Slashdot Mirror


User: Zeinfeld

Zeinfeld's activity in the archive.

Stories: 0 · Comments: 3,931

Comments · 3,931

  1. Re:Some thoughts on Don't Trust Code Signed by 'Microsoft Corporation' · · Score: 1
    There is no way ANYONE, even Microsoft, can prove that it has not happened. But it will only take one counterexample to prove that it has.

    Ok, no-one has complained about a piece of seriously malicious code that was traceable to the certificate. We still don't have any evidence to suggest it has happened.

    But as you point out, yes, someone might have had their hard drive munched due to this cert and not realised it.

  2. Re:Has the cat got out of the bag? on Don't Trust Code Signed by 'Microsoft Corporation' · · Score: 1
    That is, are we talking about a real threat or a potential threat?

    Potential; according to CNET there is no evidence that anyone attempted to use the key or posted it anywhere.

    I just searched google and dejanews and did not find someone claiming to have the key. Of course it might be in a different language.

  3. Re:Shows the vulnerability in PKI on Don't Trust Code Signed by 'Microsoft Corporation' · · Score: 2
    This would be a non-issue if CRLs or something better could provide real-time authentication of certs.

    There are two technologies out there, OCSP which has been around for a while as a specification and is just coming into service and XKMS which is XML based and has only been around a few months.

    The problem is that this does nothing for the legacy browsers out there...

  4. Re:All PKI suffers from this on Don't Trust Code Signed by 'Microsoft Corporation' · · Score: 1
    Unfortunately, Microsoft has crappy PKI capabilities in their products. It wasn't until Internet Explorer 5 that they could handle CRLs at all.

    And exactly whose undisclosed patent application was responsible for that situation, eh? I would go talk to Carlisle and Tim if I were you before attempting to score points on that particular issue.

  5. Re:Wondering... on Don't Trust Code Signed by 'Microsoft Corporation' · · Score: 1
    Most browsers (at least, IE and Netscape) come equipped to trust any certificate signed by Verisign. When you go to a page with a Verisign cert, the browser will trust the certificate, regardless of what company actually owns it.

    This is true for SSL certificates but false for authenticode certificates. With SSL the worst thing that can happen with a fraudulent certificate is that you are having a confidential conversation with someone who is impersonating the party you think you are communicating with.

    With authenticode the default trust is off since even if the code is authentic and does come from crackersrus.com you may not want to trust and run code from that provider by default.

    The default trust is actually enabled at the certificate level, so trusting Microsoft by default does not mean you trust the fraudulent certs by default.

  6. Re:True story: Why you shouldn't trust Verisign on Don't Trust Code Signed by 'Microsoft Corporation' · · Score: 3
    So I called Verisign customer service, told them that I was calling on behalf of this company, the engineer had left so could they send me a copy of the certificate? The customer service representative goes: "Oh sure, what's your email address?". I give her my email and she emailed it to me. That was it! No id checking. No passphrases. Nothing. And they sent it to me in plaintext email.

    The certificate would also be in the VeriSign LDAP directory and would in any case be handed out to everyone who accesses your Web site using SSL.

    With certificate based PKI the security does not lie in keeping the certificate secret. The purpose of the certificate is to authenticate your public key.

    The security depends on you maintaining the secrecy of your private key. That was generated by your engineer on the server itself and VeriSign would never see it.

    So calling up VeriSign and asking for a copy of the certificate does not constitute a security problem. It is like telling someone your PGP fingerprint, or someone downloading a key signing from BAL's MIT key server or whatever; it does not compromise your key.

  7. Re:Always trust content from Microsoft Corporation on Don't Trust Code Signed by 'Microsoft Corporation' · · Score: 1
    A while ago I checked a checkbox labelled "Always trust content from Microsoft Corporation". Is it possible to undo that?

    There should not be any need. The 'always trust' flag is tied to the certificate itself. So unless you encountered the fraudulent cert you should not be trusting it by default, and hey if you are then you is already toast:-)

    You can check your situation / undo the default trust by going into Internet Options / Tools and opening up the 'Content' tab, then open the 'certificates' dialog (don't ask me why certificates are not under security).

    The certificates dialog lists all the certificates you have chosen to trust for whatever reason or are trusted by default. If you selected 'always trust content from Microsoft' then there should be a certificate in the tab labelled 'intermediate certificate providers', open up the certificate and look at what it is trusted for, 'uncheck code signing'.

    If anyone does this and finds the fraudulent certs already there then I guess you need to call up VeriSign so they can pass the information on to the FBI. The fraudulent certs have a Subject of Microsoft Corp. and (according to C|NET) the "Valid from" field starts with either a Jan. 29, 2001, date or a Jan. 30, 2001, date, the certificate is fraudulent and the person should not download the software.

    Now unless Microsoft have been needlessly clever and set it up so that if you trust one certificate you will automatically trust a 'replacement', accepting the bona fide Microsoft certificate should not cause the fraudulent one to be accepted.

    If they were "clever" they might have a default so that if you trusted a particular certified key in the past and the cert was reissued you would trust the successor. I will attempt to test that but it really should not be the case.

  8. Some thoughts on Don't Trust Code Signed by 'Microsoft Corporation' · · Score: 1
    First off, the system has not failed when someone obtains a fraudulent certificate. It has failed at the point that someone successfully uses it. That has not yet happened. We are talking about a significant and serious failure of one part of the Authenticode system. This should be borne in mind before people start saying that Authentication gives zero security.

    Security is about risk control, it is not risk elimination. Authenticode was designed to make downloading software over the net possible by giving a certain degree of assurance that it came from a specific source.

    Sure the authentication procedure could be toughened up, requiring people to fly out to California to apply in person, present their passports etc. But does anyone believe that if that had been the requirement people would have used authenticode at all?

    One of the rationales given for not insisting on stronger authentication procedures in the SSL space was that if you set a bar that can filter out 99% of the attackers you can then go after the remaining 1% with lawyers and handcuffs. In this case the culprits will have a target painted on their forehead if they try to use the certificates.

    So what can the attacker do with their certificates?

    They certainly can't boast about their involvement since they have committed fraud. The FBI are reportedly investigating already.

    The only thing that an authenticode certificate is good for is to sign code. They could sign a piece of malicious code. But how would they distribute it? They would have to make sure that the Web site the code was distributed through could not be traced back to them.

    Even if they did sign malicious code the code itself would be signed with the known 'fraudulent key'. They might catch some people out initially, but the first person to check the cert would raise the alarm.

    The problem would go away if the Authenticode verifier did a CRL check or OCSP verification. Until now there has been resistance to checking of CRLs as 'too complex', the technology certainly exists however, VeriSign issues a CRL and VeriSign was the original inventor of OCSP. Hopefully what people will take out of this is that CRLs and OCSP are needed.
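The revocation check that comments 3, 8 and 23 keep coming back to, as an added example that is not code from the original posts, from VeriSign or from Microsoft: a constructed toy CA issues a genuine code-signing certificate and a second one matching the description above (Subject "Microsoft Corporation", valid from Jan 30, 2001), publishes a CRL revoking the second, and a verifier checks the chain, the CRL signature, the CRL's freshness and the serial number before trusting the signer. All keys, names and serials are generated locally; the `must` helper and `demoPKI` type are fixtures for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// ErrRevoked is returned when the signer's serial number appears in the CRL.
var ErrRevoked = errors.New("code-signing certificate is listed in the CRL")
func must[T any](v T, err error) T { // keeps the constructed fixture short; a real verifier returns errors
	if err != nil {
		panic(err)
	}
	return v
}

// issueCodeSigner has the CA sign a leaf certificate carrying the code-signing EKU.
func issueCodeSigner(ca *x509.Certificate, caKey *ecdsa.PrivateKey, serial int64, name string, notBefore time.Time) *x509.Certificate {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{Organization: []string{name}, CommonName: name},
		NotBefore:    notBefore,
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey))
	return must(x509.ParseCertificate(der))
}

// demoPKI is a constructed toy hierarchy: a CA, a "genuine" signer, and a signer
// matching the comments' description of the fraudulent certificates (Subject
// "Microsoft Corporation", valid from Jan 30, 2001) that the CA has since revoked.
// Every key and name is generated here; nothing comes from VeriSign or Microsoft.
type demoPKI struct{ ca, genuine, fraudulent *x509.Certificate; crlDER []byte }
func buildDemoPKI() *demoPKI {
	caKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Demo Code Signing CA"},
		NotBefore:             time.Date(2000, 1, 1, 0, 0, 0, 0, time.UTC),
		NotAfter:              time.Now().Add(48 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	// Parse the DER back: the parsed copy carries the SubjectKeyId that the CRL issuer needs.
	ca := must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey))))
	genuine := issueCodeSigner(ca, caKey, 1001, "Demo Software Vendor", time.Now().Add(-time.Hour))
	fraudulent := issueCodeSigner(ca, caKey, 1002, "Microsoft Corporation", time.Date(2001, time.January, 30, 0, 0, 0, 0, time.UTC))
	crlTmpl := &x509.RevocationList{
		Number:              big.NewInt(1),
		ThisUpdate:          time.Now().Add(-time.Minute),
		NextUpdate:          time.Now().Add(24 * time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: fraudulent.SerialNumber, RevocationTime: time.Now().Add(-time.Minute)}},
	}
	crlDER := must(x509.CreateRevocationList(rand.Reader, crlTmpl, ca, caKey))
	return &demoPKI{ca: ca, genuine: genuine, fraudulent: fraudulent, crlDER: crlDER}
}

// VerifyCodeSigner is the check the comments say Authenticode lacked: validate the chain
// for the code-signing EKU, then consult a signed, fresh CRL for the leaf's serial number.
func VerifyCodeSigner(leaf, root *x509.Certificate, crlDER []byte) error {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	if _, err := leaf.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}}); err != nil {
		return fmt.Errorf("chain validation: %w", err)
	}
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return fmt.Errorf("crl parse: %w", err)
	}
	if err := crl.CheckSignatureFrom(root); err != nil {
		return fmt.Errorf("crl signature: %w", err)
	}
	if time.Now().After(crl.NextUpdate) { // a stale list fails closed, not open
		return errors.New("crl is past NextUpdate; refusing to trust a stale list")
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(leaf.SerialNumber) == 0 {
			return fmt.Errorf("%w: serial %v, revoked %s", ErrRevoked, leaf.SerialNumber, rc.RevocationTime.Format(time.RFC3339))
		}
	}
	return nil
}

func main() {
	pki := buildDemoPKI()
	fmt.Println("genuine:", VerifyCodeSigner(pki.genuine, pki.ca, pki.crlDER), "| fraudulent:", VerifyCodeSigner(pki.fraudulent, pki.ca, pki.crlDER))
}
```

The same function would serve an OCSP-style check by swapping the CRL lookup for a responder query; the chain, signature and freshness steps stay the same.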

  9. I am not a lawyer, but ... on Secure Shell Will Remain 'SSH' · · Score: 3
    Ob. Disclaimer, I am not a lawyer. I just get pestered about this issue by our lawyers.

    I would see two possible barriers to an attempt to recapture the use of the SSH trademark.

    The first is that it appears that the trademark holder gave an explicit license to use the term SSH for independent implementations of the software.

    The evidence for this includes (1) the original program documentation and (2) the IP submission to the IETF.

    The other track would be dilution. SSH communications did not take steps to protect their trademark. In fact they took positive steps to encourage the use of the name 'ssh' as a generic term to refer to a secure shell. These steps included submitting standards proposals to the IETF that used the name SSH.

    The purpose of the dilution clause in trademark law is expressly to prevent companies from locking competitors out of a market by first encouraging them to use a term, then restricting its use. The problem with the SSH corp behavior is that it appears to fit exactly that pattern.

    That is not to say that the SSH folk were necessarily doing anything calculated in advance. The project started off as an open source hobbyist type hack. Then it became an income for the developer, then a company. Problem with a company is that you have to meet payroll each month, you have responsibilities to your employees and shareholders.

    The lesson for open source projects is that they need to be careful about the names they use and make sure they establish their own brand independent of the 'open' generic brand.

    These issues were almost certainly raised at the IETF meeting and the IETF has no shortage of competent legal advice when it needs it. If the SSH people wanted to make a fight of it then they would have to go to the IESG in any case.

  10. Real need is a Geekpliance on 3Com Drops Internet Appliances · · Score: 1
    All the flaming of 3Com for the lame product misses the point that you are not the target market for internet appliances if you read slashdot. Unfortunately for 3Com though the type of person who pays early adopter prices for kool gadgets is a slashdot reader type.

    OK so 3Com was doomed from the start. What should they have built?

    I think there is a market out there for a 'Geekpliance' built on a WiFi (802.11b) enabled cpu, some memory and some I/O, specifically audio in/out, vga display and USB. It should be possible to plug in a cheap (read IDE) drive of choice and memory.

    Now this can be had in many motherboard stores, but I also want the thing to fit in a case that looks good. I don't want it to look like I have a cheap PC.

    Something that I could program to work like a Tivo but without the ability to upgrade to the hard drive size of my choice and to use free TV listings from the web rather than the tivo service.

    Also something I can program to download and play stuff from the house media server on demand.

    A laptop motherboard might be a good start. But they tend to get very hot in operation and I don't want the expense of an LCD display - it won't be used.

  11. Re:This is an opportunity! on Report On The Texas Censorware Bill · · Score: 1
    This amounts to social engineering and forced propaganda, a recurring theme for liberals. Since you don't seem to understand the purpose of this bill, perhaps I can enlighten you:

    Unfortunately even with your handle I have to assume you are serious and not just trolling. You might be simply emulating a southern conservative ideologue but there are plenty that have the same warped mindset.

    I think it should be quite obvious that nobody would ever want to use the censorship scheme I proposed other than 1) as a joke or 2) to meet the forced propaganda goals of the bill.

    NB: key propaganda technique being used by troll, projection. The bill is forced censorship, this is projected onto the 'liberals' who are accused of attempting "forced propaganda".

    Pornography has many beneficial social effects. It changes social values. In the 19th century women were treated as chattels in European society, arranged marriages were very common as any reader of the fiction of the time knows. Knowledge of contraception was censored by the state - Comstock's main objective was suppressing birth control information.

    The spread of material called 'pornography' by its detractors has had major beneficial social effects in the west. I hope that over the coming years the Web will spread 'pornography' to countries such as Iran, India, Sudan and in due course Afghanistan where the position of women is distinctly unequal.

    Denying means of control to the mullahs, priests and other clerics who would use religion as an excuse for political power is the reason why the web must remain censorship free.

    This is the reason why feminists in the 1950s were active in their support of Pornography, Simone de Beauvoir's famous essay 'must we burn de Sade' being a seminal text.

    On a closing note, I am offended by the idea of casting Larry Flint or a Penthouse concubine as role models. Please think before you post.

    That is the point. I am quite honestly offended by the idea of Pat Robertson or George Bush as a role model. Pat Robertson claims to speak with divine authority, I consider that to be blasphemy. I do not believe that Christ was a bigot. George Bush's handling of the Texas death penalty demonstrates a callous and politically ambitious dereliction of duty.

    I honestly believe that there is a need to protect children from the bigotry of the religious right. I don't want my child to be reading the racist propaganda or Southern Partisan or the homophobic bigotry of the Christian Coalition until he is at least 12 and knows enough to know better.

  12. When, not if. on Is The Semantic Web A Pipe Dream? · · Score: 1
    I see the semantic Web as a matter of When and not 'if'. I have been working on the Web since 1992 when I joined Tim at CERN to work on the Web. That is nine years ago folks. The full semantic Web could take as long again, perhaps twenty.

    Worst thing that happened to the Web was the false expectations set by 'internet time'.

    If on the other hand people want to look at a real world application of an assertion scheme see my work on XTASS, follow the links through to XTASS. What we are planning to do is to apply assertion markup to address real world, near term business problems.

    The Security Technical Committee of OASIS is performing work that uses a lot of the XTASS specification. If I wasn't flaming on Slashdot now I would be writing the specification. The OASIS group is meant to be handing in a deliverable by July (yes really), now it may be late 2002 before Security Assertion Markup Language is a reality but there is major momentum behind it.

    What Tim and Ralf are working on is basic research. They have a lot of flexibility, they can fail for example. What I am working on is solving real problems for an early adopter community.

    If we get enough early adopter communities together we might see a more general semantic framework by mid decade. I suspect that this will require some additional work on the natural language problem as a means of filling out the initial RDF frames and on the collaboration problem as a means of refining them.

    I helped to put together the coalition that established critical mass for the Web. I think that there is a good chance we can do a repeat here. OK so the semantic web is a vastly harder business than the document web. However when we got the Web off the ground Tim could not get a paper published as a poster at the hypertext conferences, now he is the keynote speaker.

    The point about the 'web' in semantic web is key. I think that the problem with many ontology programs was that they started from the concept of a central server.

    Also the use of the word 'ontology' is bogus. What is being talked about is not an ontology it is a vocabulary of shared terms and not a system of being. The confusion comes from misreadings of Heidegger. What we need is not an Ontology but an intersubjective shared vocabulary, folk need to read Habermas (and then explain it to me please:-).

    If people thought the semantic web was possible it would not be worth doing.

  13. This is an opportunity! on Report On The Texas Censorware Bill · · Score: 1
    First off what does this bill do if passed (unlikely) and upheld by the supreme court (like they can be trusted)?

    Bill Gates would obviously have to buy a censorware company and include it in windows. In the process he would put all the other censorware companies out of business. Sounds like a positive result to me.

    Second there would be an immediate need for an open source censorware initiative to protect children from the types of Internet site that would corrupt them. First on my list would be the Republican Party, "Christian" Coalition and Eagle Forum sites.

    But open source censorware could be so much more than simple filtering, it could enforce a balanced view of the world.

    Kids attempting to view the NRA homepage would get a split screen, NRA propaganda in one window and pictures of kids killed in gun accidents, cops being killed etc. in the other.

    Anyone visiting the Pentagon would be shown their choice of either hippie videos or the UN report on the effect of sanctions on civilians in Iraq.

    Anyone visiting the FBI would be shown balancing material from the RAND corporation on why the war on drugs is a colossal failure.

    Anyone visiting the home page of Nike corporation would see a web cam of their sweatshops in the third world.

    Anyone visiting the Whitehouse would see a Webcam of the chads being examined in Florida.

    As you can see the opportunities for censorware are not limited to ultra-right texas loonies. The censorship/balance list would be drawn up by an impartial panel consisting of Noam Chomsky, Ralph Nader, Wendy McElroy, Nadine Strossen, Susie Bright, Larry Flint, the current Penthouse Pet of the Month and myself.

    Any media whore wanting to write the filter as a hack could probably do the code in Perl in a couple of days using Apache as a proxy filter. The filter list could be compiled from suggestions to a Web site, Stalinist denunciation mode, anyone can denounce anyone for any reason and they are considered guilty with no chance of reprieve.

  14. Re:MS's version? on Game Boy Advance Arrives · · Score: 2
    I can't see why Microsoft would produce a handheld game unit separate from their PocketPC line.

    I give the game boy max this generation. After that the handheld platform will be a $50 convergence of Palm meets Blackberry meets gameboy.

    Oh I forgot it will play MP3! if the game boy does not they are lusers

    First thing that hit me when I read the PocketPC specs was the audio input and output.

    What would be ultra mega cool would be a device like my Archos 6Gb MP3 player with an o/s and display.

    WiFi internet connectivity would be cool as well. Then you could play games at the back of a lecture hall.

    Sorry, I just can't get excited about carrying another gadget around with me. Already I have a RIM pager, Palm VII, Cell Phone, Archos Mp3 jukebox - not to mention the DVD theatre. Now it occurs to me that one of the new Sony Vaios would be smaller than that lot. And it would play games that would kick ass compared to the Gameboy (as cartman would say.)

  15. Re:Inflated damage numbers on The Honeynet Project Has A Winner · · Score: 1
    Oh wait, you weren't advocating that? I would hate to create a Straw Man Argument.

    It is not an uncommon argument in the cracker sub-culture.

    Until a couple of years ago it would appear regularly in print as a journalist wrote up a story on the basis of an interview with a cracker group.

    These pieces were notable for their complete lack of balance, the journalists would never contact a security professional such as myself to give the other side and describe the effect that the attacks have.

    Another cracker conceit the pieces were noted for is the idea that security consultants are all former crackers - most of us are not. In fact a security consultancy firm will almost certainly do background checks and refuse to hire anyone with a cracking conviction.

    It has taken several years and a lot of work with the media to demolish the false image that crackers have been allowed to project.

  16. Re:Inflated damage numbers on The Honeynet Project Has A Winner · · Score: 1
    Absolutely. Their expense, not the intruder's.

    Given the number of people who go to jail for cracking I can't think of anyone who got a raw deal. It is pretty rare for someone to go to jail for a first offense.

    There is certainly a problem with political prosecutors looking to goose their poll numbers for re-election by inflating the damage caused.

    The only multi-year sentence that I can recall offhand was for Mitnick and he got several warnings. His sentence did not strike me as steep compared to what people who are convicted of house breaking a third time get.

    Given the number of people on sentences of 20 years to life for minor drugs charges under the 'war on drugs' I don't think that crackers get a raw deal.

    I don't think that a 10 year sentence would be unfair for someone writing a highly destructive virus.

  17. Re:Not an HTTP header on Earthlink's Extra HTTP Header · · Score: 1
    The tag at issue is:

    User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows NT) ::ELNSB50::0000811505000400029802c3000000000505000b00000000

    Now the User-Agent field has been widely abused and was never intended to be used for reporting browser features. However it is not such an illogical place to put the data given subsequent usage.

    A better approach would be to actually add an X-header to convery the information directly and to write an internet draft and submit it to the IETF.

  18. Re:Inflated damage numbers on The Honeynet Project Has A Winner · · Score: 1
    So if someone steals a packet of M&Ms from the local grocery store, and the grocery store conducts a full review and decides to hire a $20/hour security guard, spend $1500 installing cameras and a closet-circuit TV system, and install a checkpoint at the candy aisle, that shoplifter caused tens of thousands of dollars worth of damage?

    If someone breaks into a candy store with a large jar of cyanide and a syringe then it is pretty logical to infer that he may have poisoned one of the packets of candy and that therefore the entire stock has to be destroyed.

    I don't accept that crackers are performing a social service. If someone wants their security analysed they can ask someone.

    If someone breaks into someone else's site and gets caught then they deserve what they get. Nobody forces people to go cracking. If you can't do the time don't do the crime.

    In any case it certainly takes more than 30 minutes to do a complete installation of any operating system from scratch on a main server and restore all the facilities to full working order. It may be possible to return a dumb client machine quickly but rebuilding a server takes time. At $2K per day consulting rates that is a non-trivial amount of cash.

  19. Conclusions about operating systems generaly wrong on The Honeynet Project Has A Winner · · Score: 4
    One of the depressing end results of these projects is that they tend to come down to people making statements like 'we proved system x to be better than y' as if this was a soap powder comparison test.

    Unfortunately in the real world security is much trickier. Simply installing system X does not necessarily mean you get the better security. Configuration is everything.

    Quite often it comes down to did the guy who installed the O/S know what they were doing. More often it comes down to did the person coming after him screw it up?

    Windows NT can be reliably and securely configured, however you really have to watch out for keeping up with the latest Microsoft patches.

    Unix can be reliably secured, particularly if you don't install sendmail which was the root of 30% of CERT reports a few years back.

    Unfortunately no mainstream O/S ships designed to be secure out of the box, and those that do tend to be military O/S which are practically unusable.

    Here comes the catch with UNIX security, to secure a UNIX system I take off every package and every service that I don't absolutely need. I'm not talking about removing finger from the inetd, I am talking about removing the binary for finger, ftp, rlogin, telnet and every other executable file that is not critical for the system to run - if possible including X-Windows and emacs.

    Now the result is secure but by the time I am finished the 'UNIX' I have left has no resemblance to a machine most folk would want to use. If you put back the executables I have taken out then you are back to roughly the same degree of exposure as Windows NT.

    Another problem is that 'security' standards for operating systems are all pre-net. Even the common criteria which were meant to be the latest and greatest appear to be written by someone who thinks that the problem is preventing access conflicts on multi-user machines. Unfortunately while that is an interesting problem it has nothing to do with today's problems of securing networks. Is a server in a client/server configuration a single or a multi user machine?

    More interesting than the statistics for which machines got hacked first would be the description of the attack strategies employed.

    What I would like to see is a return to the type of security we used to have in operating systems like VMS where processes could be given specific privilege levels. I would like to prohibit the process displaying my email from doing anything other than drawing to the display visual - no taking a look at my address book, no sending off emails to anyone else.

  20. Re:like you said on Bush Won't Be "The Online President" · · Score: 1
    I note that you don't put your name to your post. It is interesting that you have to start talking about the red army and other paranoid fantasies rather than admit the possibility that Clinton-Gore were trying to do something worth supporting. I can't respond to the substance of your post because it is about as incoherent as an unscripted speech by George W.

    When Newt Gingrich attempted to do the same thing as Gore in the house he was only partly successful. He did manage to get the web site up and did manage to force most of the house data onto it. However that was not a trivial fight for him and he spent a significant amount of political capital in the process. I don't think it is unreasonable to ascribe the same motives to Bush that Gingrich himself complained were the cause of the congressional web server being limited in scope.

    The senate story was that almost nothing has been done. The senate committee chairs resisted anything that might inform the US people about the legislation in progress. There was bipartisan support for making the workings of the senate as obscure as possible to the US people.

    Bush has already ordered a civil servant fired for putting unauthorized information onto government web servers. A naturalist studying bird migration put up a number of maps showing wildlife movements. The one showing the places the caribou raise their young in the Arctic Wildlife Refuge showed caribou in the places earmarked for drilling so they fired him.

    http://www.latimes.com/news/nation/20010315/t000022700.html

  21. Re:The issue is denying accountability on Bush Won't Be "The Online President" · · Score: 1
    ooooooo....the Clintons were putting press releases on the internet in '92. Is that so? How did you find it? Archie? Gopher? back in them days putting it "on the internet" was as good as hiding it....

    Personally I used the Web. However the press releases were distributed through NNTP which had close to half a million users at the time.

    I got Gore's support for the Web early on when we had very few sites and fewer users, in large measure because he wanted to publish government information to make it generally available.

  22. Web Designer Control Freak Nazis on Earthlink's Extra HTTP Header · · Score: 1
    I have not come across sites that insist on browsing full screen, however there are many that attempt to. I am really fed up with Web Designers who are control freaks and attempt to dictate how I surf.

    A lot of the blame must go to javascript for allowing the web designers too much control. My pet peeve is that a web page can turn off MY toolbars. Cut it out - they are there for MY benefit, they don't concern you Mr Web designer weenie.

    Javascript should definitely be enabled on a site by site basis only. I would enable it for my home banking, stock broker and a handful of others.

    Also lame is the use of 'mouse trapping' that attempts to stop me from using the back button to get out of a site. Again it is a browser design flaw. I don't give diddly for the control freak who designed the page's intentions. The buttons on my browser should be under my control at all times.

    Unfortunately Netscape imposed javascript on the Web in the days when they were very anti-open standards. They liked an 'open standard' if they got their own way but nobody not at Netscape got to comment before it was a fait accompli.

    Another real problem is people who try to dictate the font size. I have a 100dpi LCD panel display. Large areas of the CNN.com site insist on being displayed in what I see as a 6pt font.

    Part of the problem is the lame table width tag. Originally it was meant to be in %width of the screen and ems - the unit from Knuth's TeX being the width of a lower case letter m in the current font. Using font relative sizes works real well. Unfortunately Eric did pixel points which don't work at all well. In the near future 150dpi screens will be commonplace.

    Mind you, the Microsoft IE team could have fixed the problem by allowing the user to configure the 'pixel size'. Rather than choosing the default font size the browser should give a choice more like magnification.

    I make no apologies for using IE by the way, Microsoft did not try to screw me over personally, Netscape did.

  23. Re:You are all missing the real surfing tracker: S on Earthlink's Extra HTTP Header · · Score: 1
    Since all https certificates come from and are checked against Verisign, then Verisign could theoretically track who is going to what SSL site.

    Bzzt, wrong, untrue. Go read the protocol before making such claims.

    Once a certificate is issued VeriSign is not involved in its use. That is why the certificate is digitally signed.

    If you turn on CRL checking then your browser will download the VeriSign CRL however that has the serial number of every cert VeriSign has revoked (it is a big file).

  24. Could have published the spec first on Earthlink's Extra HTTP Header · · Score: 2
    I see a number of problems with the earthlink approach

    1. Notification

    I think Earthlink should have published the spec in advance, if for no other reason than to protect their shareholders from privacy scares. Earthlink has invested millions in its 'serf at AOL' campaign. They need to protect their pro-geek branding.

    Another reason for publishing is so people can make use of the tag.

    2. Standards Approach

    As one of the original designers of HTTP the tag as specified sucks. It is fixed field after fixed field, no extensibility. I think that the idea is fine, but the syntax chosen is not.

    First off a non-standard header should have an X- prefix.

    Secondly, the scheme does not work for text to voice displays, or for that matter very high definition displays (>100dpi) that are on the horizon. It would be handy to be able to give the monitor size and also the gamma. These are all real needs for real people today, and will be mainstream in a couple of years.

    Now there have been folk who have created similar schemes from time to time, none has taken off due to apathy at Netscape and Mr Softy. But that is no real excuse for earthlink. If they don't like the schemes on offer they might at least state why.
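A defender-side counterpart to comments 17 and 24, as an added example that is neither Earthlink's code nor the commenter's: a small `net/http` middleware for a privacy-preserving proxy or origin server that recognises the `::ELNSB50::` marker quoted above, separates the real browser identification from the appended token, and drops the token before the wrapped handler or its access log can record it. The header value is a constructed copy of the one quoted in the comment; the `X-Tracking-Token-Stripped` response header is a hypothetical name chosen here so the scrub is observable.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// earthlinkMarker is the fixed prefix of the token quoted in the comments above;
// the token runs from the marker to the end of the User-Agent value.
const earthlinkMarker = "::ELNSB50::"

// sampleUA is a constructed copy of the header value quoted in the comments.
const sampleUA = "Mozilla/4.0 (compatible; MSIE 5.0; Windows NT) ::ELNSB50::0000811505000400029802c3000000000505000b00000000"

// SplitUserAgent separates the browser identification from the appended
// Earthlink token. token is "" when the marker is absent.
func SplitUserAgent(ua string) (browser, token string) {
	i := strings.Index(ua, earthlinkMarker)
	if i < 0 {
		return ua, ""
	}
	return strings.TrimRight(ua[:i], " "), ua[i:]
}

// StripTrackingToken is middleware for a privacy-preserving proxy or origin
// server: the token is removed before the wrapped handler (or any access log
// it writes) can see it. The hypothetical X-Tracking-Token-Stripped response
// header makes the scrub observable for tests and monitoring.
func StripTrackingToken(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		browser, token := SplitUserAgent(r.UserAgent())
		if token != "" {
			r.Header.Set("User-Agent", browser)
			w.Header().Set("X-Tracking-Token-Stripped", "1")
		}
		next.ServeHTTP(w, r)
	})
}

// seenByOrigin pushes one request through the middleware and reports the
// User-Agent the wrapped handler observed and whether a scrub was flagged.
func seenByOrigin(ua string) (string, bool) {
	var got string
	h := StripTrackingToken(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		got = r.UserAgent()
	}))
	req := httptest.NewRequest(http.MethodGet, "http://example.test/", nil)
	req.Header.Set("User-Agent", ua)
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return got, rec.Header().Get("X-Tracking-Token-Stripped") == "1"
}

func main() {
	ua, stripped := seenByOrigin(sampleUA)
	fmt.Printf("origin saw %q (stripped=%v)\n", ua, stripped)
}
```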

  25. Re:ProjectMayo not GPL'd on DivX;), The MPAA, The Future And The Past · · Score: 1
    To the best of anyone's knowledge, MPEG-4 isn't patented in any way to stop free development. I'm pretty sure they wouldn't have been given any code from MoMuSys, and wouldn't have $100m in backing if this project was violating patent laws.

    oh yes, like the mp3.com folk who carefully researched the legality of Beamit? Napster has no shortage of VC money despite a 50:50 chance of lawsuit survival at best. The fact that someone bets money on an Internet does not mean that it is not going to disappear faster than you can say pets.com.

    When it comes to software I would much rather pay for something up front than end up with someone else's idea of 'free' that has me involved in giving my time or money in support of their business plan.

    A codec that sticks ads in front of each clip is no use to me as part of a video editing suite.

    Incidentally, the use of TM after DiviX has no particular legal significance. All it means is that they intend to apply for a trademark. Given that Circuit City will certainly have got one already putting TM after Divix means squiddly. The fact that they clearly are using someone else's trademark does not give me confidence that they have done due diligence on the patents. Hoping that people have without checking is a sure road to grief.