Slashdot Mirror


User: grumpy_old_grandpa

grumpy_old_grandpa's activity in the archive.

Stories: 0
Comments: 207

Comments · 207

  1. Re:Companies shouldn't have this anyway on Feds Allegedly Demanding User Passwords From Services · Score: 3, Insightful

    GP is right: Somewhere in the code, the password has to be kept before it is passed on to the hashing function. His point was that the system maintainer might be forced by a spy agency to alter the code so that the password variable is not temporary, but instead logged in persistent storage.

    But even disregarding NSA, the link between the authentication system and the UI is usually the weakest. That's where we see attacks like key-loggers, phishing scams, attack on secure memory, etc. Again, it proves his point: The password will be known by some part of the system, even if it's temporary, before it is passed on for hashing or validation.

  2. Re:I don't buy it on CNET: Feds Put Heat On Web Firms For Master Encryption Keys · Score: 1

    Why spend time and energy kicking down the door when they can just force you to hand over the key? It is clear that they've had broad access to user data, and metadata. At any rate, it's more interesting to see what we can do to defend against these kinds of attacks. SSL as it is currently used is obviously not enough.

    Furthermore, it has become clear that the "I have nothing to hide" argument is not only ignorant, but also arrogant and egoistic: If we had encrypted all our one-to-one (e-mail, chat, etc.) messages, we would have helped our brethren who actually do have something to hide from the government, whether they are journalists, activists, or whistle-blowers. Their encrypted traffic would no longer stand out, and brute force cracking every one-to-one PKI message is not feasible. The government would have to rely on more targeted attacks, like man-in-the-middle for specific sessions, or key-loggers etc. on specific computers.

    Dragnet surveillance of data can be defended against, though the metadata part is harder, lest everybody use Tor for everything.

  3. Re:Kindle changed my view on Poll Shows That 75% Prefer Printed Books To eBooks · Score: 1

    George Orwell begs to differ. As does Richard Stallman.

  4. Re:Walls between divisions on Steve Ballmer Reorganizing Microsoft · Score: 2

    Maybe if they had worked with open standards, that would not have been a problem...

  5. Re:Fuck 'em on Police, Copyright Industry Raid Movie Subtitle Fansite · Score: 1

    That's exactly why I pirate stuff: Because it is not free. For every copy I download of the latest Bieber fad *, he will lose hard cash. In fact, even using the lowest court case estimates of per-track value, he should be pretty much broke by now. That's how many times I've downloaded it. That's exactly how it works, right? Right?

    Sorry, but bits and bytes are for free. That somebody wants to get paid for Imaginary Property should not be my problem.

    *) Note, I reckon I don't actually have to listen to his stuff for the loss of money to occur. Because if I have to, I'd rather download Britney Spears.

  6. Re:Fool's errand on Tech Companies Looking Into Sarcasm Detection · Score: 1

    I find that sarcasm has more to do with context, and often detailed knowledge of both the background topic and the author making the statement. Lose any of that information or context, and it can become impossible to say if something was meant as a fact, or the opposite.

    To illustrate, take this statement:

    Windows is a great operating system.

    If the author of that is Bill Gates, you'd assume he was stating his opinion, and trying to sell his OS. Of course, to get to that conclusion, you'd have to know who Gates is, what he did, and what Windows is.

    Now let's assume Linus or Stallman made the same comment. You'd automatically assume it was made in jest. However, it could very well be that the following text would seem to back up the statement, but would be sarcasm throughout, e.g. my following up with "... and it has great security". Again, you'd have to know the author, what his stance is, and the details on the topic and its history.

    Finally, give the quote to Tim Cook. What would you make of it? Maybe one would expect a follow-up which countered the statement, but still not implying sarcasm to begin with. Taken out of context, it'd be impossible to say.

    If a random Slashdot commenter jotted down the statement, it'd also be impossible to say. There are posters from all factions here, and usually it's not clear what their previous stance on a particular topic is. Maybe the intent can be deduced from the surrounding discussion, but not always. Thus a lot of "woosh" replies.

  7. Re:OMG! Countries spy on each other?! on More Details Emerge On How the US Is Bugging Its European Allies · Score: 1

    It has always been obvious that most of this has been going on for decades. However, if you had claimed as much about four weeks ago, you would have been labelled a conspiracy nut job.

    Now the cards are on the table, and we all know what to do. Hopefully.

  8. Re:anti-sex ad policy? on Google's Blogger To Delete All 'Adult' Blogs That Have Ads · Score: 1

    The "I can't define it, but I know it when I see it" stance works when you want to weasel out of the topic, which is why it was acceptable for the judge who used that line. However, as policy or for classification, it should be obvious that it doesn't work.

    In fact, there are many examples of content classification systems and age recommendations. Sometimes these might seem out of touch; e.g. a single swearword or naked breast might be enough for a stricter rating. However, at least we've progressed to discuss the precise definitions and guidelines, as opposed to "I'll make up my mind when it suits me".

    Now, in Google's case, there's no surprise they've weaselled out of such a discussion. First of all, it would be a nightmare to get all cultures across the world to agree on one standard. But even if you allowed for country specific guidelines, you'd have to have an ongoing conversation with customers about those definitions. Google can hardly handle simple end-user sales support, so a highly subjective topic like morality is way beyond their competence and ability.

  9. Re:RMS is a hero in my eyes (again) on RMS, Aaron Swartz Among 2013 Internet Hall of Fame Inductees · Score: 2

    > He's still living in his own little world where all software should be [GPL'ed]

    Reach for the stars - hit the moon

  10. Re:Hubris. on Aurora Attackers Were Looking For Google's Surveillance Database · Score: 1

    Google does have incentives in this matter: User trust. If they lose it, there will be fewer page views, fewer ad clicks and less money. Even if the likelihood of any single user being affected by the surveillance laws is small, it's the perception which counts. It's some of the same fear Microsoft plays on with their Scroogled ads.

    The reason you don't see other companies take up the surveillance issue in the same way, is that they don't stand to lose as much. Microsoft will still sell Windows and Office licenses, Apple will sell fashion accessories.

  11. Re:Google the biggest fighter against govt data re on Aurora Attackers Were Looking For Google's Surveillance Database · Score: -1, Offtopic

    Sorry to cut your wanking session short, but Google is not your friend. As any business, their primary objective is to line their own and their investors' coffers. It is true that some of their PR campaigns and interests align with the political ideals of the average Slashdot user, but to think they spend time and millions of lawyer money fighting the government for the greater good is rather disingenuous.

    As we've seen time and again, any project or effort which does not make enough money will be cut. If they did not benefit from a stance against government surveillance, they simply would not bother. Look no further than their silent nodding towards the CISPA as an example.

  12. Re:Wait, what? on Microsoft Unveils Xbox One · Score: 1

    > You say "off" and your XBOX, TV, hifi, laptop, phone, tablet, air conditioning and lights all turn off simultaneously.

    Well, I suppose you'll have to address each device by its manufacturer and product name, e.g. "Google Glass, take a picture". Which of course will still fail in your first example. So, we'll have to come up with some kind of unique identifier for devices. Let's make it a 256 bit number, and call it... IP7! Now, if there only was a way to map a number to a more human readable name...

    "AmiMoJo-dot-xbox-dot-microsoft-dot-com, please turn on!"

  13. Re:How would you punish Apple? on Justice Department Calls Apple the "Ringmaster" In e-book Price Fixing Case · Score: 1

    So that bit about the rotten fruit seemed like a spur of the moment comment. But the prison arrangement you really had figured out to the last detail... Did I miss any prison games lately? "Theme Prison", "The Sims Behind Bars", or "GTA - Caught DLC"?

  14. Re:Wrong, public is public on In Australian Town, Public CCTV Off Over Privacy Concerns · Score: 3, Insightful

    Your argument for total police surveillance of public space is flawed on two points:

    1) Your comparison between yours or your neighbour's private recording, and blanket systematic surveillance is not valid. It is not valid because of the difference in scale. When you commit a crime, or a good deed, scale always matters. Kill a person, vs. a million, and you will see very different reactions. Same thing if you give a homeless person a coffee, or feed a million hungry.

    If we were to allow blanket police surveillance of all public space, with automatic face-detection, and what not of other technologies they deem useful, we'd end up in a 1984 / Kafka world of tyranny. Only from the false positives alone, there would be a prison population dwarfing the US' current for-profit "correctional" facilities.


    2) Secondly, you seem to believe that the police can be trusted and uphold the law and code of conduct to the letter. Spend any time searching (YouTube or Google) for police brutality and mistakes, and you will find that the opposite is true. And no, this is not that case of "a few bad apples", it is a natural effect from the abuse and corruption of power.

    Any power or privilege will be abused by a not insignificant number of people it is given to. It is unfortunately human nature. The police force is no different, and that is why there are thousands on thousands of videos showing the police acting like thugs all over the place. They cannot be trusted, and we must seek to limit their power, not expand it.

    So coming back to the original problem of camera surveillance, the case in the article was a typical example of abuse of power by those who were entrusted with it. Give out more power, and this effect will only multiply. Nor are technological solutions to this social problem adequate or possible; they never are. Instead, we must simply avoid putting up cameras everywhere.


    To summarize: All power will be abused. Therefore, we must grant only as little power as possible to any system or person in control, lest they abuse it. That's a basic property of any modern democracy, and the police force is no different.

  15. Re:Is Google Glass Too Nerdy For the Mainstream? on Is Google Glass Too Nerdy For the Mainstream? · Score: 1

    Totally with you, and here's the quote you're looking for:

    "Android is very different from the GNU/Linux operating system because it contains very little of GNU. Indeed, just about the only component in common between Android and GNU/Linux is Linux, the kernel. People who erroneously think "Linux" refers to the entire GNU/Linux combination get tied in knots by these facts, and make paradoxical statements such as "Android contains Linux, but it isn't Linux". If we avoid starting from the confusion, the situation is simple: Android contains Linux, but not GNU; thus, Android and GNU/Linux are mostly different."

    Source: http://www.gnu.org/philosophy/android-and-users-freedom.html

  16. Re:28DaysLater on Protesting Animal Testing, Intruders Vandalize Italian Lab · Score: 1

    > an epidemic of people rocking in the corner and talking to themselves.

    I didn't realise Google Glass was released for mainstream adoption yet. ;-)

  17. Re:It's time to stop calling these things "phones" on Samsung Unveils the Galaxy S4 · Score: 1

    > install a full version of Linux

    Also known as "GNU/Linux" (as opposed to Android/Linux)?

    Does it matter, you say? When you talk to your mom, probably not. When you discuss on a geek forum, yes, it does make you come across as slightly more informed if you don't call it "half Linux", "full Linux" or "real Linux".

  18. Re:Seriously Underwhelming on Among Servers, Apple's Mac Mini Quietly Gains Ground · Score: 2

    > I wish there was a standard for servers, so that I wouldn't have to keep reconfiguring my data center layout.

    I know! The 1U vs. 1Ui is driving me nuts!! Why would anybody think that 1024 mm to the meter would make any sense? Thus a 44.45 mm 1U becomes 45.516 mm in the 1Ui unit!!


    (Since this is the Internet, I guess I'll have to put in the small print: This is a joke. It's supposed to be funny).

  19. Re:Blew their support contracts.. on Certificate Expiry Leads to Total Outage For Microsoft Azure Secured Storage · Score: 1

    Behind the clouds, the sky is always blue.

  20. Re:Life is tricky for flash on Taking a Hard Look At SSD Write Endurance · Score: 1

    > What you really need to do is buy a couple drives and beat the heck out of them with *realistic* usage patterns.

    No. We need to stop confusing stress testing with load testing simulations. Your "realistic" usage patterns will just be another simulation with different parameters, in the end.

    The posted article is an estimate on what a stress test would give you. However, as already mentioned by others, some of the parameters are off. The write count is lower, but so is the top write speed. Let's say 250MByte/s, and 10k write count on a 32 GB disk. Using his plots, I then get a cross of the 10% line after about 14 days.

    So when we have an estimate which matches what we have on our hands in terms of write count and controller speed, we can go ahead and do a stress test to verify the hypothesis. Buy a few disks from different manufacturers, and let them run. Only problem is, you'll have to spend time on erasing and checking as well, so it will take at least twice as long, so maybe a bit more than a month. Still doable, though.

    As for the "realistic" test. Sure, let us know in ten or twenty years when you have your results.

  21. Re:Saw an ad on ABC last night with my wife on MS Targets Google With Another Smear Campaign · Score: 1

    > it's a post-privacy society, get over it.

    That's just utter bullshit. Some degree of privacy is a basic human need; in fact a right. Just because some kids are not bright enough to yet understand that exposing their whole life on the Internet is not a good idea, does not mean that the rest of society has to follow their mistakes.

    As long as we live in free societies, we are still free to control what and how much information is shared. Admittedly, there might be some conveniences you will not be able to take advantage of, but that's an individual choice. However, to be able to have a choice, it is important that alternative infrastructure, systems and user applications are available. Luckily, they are: You can set up your own e-mail server, your own web hosting, chat, VOIP and so on; all based on open source. Bitcoin is still somewhat niche, but will hopefully be one amongst many alternatives to Visa/MasterCard or Paypal. And so the story continues.

    As long as we don't follow in the footsteps of kids who will gobble up the latest Insta-hipster-iThing like a godsend, we'll be just fine.

  22. Re:41GB on 64GB MS Surface Pro Only Has 23GB of Free Space · Score: 1

    But *what* are all those apps for? 41 GB; that's a lot of stuff. (Somebody mentioned a recovery partition, but even 20 GB is too much for the OS and apps).

  23. Re:Absurd on NZ Copyright Tribunal Fines First File-Sharer · Score: 1

    > this person didn't know what they were doing was illegal.

    I didn't get that bit. Surely, she knew after the first strike? She was informed at the first occurrence, right? Or is there just some internal counter in somebody's system, which only sends out a letter once it hits 3?

  24. Warranty? on Linux: Booting Via UEFI Can Brick Samsung Notebooks · Score: 1

    It seems that Samsung will have to take the blame for this; that is, they should have tested for this. As it stands, it should be considered a manufacturing fault on their part. So the question is now, will the unlucky owners of Samsung bricks have them replaced under warranty?

  25. Verbify on How Proxied Torrents Could End ISP Subpoenas · Score: 1

    Before we go ahead with any of this, could we please not "verbify" all the nouns? In other words, feel free to implement a proxy based p2p protocol or network, as long as you don't "proxify" it.