Slashdot Mirror


User: Zeinfeld

Zeinfeld's activity in the archive.

Stories: 0
Comments: 3,931

Comments · 3,931

  1. Gates is just an uber-nerd on Crusoe To Power Microsoft-Based Tablet PC · · Score: 1
    It does not surprise me at all that Gates would go into this. I suspect that the mode of use is very different to a laptop, much more book/tv than 'work tool'.

    I sit around the house and surf on my Sony Vaio and 802.11b. I would much rather have something that was a bit more social, a raised laptop screen is kind of anti-social. I don't think I would use the thing for a really text intensive editing session but I would use it to read CNN and the Times and possibly Slashdot.

    I have tried the Palm Graffiti and it sucks badly. A large part of the reason though is the puny processor is very slow. I suspect that the need to raise the stylus after each letter is to slow down the input rate to a level the processor can manage.

    I have extensively used the CrossPad devices for taking notes. If I had something that would capture my handwritten notes electronically and allow me to go back later and correct the odd mistake I would be quite happy.

    According to C|Net: "While Microsoft is choosing to build its own demonstration systems, the Redmond, Wash.-based software company will leave it up to PC makers to build final versions of the Tablet PC."

    So there should not be a channel conflict here. Dell can make the devices if they want to. The reason why Dell is not going to make X-boxes by the way is that games console hardware does not make money for anyone. Sega and Sony make money charging exorbitant prices for the games to make up for the loss on each console.

    The key point is that Microsoft's backing is likely to be enough to create the expectation of critical mass. These things will certainly be built and arrive in the stores for X-Mas. It is not a sure thing that folk will buy them but very likely that they will.

  2. Re:Seriously on TiVo Usage Info Collected For Sale · · Score: 1
    But there is a way we can fight back.

    Yes, don't buy a Tivo. I have the same functionality as Tivo with my TV tuner video capture board and a honking great hard drive (3x80Gb).

    My main problem at present is that I can't get a satellite box which allows for program control. This means that I can record off-air (and cable if I subscribed) but not the satellite TV which has the only channels I watch - BBC World service, speedvision and comedy.

    What I want is a digital VCR that connects up to my home network. I should be able to move the programs round the house like any other file. I should be able to program the recorder from the Web. I should also be able to buy additional disk drives and plug them in using firewire.

    With Tivo I pay $400 for the box, then $10 per month for the 'service'. I don't want the stinking service. I am already paying for the information I need. I can't upgrade the disk in the box and I can't use the satellite TV provider of my choice.

  3. Bluetooth will not be cheaper on Bluetooth Bombs · · Score: 1
    Folk seem to have bought the idea that Bluetooth will be cheaper than 802.11B. The only evidence for this that I can find is vague assertions in the trade press about $5 chips.

    If 802.11 is good enough then pray tell why is it not being embedded in everything from cell phones to laptops to network appliances?

    In the first place it is, 802.11b is being integrated into new laptops as standard. Secondly Bluetooth does not meet that test either, in fact Bluetooth does not meet any test because it does not yet exist.

    The cost of implementing any electronic gadget is mainly a function of the number of units the development costs are spread over. At the last IETF I went to CISCO were selling 802.11B NICs for $50. I have no doubt that in time the cost will fall the same way the cost of an Ethernet NIC has plummeted.

    Since most of the Bluetooth devices will be AC powered I don't buy the power saving argument. I don't think the extra watts will matter. My pocket PC/ MP3 player / camera / cell phone will definitely have 802.11B so the only portable device I intend to carry had better solve the power problem.

    If Bluetooth were ready for prime time today it might just have a chance. As it is it looks like it will be another 2 years at least before it is ready for prime time by which time it will be far too late to have any effect.

    Beyond that nobody has yet explained to me why I want to have a conversation with my fridge. I can see why I want my VCR to have a conversation with my Internet connection, but every other incompatibility problem I have could be solved much cheaper by manufacturers agreeing to support a common set of Infra Red remote control commands.

    Adding Bluetooth to my VCR does nothing for me. I still need to bluetooth enable my computer to be able to program the VCR when I am out. Bluetooth does not have the bandwidth to send the content upstairs to my office PC so I can watch the program there.

  4. Using a cell phone in flight? on Telemetry Made Simple: Rocket Phone Home · · Score: 1
    So like we can't use a cell phone on a normal plane and they are going to use them on the space shuttle?

    Must be because there are no stewardesses to tell you to turn them off.

  5. Re:Secure PC on Free Linux Based Web-Appliances (From Spanish Bank) · · Score: 1
    You fail to recognize this as security through obscurity.

    That is because it isn't. Security through obscurity depends only on concealing the design of the system. BIOS verification of the boot sequence does not depend on obscurity to add security.

    The ability to mouth slogans like 'security through obscurity' does not make them applicable. You clearly don't know what you are talking about.

    Systems have had secure console modes for years. Checking the system executable is a sensible and viable precaution. It has zero to do with physical security, it is a logical security measure.

  6. Re:Secure Banking requires Secure PC. on Free Linux Based Web-Appliances (From Spanish Bank) · · Score: 1
    OK so we are all saying how copy protection sucks and is a colossal failure. So then we have folk saying 'great let's use the technology for banking...'

    Electronic data can be duplicated, nobody has a viable means of preventing that. After all there is nothing that is said behind closed doors that will not be shouted from the rooftops.

    Banking systems are register/account based for good reason. They also work pretty well.

    Trying to make electronic systems ape material systems is a mistake.

  7. Re:Secure PC on Free Linux Based Web-Appliances (From Spanish Bank) · · Score: 1

    sigh

    Why is it that any time there is an attempt to improve the abysmal level of computer security we always have someone come round decrying it as grossly deficient and not secure at all?

    I don't quite see the point in the original article where I said that a secure BIOS bootstrap would solve all security problems, cure all known diseases and end world hunger and wars. Oh that's right, I didn't, I said it would help.

    I don't see why a secure BIOS would let itself be overwritten.

    Security is risk control, if you want risk elimination then tough.

    You don't need absolute physical security to benefit from a secure boot sequence, anything to reduce the spread of viruses is worthwhile.

    But then again it is much easier to demonstrate your credentials as a crypto-weenie by criticising others than to actually do things that are useful and help improve security.

    And yes, signed kernel and all executables is exactly what I am suggesting.

  8. Secure PC on Free Linux Based Web-Appliances (From Spanish Bank) · · Score: 1
    There are some reasonable uses for a secure BIOS boot facility. I would like a scheme that would allow me to lock down a PC so it would only load the O/S after first checking the signature on it.

    The copyright protection stuff strikes me as ludicrous overreach however. What the business model is for the schemes escapes me. Unless the RIAA is going to subsidize tricked up PCs there is no incentive for the customer to buy a PC whose feature set has been chosen by a third party to limit what they can do.

    Look at the sales of the Sony SDMI compatible MP3 player, they only started to sell after they disabled the SDMI parts.

    The part of the copy protection scheme I can't quite work out is how they hope to stop people ripping CDs in the first place. Even if they have a 100% secure means of 'protecting' SDMI labelled content they will have no means of controlling unlabelled content.

    All in all I suspect that it turns out to be a solution looking for a market willing to pay for it.

  9. Look at the cryptography literature on History and Culture of Computing? · · Score: 2
    The big problem any history course would have is that the materials around to date tend to be as biased and one sided as those in any other field.

    A lot of info can be found in the history of cryptography literature. Many of the pioneers of pre-digital computing were also into cryptography, Babbage broke the Vigenère cipher, Turing broke Ultra etc.

    I would not spend more than one week on the pre-machine computing era but the idea that choosing the representation is the key to making systems computable is important. Place-value systems are important because they make the abacus possible.

    On the invention of the electronic computer there are a bunch of competing claims. Before WWII Konrad Zuse built the Z1 and Z2 computers which were the first programmable electronic devices to be built and working. The Bletchley Park systems were the first major electronic computational devices - although programmability was limited.

    You could also look at Feynman's biography where he describes the computer facility of the Manhattan project, they used tabulators for computation. [Kind of brings into question the effectiveness of ITAR restrictions on 'supercomputers' to 'stop rogue nations building nuclear devices' eh?]

    After that it depends on whether you read a UK or US history. Both tend to imply that the other groups didn't exist - although in practice they were often collaborating. Manchester tends to be ignored in the US histories, as for that matter is the fact that the US was nowhere near dominant in computing until comparatively recently.

    There is quite a bit of computer history in the book 'Big Blue' which is a biography of IBM written by the anti-trust investigator who tried to break them up.

    Another era not to forget is the Micro-vs-Mainframe fight. Again the real action here was in Europe where manufacturers were building $100 computers aimed at the consumer market that sold in millions. Sinclair outsold PET, Apple and Tandy put together in those days. A lot of that was driven by the video-game scene.

    There are a bunch of books around like Where the Wizards stay up late, architects of the web etc. However beware that many of these were written as corporate PR puff pieces. 'Wizards' is mainly an account of the BBN view of the Internet. 'Architects of the Web' is a hard core hagiography of Marc Andreessen written by the Netscape PR firm, Tim Berners-Lee is mentioned only in passing to explain how he got everything wrong. It was an attempt to rewrite history with Marc as the sole inventor of the Web.

    A lot of the other computer histories tend to fit in the same mould.

  10. Does this mean no dinosaurs? on Cloned Animals Show Grave Health Problems · · Score: 1
    Who gives a rat's ass about cloning humans? We got several billion of them already. If we are going to clone stuff might as well clone something cool.

    OK so there are some humans we might want to clone, like if there were 20,000 Pamela Anderson clones walking around the natural action of supply and demand would mean that pretty much anyone who wanted to could date one of them, only you would still need to wait at least 16 years by which time even a clone of PA is probably not going to give you time of day unless you are driving either a Red Ferrari or an open top Jaguar in British Racing Green.

    There is little point in cloning people for their intelligence since genetics only gets you so far at the genius level. They tried to 'clone' Leonardo da Vinci by sending his cousin off to sire a son with a woman from the same village as da Vinci's mom came from. The progeny didn't do much of significance before dying of some plague.

    Back to stuff it would be worth cloning, like a T-Rex. I don't think it would matter much if Dino got too fat, just put him on a cholesterol free diet, would still be way kool.

  11. Bull-poo on your Bull-poo on Red Hat Breaks Even, Beats Street Estimate · · Score: 1
    So no, you didn't say projected P/E. You didn't even say P/E--which is why I mentioned both P/R and P/E ratios. They're objective measures of the same process.

    Funny how you edit my post to omit the point where I discuss P/E and then say that I didn't mention it.

    Oh, please. If you accept that a P/E could reasonably be greater than 1, you're saying that the multiple a stock trades at in sane market conditions (your term), is limited to multiple implied by the cost of doing business.

    Bwwwaahhhaaahhaaahahaa, ok you find a company with a P/E of one that has not had major accounting irregularity accusations or the like made. A P/E of one means that a billion dollar market cap company makes a billion dollars profit in a year.

    A P/E should normally be in the range of about 15 to 30, representing a return on investment of 7% to 3.5%. Companies with very high growth can justify higher P/Es - but these should be rarities not the norm.

    What you have completely overlooked is that the PEG ratio of Red Hat is zero. Contrary to your original claim I know all about PEG ratios, the reason I did not mention them with respect to Red Hat is Red Hat does not have earnings.

    The reason I sent you to the motley fool is that I thought Tom and David might knock some sense into you. Clearly I was wrong.

    What I suspect you mean here is that the price/revenue/revenue-growth ratio should be 1, o-n-e, in a fully and fairly valued situation.

    You sound like you have been reading too much Henry Blodget - the guy who told us to buy Amazon at $350 a share. Conflating a PEG ratio of one and a PRG ratio of one is insane - that would only hold for a company with 100% margins, something no packager of free software can hope for.

    As other people have observed to justify a billion market cap Red Hat needs to make a showing for EBIT of $250 million in five years. Even at their current growth rates my excel spreadsheet does not have them making it. The high growth rates you cite are due largely to acquisition - so counting in the amortized goodwill is necessary.

  12. Re:Function-level access control on NSA Inside? · · Score: 1
    MOOs have been doing the type of thing the article explains for a while now by implementing task permissions based on the credential bits of the executing player object.

    I once had a project where we needed to code up a system very quickly that did Clark-Wilson style access controls for chat room access - i.e. the authorizations were stateful.

    So someone took a MOO engine and added in a crypto layer. This had the added advantage that when people were using the system they appeared to be playing silly games - built in steganography!

  13. A good plan on NSA Inside? · · Score: 1
    Adding mandatory access controls makes good sense. The NSA clearly need the facility. I doubt that they would write the code themselves, why use hyper expensively vetted staff to do the work? They might use some of the folk they have sitting around waiting for their positive vetting to come through.

    I have worked with the NSA on several projects and they have never attempted to tell me what to do, the suggestions they have made have all been aimed at enhancing the security of the product.

    Any code they submit is going to be vetted. I can't see them trying to slip a backdoor after the Microsoft NSA_KEY fiasco - which was a bum rap by the way.

    I would suggest however that before putting in MAC access they go talk to folk like Butler Lampson who has had some additional thoughts on the subject since inventing them in the 1970s :-) Essentially Butler reckons that ACLs should not be attached to files directly, the file should have a pointer to the ACL which can then be shared by several files, avoid the whole mess of inheritance that VMS got into. That approach has the additional advantage of minimizing the impact on the file system (the extra data in the file system is a fixed length field, not a variable length one).

    It would also be an idea to look at the work the OASIS security technical committee is up to.

  14. Re:Bull-poo on Red Hat Breaks Even, Beats Street Estimate · · Score: 1
    You watch too much CNBC. P/E or P/R ratios in isolation are meaningless.

    I didn't state a P/E, I stated a projected P/E which is what the PEG Ratio is trying to do.

    P/E is meaningless on a company with no earnings, at present Red Hat has a PEG ratio of zero. Working off prospective PEG ratios is like taking derivatives of derivatives.

    A better forward forecast is to model revenue growth and cost of sales growth. Only that would be a bit too much like hard work for a slashdot flame eh? Even on that measure Red Hat has problems because they are not strictly speaking a software company so much as a professional service company. Software cos get premium prices because their marginal cost of sales is minuscule. Professional services has a fixed marginal cost, profit rate on one consultant is the same as on a hundred.

    PEG ratios are a stock screening tool, they are not a substitute for proper analysis.

    BTW Price revenue ratio in sane market conditions tends to be 1, o-n-e, not 20. A high P/R is only really justified in a software type industry with very low marginal cost of sales and potential for very high P/E leverage as revenue growth goes straight to the bottom line.

    Go read the motley fool site a bit more, they like PEG ratios but it is only ONE of the criteria they use out of 12 or so.

  15. Re:Price/Revenue Ratio on Red Hat Breaks Even, Beats Street Estimate · · Score: 3
    Generally to support more customers, you need more staff, so profits are much more linear.

    It is worse than that, it is hard to grow the company quickly without the product quality going down the tubes. If a software company stamps out 1 million extra copies of the software and sells them the extra cash is (practically) pure profit and the quality of the millionth extra copy is the same as the first.

    If you have a consulting company it is very difficult to grow faster than 20% a year without quality sinking. Even if you can find the number of good applicants you need it takes time to weed out the good from the bad. Nobody gets a hundred wizards applying for jobs each year, you have to take kids out of college and learn them. That means choosing people who can develop new skills.

    A certain famous Mountain View ex-company started out as an elite net savvy company and ended up like one of those big consulting Co.s that hire practically anyone off the street who walks in the door. Nobody can do 100% growth in services without the quality going down the tubes.

    The basic problem is that geeks have skill sets that are at least as specialized, valuable and in demand as lawyers. The average salary of a lawyer might be much higher ($200,000 vs. $100,000 for the alpha geek) but until now the difference has been made up in stock option grants (last year $0 for lawyer, $0->$2,000,000 for geek). OK so for many these are a lottery but as any bookie will tell you the perceived value of a 1 in 100 chance of making a million is much more than the arithmetic $10,000.

    After the dotcrash geeks are demanding cash on the barrel. Those paid in options are getting bigger grants. What this means is that the market is really really good for geeks and not good at all for people hoping to make a fortune off the surplus value of geek labor.

    I would expect that in 5 years time the number of geeks would be perhaps 100% larger and the cost of hiring an alpha geek would be at least as high as a lawyer. Already there are a few geeks who command $5-10,000 / day consulting fees and if the Black-Scholes value of their options is counted in, million dollar salaries. I don't ever expect that to become the norm (bar hyperinflation) but the number of golden-geeks will exceed the number of golden lawyers.

    Another point to ponder, capital has a high rate of return only when it is scarce. Capital is no longer scarce in geekdom. So why should the gains from Linux go to the party providing the ubiquitous commodity (shareholders capital) rather than those supplying the scarce commodity (talent)?

    Geeks of the world untie, you have nothing to loose but your suits!

  16. Re:A unified standard on AOL Blocking Open Source IM Clones ... Again · · Score: 1
    I agree, and there are folk in the IETF working on a protocol standard.

    The technical problem with AIM is that it requires a huge monolithic central server to act as a hub for the messages. The deployment problem is that AIM has a majority of chat users. So we need to offer a service with a functional advantage over AIM to win.

    The most obvious functional advantage is not being able to talk to AOL lusers. However that is unlikely to fly outside of slashdot-dom.

    A more serious advantage would be to add security and encryption into the protocol. This should support both PGP and X.509, libraries for both are readily available.

    The protocol I have in mind could be cooked up in a few days by a competent hacker (unfortunately my hacking braincells are burned out these days so I am an architect only). The sequence of events I see happening are as follows:

    1) Registration

    Alice starts her chat client. The client sends a message to her directory server that states that it will be listening on a particular TCP/IP port, will accept certain content types (plain text, html, audio, video, etc.). The message is authenticated using a previously exchanged shared secret.

    Chat service sends Alice an 'accept notification', this also tells the chat client how often it should repeat the registration notification (it will time out in say 1 hour).

    2) Conversation

    Bob wants to send Alice@somewhere.test a chat message. His client first queries the DNS service to discover the SRV record pointing to the chat directory of somewhere.test

    If there is no SRV record the client tries a well known port on somewhere.test.

    Client queries somewhere.test for 1) Alice's public key info and 2) Alice's current chat client port.

    Client performs a key exchange against the application listening on Alice's chat client port.

    Client sends data direct to Alice. This is a genuine Napster type peer/peer contact.

    3) Firewall traversal

    You folk thought I had forgot the firewall traversal problem eh? It is a serious issue since if Alice is sitting behind a firewall or NAT box she can't open up a listening port. The firewall issue I have zero sympathy with, that is the point of a firewall! The NAT problem is significant and serious, especially for folk with cable modem access.

    The problem can only be solved by having some sort of 'proxy' at an Internet location that can open up a listening port and poll against the proxy for messages pending. This could be the 'directory' but the design has to allow the function to be separated for scaling reasons (make single points of processing do as little as possible). This means that the conversation protocol needs to tag all messages with the name of the party the message is to be forwarded onto. [i.e. don't screw up like we did with HTTP and leave off the server domain name from the GET line]

    I know there are plenty of companies touting 'open' protocols. But the ones I have seen so far have been designed around 'closed' business models with a huge central hub meant to take over the world. Perhaps Jabber is different.

    I want something that allows me to encrypt the conversation. Any interest in cryptotalk or is there something out there already?
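
The registration, lookup and relay steps sketched in the comment above, modelled in Python as an added example (not part of the original comment and not code from any real IM project). The HMAC-SHA256 construction, field names, clock-skew limit, replay check and sample addresses are assumptions; the public-key lookup and key exchange of step 2 are left out and the message body is treated as opaque ciphertext.

```python
import hashlib
import hmac
import json

REGISTRATION_TTL = 3600  # seconds; the comment suggests "say 1 hour"
MAX_CLOCK_SKEW = 300     # assumption: how stale a signed timestamp may be
FIELDS = {"user", "port", "types", "ts", "mac"}


def _canonical(fields):
    """Stable byte encoding so both sides MAC identical input."""
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def sign_registration(secret, user, port, content_types, timestamp):
    """Step 1, client side: announce listening port and accepted content types."""
    fields = {"user": user, "port": port,
              "types": sorted(content_types), "ts": timestamp}
    mac = hmac.new(secret, _canonical(fields), hashlib.sha256).hexdigest()
    return dict(fields, mac=mac)


class Directory:
    """Directory for one domain: stores where a user is reachable, never messages."""

    def __init__(self, secrets):
        self.secrets = secrets  # user -> previously exchanged shared secret
        self.records = {}       # user -> last accepted registration

    def register(self, msg, now):
        """Step 1, server side: verify the message, then accept or reject it."""
        if (set(msg) != FIELDS or not isinstance(msg["user"], str)
                or not isinstance(msg["ts"], int)):
            return {"status": "reject", "reason": "malformed"}
        secret = self.secrets.get(msg["user"])
        fields = {k: v for k, v in msg.items() if k != "mac"}
        expected = hmac.new(secret or b"", _canonical(fields),
                            hashlib.sha256).hexdigest()
        # Same answer for unknown user and wrong MAC: no account enumeration.
        if secret is None or not hmac.compare_digest(expected, str(msg["mac"])):
            return {"status": "reject", "reason": "auth failed"}
        if abs(now - msg["ts"]) > MAX_CLOCK_SKEW:
            return {"status": "reject", "reason": "stale"}
        previous = self.records.get(msg["user"])
        if previous and msg["ts"] <= previous["ts"]:
            # A captured registration must not be usable a second time.
            return {"status": "reject", "reason": "replay"}
        self.records[msg["user"]] = {"port": msg["port"], "types": msg["types"],
                                     "ts": msg["ts"],
                                     "expires": now + REGISTRATION_TTL}
        # The accept notification tells the client how soon to re-register.
        return {"status": "accept", "repeat_within": REGISTRATION_TTL}

    def lookup(self, user, now):
        """Step 2: where Bob's client should connect, or None if Alice is offline."""
        rec = self.records.get(user)
        if rec is None or now >= rec["expires"]:
            return None  # timed out; the record is kept only for replay checks
        return {"port": rec["port"], "types": rec["types"]}


class Relay:
    """Step 3: internet-reachable proxy that a client behind NAT polls."""

    def __init__(self):
        self.queues = {}  # full address -> pending envelopes

    def submit(self, envelope):
        to = envelope.get("to")
        if not isinstance(to, str) or "@" not in to:
            # Every message carries the name of the party it is forwarded to.
            raise ValueError("envelope must name the party to forward to")
        self.queues.setdefault(to, []).append(envelope)

    def poll(self, address):
        # A deployed relay would authenticate the poll like a registration.
        return self.queues.pop(address, [])


def demo():
    secret = b"constructed-shared-secret"      # constructed sample value
    directory = Directory({"alice": secret})
    t0 = 1_000_000                              # constructed clock value
    reg = sign_registration(secret, "alice", 40123,
                            ["text/plain", "text/html"], t0)
    out = {"accept": directory.register(reg, now=t0 + 1),
           "replay": directory.register(reg, now=t0 + 2),
           # Port changed after signing: the MAC no longer matches.
           "forged": directory.register(dict(reg, port=6666, ts=t0 + 3), now=t0 + 3),
           "live": directory.lookup("alice", now=t0 + 10),
           "expired": directory.lookup("alice", now=t0 + 1 + REGISTRATION_TTL)}
    relay = Relay()
    relay.submit({"to": "alice@somewhere.test", "from": "bob@elsewhere.test",
                  "body": "<ciphertext>"})
    out["polled"] = relay.poll("alice@somewhere.test")
    out["empty"] = relay.poll("alice@somewhere.test")
    return out


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The directory only ever learns a port and a timestamp, which is what keeps it small compared with a central message hub; the relay is the one component that sees traffic, and then only ciphertext addressed by name.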

  17. Price/Revenue Ratio on Red Hat Breaks Even, Beats Street Estimate · · Score: 3
    Err folks even in the software sector a price/revenue of 1 billion to 100 million/yr is pretty rich.

    Red Hat would have to double revenues without increasing costs to get to a P/E of 10. I guess that is possible, just about. But Red Hat also faces serious competition and anyone and their brother can set up to compete at any time.

    I would take the opposite tack, the cost of information approaches the marginal cost of production in a free market.

    Red Hat could make money on the consulting side but very few consulting companies are structured as public companies, they are structured as partnerships for very good reasons. Essentially as the Linux market matures the best RedHat employees will do better for themselves by setting up their own consulting companies than working for Red Hat.

  18. Re:DeCSS MORON!!!! DVDS *are* MPEG-2 file streams! on DeCSS Reply Brief Posted · · Score: 1
    My theory is that the post is rated interesting precisely because it is so wrong. People read it and say hmm "I didn't know that" then they mod the story up because it told them something they didn't know. It's like being told that Abraham Lincoln was an avid collector of mustard pots, interesting but entirely bogus.

    When I read the post I took it to mean that the file was dumped by DeCSS in uncompressed format which would be eccentric (and pathetic) but not exactly impossible. The guy is clearly out to lunch though on second reading.

    So now we have that squared away since we have established that DeCSS works for Windows anyone know of a DVD player without region control and without the navigation lock out for my Windows PC? My media PC has two functions, to play DVDs and either Tomb Raider or Diablo II.

    BTW while we are discussing hacks, rather than waste time on unimportant matters like DVDs I would be much more excited if someone would turn their attention to a genuinely worthwhile social project - cracking Tomb Raider to allow substitution of certain bit map images, you know the ones I mean.

    A DVD player on Linux would not interest me much. However a DVD player plus Tivo like digital VCR functionality would be kool.

  19. Its more than the keys. on DeCSS Reply Brief Posted · · Score: 1
    The DeCSS case is about the combination of the program plus the Xing key. The Xing key alone would not allow anyone to read a DVD.

    The Xing key is important but given that it is 40 bits it could be discovered in a moderate amount of time with a brute force attack. To make this possible someone would have to recover the encrypted session keys from a DVD.

    Decrypting all 400 session keys would be a worthwhile project. In the first place the Xing key is not enabled in new CDs. More importantly it would eliminate the ability to rely on the allegedly illegal reverse engineering.

    I am surprised that the validity of the license in Norway is not dealt with. It would appear to me that the burden of proof should be on the party claiming that the reverse engineering was illegal to demonstrate that was the case. This may be because the appeal is on the points of law and is against the interim injunction so the MPAA gets the benefit of relying on facts that they don't have to prove until full trial.

    The plain fact of the case that should be stated repeatedly is that DeCSS is not a device to prevent copying. Its primary purpose is to enforce the region encoding and the navigation controls. I don't think that any court should defend a scheme whose primary purpose is to charge double for a DVD in Europe that is differential pricing and is entirely illegitimate.

    Even Orrin Hatch who originally supported the DMCA is now real pissed with the studios, he has stated in so many words that he thinks he was deceived. He was also well paid for his support in campaign contri-bribe-tions.

  20. Re:The system needs reform on Don't Trust Code Signed by 'Microsoft Corporation' · · Score: 1
    A 5-yr cert might be appropriate, but 1-yr is ridiculous.

    How many dotcoms did you expect to last more than 12 months in 1994?

  21. Re:German Microsoft non-ban on Slashback: Cookies, Germans, Art · · Score: 1
    Oh and a member of what was once a notorious cracker outfit should be automatically believed when he makes such statements?

    If Germany was moving away from US software it would not escape the NSA so why pretend?

    The idea that any bureaucracy would have a consistent and coherent policy on the point is a little weird. Any organization monolithic enough to enforce a choice of a single operating system is not going to choose Linux. I mean let's get real here.

    They are going to choose a big monolithic operating system that looks like their organization. Most likely something real stinky like VM/MVS or if it was UNIX it would be one of the real obnoxious military hardened efforts.

    What the comments from Andy M-M come down to is 'although the report is denied they can't prove it to be false therefore it MUST BE TRUE.'

  22. Re:Drive-By Spammings on Free Wireless For Fun And / Or No Profit · · Score: 1
    Spammers should be dealt with using physical security measures. Specifically a large but not too ripe pineapple to be inserted into the nether regions.

    The Mikado would probably insist on a tin of SPAM but even if the punishment should fit the crime the tin would be too smooth for discomfort.

  23. Re:Cool idea.. on Free Wireless For Fun And / Or No Profit · · Score: 1
    O.K. let's run with it.

    First off, requirements analysis

    I am happy to allow anyone nearby borrow my bandwidth provided it does not negatively affect me.

    What this means is that the 802.11b base station should allow me to configure 'guest' access. Guests can get out to the Internet but cannot surf my local network. Also I should be able to set a cap on the amount of bandwidth they suck up and my packets always take precedence.

    What does WEP provide

    Well the big problem is the built in 802.11b security is worthless. Despite the '128 bit' claims made and the premium price of 'gold' cards the effective security is 24 yes 24 bits. Ian Goldberg at Stanford and co worked that one out.

    The Wired Equivalent Privacy protocol is pretty hopeless. There is one secret key for the whole network. So the first employee you fire can sit in the carpark and surf your intranet. It is completely unscalable.

    Best approach at present is to ignore WEP and use IPSEC on your wireless connected machines.

  24. Re:Wondering... on Don't Trust Code Signed by 'Microsoft Corporation' · · Score: 1
    I am wondering if that prompt is authorizing all certs from a company - or a subset ( by date or by class, etc)? Anyone know?

    As I said in another post according to my reading of the spec and dialogs etc. it should not. The 'always trust' is tied to a particular certificate.

    However it is a useful question to ask and the AC saying it wasn't was wrong. I doubt the person who responded for the article checked the code first.

    BTW Microsoft do have a root key installed in their own browsers but I don't think they actually use it. I am trying to force a new download of a MSFT product to verify this but I can't find an Active-X component now I need one.

  25. Re:True story: Why you shouldn't trust Verisign on Don't Trust Code Signed by 'Microsoft Corporation' · · Score: 1
    But the engineer who had left could very well have taken a copy for himself; and use that for his advantage one day...

    True, but the original poster had mistakenly thought that giving someone his public key was a security failure.

    There is an inherent problem in any public key based system that the security is only as good as the security of the private key.

    There is a significant value to limiting the number of people who could perform an attack to those who have physical access to the machine. If the engineer was corrupt and something bad took place, the number of people who could have done it would be few.

    As with any security system, the mere existence of a possible but improbable method of attack does not mean that the security scheme is utterly useless. There is no safe in the world that cannot be cut open with an oxy-acetylene lance. Even the big ones they use at Fort Knox and the Tower of London for Queenie-poo's jewellery can be opened given enough time. That is why high security safes are rated in terms of the number of hours they take someone to break.

    Stealing an SSL private key would not do an attacker much good unless they could also do a DNS spoofing attack. Each SSL cert is tied to a specific DNS address (at least in v3, v2 is utterly braindamaged).