly make it a tragic non-starter.
Yours Truly,
Dan Kaminsky
DoxPara Research
http://www.doxpara.com
P.S. That being said, I desperately want to get my hands on some Bluetooth devices...
"AOL grants to you a non-exclusive, limited license to use the Software, pursuant to the terms hereof, to connect to the Service only, and you may not modify, reverse-engineer, decompile, or disassemble the Software."
"The laws of the Commonwealth of Virginia, excluding its conflicts-of-law rules, govern the Agreement and your registration, and you expressly agree that exclusive jurisdiction for any claim or dispute arising from the use of the Service or Software resides in the courts of the Commonwealth of Virginia."
Rob wrote that UCITA is supported by, and I quote, "Virginia's own "star" online business, AOL."
Thanks, Rob! I can't believe I didn't find out about this 'till now!
According to the AOL Instant Messenger page, "45 Million People Can't Be Wrong." Looks to me like 45 Million People Are About To Be Wronged, and AOL is *lying* to their legislators to do it.
Yep, you heard me. Lying. How much you wanna bet those lobbyists that AOL is paying all sorts of money to are mentioning any of the "pork" (the term isn't really applicable; pork refers to extra stuff slagged on, not the true intention of the bill masked in Happy E-Commerce Friendly Language) that this bill will implement?
Lemme tell you something. The moment that the company that's about to buy Time Warner, A.K.A. one of the biggest media conglomerates in the world, exposes a significant portion of the population of this country to tremendous, unnegotiated, and unconscionable breach of contract liability, and doesn't mention this to the legislators they've communicated with, AOL's got a huge local problem.
Because lemme tell you something else: If UCITA passes in Virginia, I'm donating cash money to any party that promises to get it repealed. Remember Taxation without Representation? Pass a law without even going so far as to analyze the national implications of such a drastic overhaul of basic commerce law (which, incidentally, traces back long before the birth of this country), and this California geek is gonna Represent.
It's simple, really: If Virginia is going to expose me to tremendous risk from any Virginian software I use, I'm going to boycott Virginian software. And I'm gonna start with AOL, because they're doing their damndest to get this passed.
After all, why should I trust a company that's trying to make it illegal for me to complain about their service?
You best not say how many times AOL net service broke down on you; that's a prohibited unauthorized benchmark. You talk, you walk--to another ISP because your AOL has just been terminated...better hope you can get DSL, by the way, because the AOL Road Runner cable modem service you depend upon is being terminated. They'll be sending you a bill, by the way, for that early termination of your service. Incidentally, don't expect to find anyone else able to give you cable modem service--isn't that convenient, AOL has all their lobbyists working on UCITA, and just took everyone away from that "Open Access" push. So, if you can't get DSL, better enjoy going back to 56K. Complain about service, will ya?
You better not talk to anyone about privacy, or even look into it for that matter. If you start accessing a bunch of sports sites just to determine whether AOL is selling your browsing interests to outside companies to spam you...guess what, you're making an unauthorized attempt to reverse engineer proprietary backend routing code, and your service is terminated and you're getting sued for breach of contract. I wonder what will cost more...your lawyers, or your flight to Virginia...
But don't worry, you have nothing to worry about in terms of security, because they've already chilled any speech or research that might cause you to be scared that your AOL Instant Messenger might pose a risk to your home, your work, or your data. "Accidental buffer overflows that let anyone on the Internet take over your computer" hidden within AOL's software will be unheard of, because the force of Virginia's Expressly Agreed To Laws will make it Expressly Illegal to exercise electronic self-defense by making sure there's no time bomb ticking within your computer or the computers of millions of others.
Heh, at least the next time Yahoo gets taken down, you can get the warm and fuzzy feeling that your box might have had something to do with it, but you don't have the right to find out.
Any Self-Defense is just another one of those stupid little Magna Carta era common law things we can throw away. You know, kind of like "The product you're being sold should do what it says it does.", which UCITA also removes. It's the Thousands, folks. Who needs those crufty consumer protection truth in advertising lemon law product liability rules anyway?
Boy, I'd really be worried about this UCITA thing if it didn't expose so many very large non-computer related corporations to so much financial risk, like the fact that they won't be able to get untainted evidence about which products to buy or even to pull their data out of a remotely disabled database (disabled, of course, because one of their employees dared breach the company's contract with the software supplier by stating that the present software solution was costing too much money for way too little speed) [ http://slashdot.org/comments.pl?sid=00/02/14/2221203&cid=201 ]. It's a good thing that companies throughout the country will be contributing to the campaign funds of opposition legislators throughout the country, because that's the mandate of their shareholders [ http://slashdot.org/comments.pl?sid=00/02/14/2221203&cid=192 ].
For once, companies are screwed just as much as the average citizen is going to be. [ http://slashdot.org/yro/00/02/01/211222.shtml#36 ] So really, I have no reason to be concerned.
Yours Truly,
Dan Kaminsky
DoxPara Research
http://www.doxpara.com