User: cryptizard

cryptizard's activity in the archive.

Stories: 0
Comments: 1,189

Comments · 1,189

  1. Re:So what? on LinkedIn Password Hashes Leaked Online · Score: 2

    Replying to myself, in this case you can only get information about passwords that you are actually able to break (i.e. the easy ones), but it can also be useful as an academic analysis of password complexity in real applications.

  2. Re:So what? on LinkedIn Password Hashes Leaked Online · Score: 5, Insightful

    People use these kinds of leaks to generate statistically sorted dictionary files for password breaking. The most commonly used (in the real world, as evidenced by these leaked databases) passwords are put at the front so you try all the more likely ones before moving on to the random guessing.

  3. Re:The real problem is on Red Hat Clarifies Doubts Over UEFI Secure Boot Solution · Score: 1

    Oh gotcha, I took it as like he was just adding private to everything to emphasize that "the man" should keep their hands off his stuff, not that it was a custom Linux distro. In that case just disable secure boot? That option has to stay around because otherwise kernel developers can't debug their work (not even Microsoft).

  4. Re:Yeah right... on Stuxnet/Flame/Duqu Uses GPL Code · Score: 1

    Considering the "request" was just a joke post on an obscure Hungarian blog, they will definitely be ignoring (read: never seeing) it.

  5. Re:I hope a gang of lawyers on Red Hat Clarifies Doubts Over UEFI Secure Boot Solution · Score: 1

    The "most likely" here is completely under the control of Red Hat, not Microsoft. You are quick to jump to conclusions without thinking this whole thing through. Somewhere you have to trust someone or else you should just disable secure boot entirely, which is guaranteed to be an available feature (otherwise how will kernel developers debug their code, even at Microsoft?).

  6. Re:I hope a gang of lawyers on Red Hat Clarifies Doubts Over UEFI Secure Boot Solution · Score: 1

    If you really want to play around with the kernel you will just disable secure boot, which is guaranteed to be available on all motherboards. I imagine anyone doing development on the kernel, even if it is eventually going to be signed, will have to do this just to save themselves the headache. If you want to work at a deeper level, then you turn it off. I also can't imagine how motherboard manufacturers would require you to pay more for this since it is just a simple software tweak that they likely have to have for debugging anyway (all the secure boot infrastructure and hardware are already in place, you just need a UI gadget to be able to change the certificates). The whole point of secure boot is that it is a consumer-targeted security feature that doesn't require any setup or interaction from the user, it just works. The difference between legitimate users and malicious adversaries is blurred to the point that you cannot implement strong security at the consumer level without preventing the user from doing something that they might legitimately want to do. You can be sound but not complete or complete but not sound, you cannot have both. If you have a problem with the restrictiveness of it, please by all means come up with something better.

  7. Re:For a LIMITED TIME on Red Hat Clarifies Doubts Over UEFI Secure Boot Solution · Score: 1

    As it said in the original article, all Red Hat has to do is get a "micro-bootloader" signed one time, which in turn will verify anything further up the chain against their own public key which they have complete control over, and they can change their kernel as much as they want without having to pay or deal with Microsoft again. The only time they would need to get it resigned is when the certificate expires.

  8. Re:The real problem is on Red Hat Clarifies Doubts Over UEFI Secure Boot Solution · Score: 1

    Please read the article, the $99 is something Red Hat is paying, not the end user. Nothing changes for the user except that your preferred distro has to somehow obtain a valid signature for their kernel (whether directly from Verisign/Microsoft or signed by Red Hat or some other organization that dealt with Microsoft). Barring this, you can disable secure boot or (if your motherboard supports it) install your own root key.

  9. Re:I hope a gang of lawyers on Red Hat Clarifies Doubts Over UEFI Secure Boot Solution · Score: 3, Informative

    It has been stated many times, the fee is not going to Microsoft but Verisign. Essentially Red Hat is gaining the ability to run their own root of trust by having a signed "stage 0" bootloader that will in turn load any image signed by Red Hat's private key. This micro-bootloader will most likely just chain load a special version of grub that will verify the kernel is signed by a correct key (at this point, any key that Red Hat wants). I really don't see the problem with any of this. As they said in the first report, any big name, trustable Linux organization could volunteer to get their root key signed using this same arrangement and then run a free, open root of trust that could verify other distributions. The problem is no one wants that kind of responsibility. The only downside to this whole mess is that not all motherboards will offer you the ability to install your own root certificates, which could impact the ability to homebrew a Linux distro, but in the end people that care about that kind of thing will only buy motherboards that have that ability.

  10. Re:If microsoft controls the 'keys' on Red Hat Will Pay Microsoft To Get Past UEFI Restrictions · Score: 1

    Maybe you should read the article before you call the author a liar. All they need to do is have Microsoft sign their super low level bootloader (just loads Grub and hands off) and then they are free to do whatever they want. Presumably the way you would have a Linux community secure boot thing is to have some organization register with Microsoft and get their bootloader signed, which in turn would only load OSes signed by their key. At that point they have bypassed Microsoft entirely and have a new root of trust.

  11. Re:Oh come on on Free Desktop Software Development Dead In Windows 8 · Score: 1

    What does this have to do with openness? Your comment makes no sense. You can still buy Visual Studio and develop any open-source application you want. Or you can use the free (as in money) version and make an open-source metro app. This changes nothing in terms of FOSS.

  12. Re:Been asking for 20 years ... on Ask Slashdot: Why Not Linux For Security? · Score: 1

    I love Linux, and I have for years, but it is crazy to ignore the fact that, over the set of all users on all machines they would like to use it on, you end up with a much higher percentage of people having to do something crazy complicated to get their system to work on Linux. Was I mad that I had to monkey around in the synaptics code to get my trackpad to work right? No, it was a pretty fun Sunday afternoon for me, but the average user is not able to nor would he want to do that. When I was in undergrad I had a Gentoo system and when I was particularly bored I would "emerge update world" because I knew I could kill a few hours fixing all the broken dependencies and compiler errors. Now, I just want my OS to work. I have two laptops, one with Ubuntu and the other Fedora. Both of them are stuck at the last version because they fail on update with cryptic errors I haven't had time to work out. At least Fedora is nice enough to roll back when it messes up so I still have a usable system, but my Ubuntu machine now loads with no mouse functionality and all the icons are red X's. People will not willingly deal with those kinds of problems when they have a choice.

  13. Re:Trust is the weakest link in online security on Moxie Marlinspike Proposes New TACK Extension To TLS For Key Pinning · Score: 1

    Obvious man is obvious.

  14. Not New, But Pretty Cool on Hacked Skype IP Address Search Shows Who's Speaking From Where · Score: 5, Interesting

    I saw this presented about a year ago at a security talk. If I recall correctly they were getting IP addresses by initiating a call but then terminating it before some threshold where the other party was actually notified, so it was invisible to the people they were tracking. The cooler part in my opinion was how they showed that something like 80% of people could be located on Skype (in the directory) based on information in their Facebook or LinkedIn profiles, allowing for targeted tracking of people. They also had some more advanced geo IP stuff to the point where they could get really good location results. The example they had was a woman in Florida where they could track her whole week's routine i.e. at work at 9:00, home by 5:00, where she goes to lunch, when she is visiting her grandmother in the next town. It is especially effective against people who are logged into Skype on their smart phones. Arguably the even cooler part was where they showed that they could track the entire population of a small country with something like $20,000 in computer hardware. As obvious as the nefarious applications of this are, it could also be pretty useful for tracking large scale movement for stuff like city planning.