So wait a minute. You're suggesting that despite the fact that this memo allegedly written in 1972/73 includes proportional letterspacing (very rare at the time), a font that didn't exist at that time and kerning which was mechanically impossible for a typewriter or desktop typesetting system of that era, it's not forged because the superscript in the screen-shot is two points off of the superscript in the PDF?
I see no evidence of Kerning. The spacing looks to me like it is typewritten, not computer typeset.
Having a key for superscript th was certainly not uncommon, having a proportional printing typewriter was not uncommon either, the IBM Executive model had proportional fonts in 1941.
A Lt Colonel is a pretty high rank, they get to have a few office toys. I would not expect a fancy typewriter in the typing pool, but in a senior officer's private office, hell yes. Also I would expect the notes to be either dictated or for the officer to tell the clerk roughly what he wanted and leave the clerk to do all the tedious looking up order numbers etc then hand him a stack of stuff to sign all at once. The signature looks exactly like what you get when you do that.
It will be pretty easy to check this, the Bushies can just release the microfiche and all questions would be answered. Instead they resist release of the microfiche which can only be because there is something damaging there.
It is an established fact that Bush did not show up for his medical, nobody disputes this. If a pilot fails to take their medical it is a big big deal, the senior officer could well be expected to explain why he allowed an expensively trained officer to walk away. Ordering Bush to take the medical is exactly what you would expect his commanding officer to do.
Correction: 1000 U.S. citizens have died. The number of Iraqi civillians is over 11,000 by LOW estimates. If you add in Iraqi soldiers, and you've got a total body count around 17,000, again, by low estimates.
This is for their benefit. so they should not complain about ending up somewhat dead or tortured.
Oops, just remembered, its not for their benefit, its for the benefit of Haliburton.
Re:And this is an issue because?
on
Open the Debates
·
· Score: 1
You're an idiot,
You sound like a Republican.
you have the percentages wrong
Who cares if the figure is 5% or 15%? We both know that Nader is not going to get 5%. Its like arguing whether the atlantic is 500 miles or 3500 miles across, you still ain't going to swim across it.
The LAST thing you want is the candidates able to completely dictate the information given to the american public. You WANT the candidates to be asked questions they don't want to answer!!
It works well enough in court rooms, have each side ask the questions that the other one does not want to hear.
Of course Dufus is too cowardly to even do a Town Hall style of debate unless it is in front of one of his audiences who have taken a personal loyalty oath so I don't think that he would want to take questions from Kerry.
I have negative thoughts about removing the the keyboard. I always thought that was a huge plus. Remember, a majority of Blackberry users are the suits who could care less about the technology and just want to do nothing more then send and recieve their corporate email and have the ability to read attachments.
On the contrary, they care very much about the technology. They want a keyboard, a real keyboard, not a cell phone number pad.
I hate number pad schemes and I really, realy loathe anything that is 'predictive'. What that means is that I will not be able to predict the machine's idiotic guess about what I intended.
I have a RIM with the GOOD software on it. I am not going to be replacing it with this phone, no way. If I want a point and poke scheme then I will use my motorola cell phone. The RIM software is in any case sub-standard when it comes to exchange integration. With Good I get full synchronization of every folder, including calendar and contacts.
RIM and Palm both make the same mistake, they think it is acceptable to have to sync the handheld to the main system.
Well said. He is also doing spectacular work of making the people of the USA look like apathetic dimwits for electing him and putting up with it.
He is embarrassing your country on the world stage.
As a point of fact he isn't embarrasing my country. We have that Tony Blair chap.
Getting rid of the electoral college system would require a constitutional amendment. And if you're going to fix it, fix it right, and put in an Approval Voting system. That would put third party candidates in the same boat as candidates from any other party. It would eliminate the concepts of the wasted vote and the spoiler.
That would be a good move, it would certainly be good for the Democrats. I suspect that most green and more than half the libertarian votes would move to them on second preferences. At least until the Republicans jettionsed the Religious Reich and Ashcroftism.
But there would still have to be some ballot qualification if the ballot was not going to look even more idiotic as the California gubnatorial one.
I doubt that Nader would run in that scheme. The only reason he gets attention is as a spoiler. The greens would not want him, he does not support their agenda.
This is just one big ego trip for Ralph. He has made his millions and he is going to be alright even if Bush is elected or re-selected.
Re:And this is an issue because?
on
Open the Debates
·
· Score: 1
It's not 5%, it is 15%! Which would exclude Perot in both 92 and 96, and Anderson. Anderson is on the board of the CDC, FWIW.
None of the independent parties is even at 5%, and 15% sounds more than reasonable. To win you need 50%. 5% to 50% means increasing your support ten fold.
And it also means your tax dollars go to candidates (which IS a 5% barrier) whom you're not allowed to hear in the debates.
Sure I can hear them if I want, that is what CSPAN is for. Nader gets to rant as much as he likes there. What you are objecting to is that I have the choice to ignore them because they don't get the advantage of a network block out.
]]This sort of thing always makes me roll my eyes, and I'm a Kerry supporter.
Same for everybody else.
The point of this attack is to shut down the Swift Boat Liars. Kerry is demonstrating that he will respond when attacked, not sit there and take it as previous victims of Bush smear campaigns have done - Dukakis & Gore.
Bush is going to try to keep up the smears and negative attaqck ads because that is absolutely all he has. He cannot mention any domestic policy success or anything that would normally be considered a foreign policy success. Starting wars is easy, finishing them is hard.
Bush clearly does not have what it takes to get us out of the quagmire he drove us into. Worse still he is intent on driving into more.
The problem with pre-emptive response is that once you have your military committed that is it, you cannot do anything more. So now that the US is firmly in the swamp of iraq everyone else, Iran, North Korea, Saudi Arabia, they all know that there is nothing more that the US can do.
Re:And this is an issue because?
on
Open the Debates
·
· Score: 2, Insightful
The Democratic primary debates were hopeless. Only five candisates stood any chance of winning the nomination but instead of hearing from them we have to hear from Al Sharpton and co.
If the minor party candidates want to have a debate then let them. I am sure that CSPAN will cover it and anyone who is interested will watch. But just because Ralph Nader wants to talk to us does not mean that people are interested in listening.
There have been serious third party candidates in the debates. The 5% bar is hardly onerous or unreasonable. Anderson and Ross Perot both managed to qualify and were present in the debates.
What is a much bigger issue is who gets to choose the questions. In a true debate the candidates would face off against each other. Instead the US media insists that it get to ask the questions. It would make much more sense to have the candidates question each other.
If left to its own devices the media will only ask Kerry questions about his service in Vietnam and Bush questions about the Texas Air National Guard. The economy, iraq, health care, education, forget those they won't come up.
Speaking as a person who usually votes "left"
Michael Moore has become known for this junk.. He alters text and then displays it like it was an original document. He edits together people's words.
Michael Moore is the Rush Limbaugh of the left, he is sloppy and his politics are often infantile - he was a Naderite in 2000, he helped elect Bush.
If you want good journalism then don't go to Rush Limbaugh, Commander Taco or Michael Moore, they all have their axes to grind. Don't go to Fox News, best still avoid the US "news" altogether, try the UK press, the Economist, Guardian, Times, BBC, Independent, Financial Times will all give a much better view of US politics than pretty much any US journalism.
Moore is simply giving the right a taste of what Fox News has done for years and to a far lesser degree.
Moore is not good journalism, he is not even particularly great as a propagandist, but he does not practice the absolutely deliberate distortions that Fox, Limbaugh, Swift Boat Veterans for Bush, etc. peddle.
Sure it would be good if US citizens actually learned to think for themselves. Since they refuse to people lime Limbaugh, Moore and Murdoch will do their thinking for them.
That is why Bush is at arround 50% in the polls instead of 15% which isw where you would expect a President whose economic plan is an utter failure, who has increased federal govt. spending more than either Carter or Clinton, who has lost millions of jobs, has stopped trying to catch Bin Laden and has instead started a $200 billion plus 1000 dead war of choice.
Bush is not a conservative, he is a complete incompetent.
Not a surprise really. Oxford University recently announced that Beaker will be delivering the inaugural lecture for this year's Department of Biochemistry Distinguished Lecture Series. Rumor has it he will address "Neuro-imaging and Neuropathological Studies of Mood Disorders in Primates."
Beaker has not spoken at Oxford, but I did see Kermit the Frog speaking at the Oxford Union.
P?=NP refers to the asymptotic complexity as the problem. i.e. as the input size goes to infinity. It quite possible to have a problem whos complexity is approximately linear at the 100-1000-bit range and still NP-Complete. Conversely, it's possible to have a p-time algorithm for solving a problem that has a O(n^100) so it's still difficult to solve. While resolving P?=NP might bring new tricks to the table it's difficult to legislate for these tricks. There might not even be any we don't already know.
Early on people tried to create public key algorithms out of known NP complete knapsack problems. They ended up with exactly this problem, most NP complete problems have subsets that are way simpler. With cryptography you want a problem that is predictably difficult to break.
Factorization is not an NP complete problem, a solution to the travelling salesman problem will not solve factorization. [BTW the gender is intentional, the reason the salesman is visiting the cities in the first place is he has a mistress in each town]
When you get to something like a block cipher the difficulty is not even characterisable in terms of a single dimension. You have the number of bits of key, the number of rounds, etc. etc. The exponential difficulty in the length of the key is the consequence of the number of rounds, the mixing caused by the interchange function etc. etc.
Re:One of the unfortunate things about Apache...
on
Hardening Apache
·
· Score: 1
In "Apache: The Definitive Guide", Ben and Peter Laurie suggest a way to learn how to build an Apache config file - start with a blank file, and start Apache. Oops, it won't start. OK, so what's it missing? Check the log files. It needs a User directive - OK, add that. Try to start. Hm, it started, but where do I put my HTML? Ah, add a DocumentRoot. And so forth.
That is a good start, but also make sure you start from a completely blank file tree, delete all the default cgi scripts etc. A lot of exploits in Apache and IIS have the same cause - holes in the demo scripts that the installer never even knew had been enabled.
The configuration point is a very good one. It is all very well for folk to go flaming on about how great Linux and Apache are and then go run four year old distributions with no security patches. It only takes one hole for an attacker to get through. Apache and IIS both have enough holes found each year to make running an unpatched out of date distribution risky. The absolute number of bugs found is only really relevant if it is indicative of the probability of a zero day attack being found, in this case the higher number of IIS bugs found seems to be mostly due to more lines of code and more people actively reviewing them.
In the old orange book world there was a requirement for an O/S to come with a security guide in order to get any level of accreditation. Linux today would still flunk C level accreditation because the security information is not brought together in one single comprehensive guide.
Orange book is way out dated, but the requirement to document secure configuration is still relevant, it was by far the most useful requirement.
Why not generate hashes that use both SHA-1 and MD5. The combined result would be that more unique.
SSL does this. It is not a very good idea.
The problem is that MD5 and SHA-1 are both variations of MD4. Each one has an extra cycle. SHA-1 has in addition a mysterious expansion function that blocks many attacks and has five chaining variables rather than four. But at root there is no real difference. Both use the exact same functions for the transformation.
There would be slightly more point to using SHA-1 with a hash algorithm with an entirely different construction mechanism. But even then the keying mechanism is not very satisfactory.
And too bad that ECC is a) not provably secure and b) is rumored to have been broken already.
And according to Denis Hastert George Soros is 'rumoured' to be a drugs dealler, Brittney Spears is rumoured to be a virgin and George W. Bush is 'rumoured' to have been an AWOL coke head during Vietnam, not a sissy getting three purple hearts.
Some forms of ECC have been 'broken', Len Adlemann (A of RSA) showed that ECC in dimensions higher than 2 was no more secure. He has been working on some further attacks and thinks that ECC as a whole might be vulnerable.
I don't like ECC for two reasons. The first is that ECC is a very new field of mathematics, new results come regularly. It is entirely possible that someone would find an efficient means of transforming ECC problems into discrete math problems and come up with a solution.
The other reason is that ECC is patented up the wazoo. The most efficient ways of using ECC are patented and if you can't use them there is no efficiency advantage over RSA in a discrete field so why bother?
The hash algorithm thing is massively overblown. MD5 was already toast. SHA1 was due to be withdrawn in 2010 in any case and has already been superceded by SHA-256 and SHA-512. New versions of DSA for the larger hash sizes are also due.
It remains to be seen whether the construction of SHA-256 needs to be adjusted in the light of the MD5 results. It may well be that it shares the same vulnerability as SHA-1 and we should forget about the new hash functions and move straight to something else. Alternatively all might be right with the world. We do not know yet.
A lot of people are suggesting a competition similar to the AES competition for a new digest algorithm. There is already something underway for stream ciphers. This seems like a good plan, not least since the cryptographers seemed to have fun with the last one.
As satisfying as it would be for IBM to buy SCO and give the execs 10 minutes to clean out their offices, I believe the reason they have resisted doing this so far is because it would create an enormous incentive for every failing technology company to try the same thing.
One of the SCO contracts with their lawyers reportedly has a provision that means that the lawyers get paid in the case of a change of ownership of SCO.
What interests me is what happens with any appeals. If SCO has been bled dry will they continue on to the bitter end or call it quits after the summary judgement?
Ok seriously there are too many hyperlinks. Which one is the article. You don't need to hyperlink every single word to get your point across!
I wish that people who link to an article would not link to the publisher as well. If its an article on CNN they will provide a link to their home page, ditto for anyone else.
Going to ECMA can mean many things. Sure it is patent friendly, but it is also a rubber stamp standards body. Thats why Netscape took Javascript aka ECMAscript there. Why bother spending years arguing with a bunch of bozos when the whole technology will be different by the time it is ready.
You can expect that not a single corporate player wants PGP used. That would mean a decentralized solution that doesn't really allow charging anyone any money.
At the IETF VeriSign argued for an email signature scheme which anyone could use for free.
CA services have value for a certain type of user, corporations, professionals etc. An individual does not get enough value out of them to make the cost of a cert worthwhile.
Better to have 5% of a market with a billion users than 100% of a market with a few million.
What about PGP is "difficult"?
its security for geeks, not real people. PGP was designed for use by people who were technically savy. Most people can't program their VCR.
And you think that the patent won't be granted?! You hold the USPTO in much too high regard.
Lets imagine the patent filing was Jan 2003. If Microsoft is lucky the examiner might start the exam by Jan 2005, but at the current load quite likely it would be 2006. By the time the prosecution is complete it could easily be 2008 or even 2009.
Chances that the USPTO is still being run by idiots then?
OK still high but there is a chance that Microsoft has created enough paranoia by then for Congress to be serious about reform.
This would allow user-level granularity and fix a vast number of problems with the existing schemes -- frankly SPF and Caller ID are nothing more than fairly bad authentication schemes, whereas GPG is mature, well tested, and strong.
Jon Callas, CTO of PGP is actually quite definite that Domain Keys and PGP need keeping appart. You do not want to dilute PGP by applying it at the domain level.
Meanwhile the Principal Scientist of VeriSign is making a similar argument, S/MIME is waaay over built for ordinary users, let alone PGP.
At this point the objective is to arrive at a widely deployed authentication scheme that everyone can support.
The email experts of the world are not onside, I'm sorry to say.
I have yet to see Vernon contribute anything positive in the IETF anti spam efforts. His approach has basically been to attack all ideas other than his own and troll for flamewars. At one point he was automatically reporting all posts made to the ASRG list from people he disagreed with to DCC as spam.
The only people Vernon was helping was the spammers. We have no need of his type of help.
It appears that the other person you are quoting as an expert is yourself or a relation.
The SPF/SenderID group understands exactly what it is doing. It is not making the claims you are asserting.
the same government that claimed a truck full of fertiliser blew up the murragh building in OKC when you can see from the debris field most of the building was blown outwards from the inside, the same government that halted the afghan war and flew out upwards of 6,000 taliban, then resumed the war, same government that claimed the abuses in iraqi prisons were just a few low level grunts, same government that claimed that a helium truck for weather balloons was a mobile bioweapons lab,
Nope, it was not the same government. The OKC bombing was during the Clinton Administration, the Afghan and Iraq wars took place under Bush.
As for the OKC bombing, the debris field looked exactly the way you would expect it to when you place a very, very large truck full of explosives in front of a building. There was a large roughly circular hole in the building with the plack McVeigh's truck was parked at dead center. The far wall stood up to the blast so you would expect the shock wave to bounce off the wall and push debris back out again.
Bush lied about the weather balloons sure, or to be strictly accurate he got Powell to lie for him, just like he has these swift boat perjurers to lie for him. We know what sort of character the man has, he smeared McCain, he smeared McClellan, he is smearing Kerry. But the truth of one conspiracy theory does not make all conspiracy theories true.
As to the phone taps, I have always assumed the government taps, opens mail, plants evidence, hides real evidence, etc, as much as they want to, and warrants and laws be damned.
Which is why procedures to make cryptographic assurance of data integrity are so important. Why do you think that PKI companies are involved in placing the taps? It is so that there a cast iron chain of evidence is possible.
Its bad when O.J. gets away with murdering his wife and a waiter. It is worse when people go to jail for the rest of their life or are executed for crimes they never committed. Having assurance that the evidence is sound is a good thing.
As far as terrorism goes, that is not the main area where wiretaps are useful, never has been. Several terrorist groups have come to grief when they used faulty codes. But even the best transport encryption does not conceal the most useful information - traffic analysis. Knowing who Mohamed Atta called in the six months prior to 9/11 was very useful.
What Al Qaeda are doing today is using pay as you go chips in cheap mobile phones. They discard these regularly, but not regularly enough. The whole 9/11 plot was done using a bizare mixture of sophistication and sloppiness. If as Clarke had urged W had put the country on full terrorism alert instead of going on vacation to cut brush there was a good chance of being lucky.
That is why Al Qaeda have been so quiet of late. They never did have many people and they lost a significant number in the 9/11 attack. They have also had defections after Bin Laden was heard joking about how some of the hijackers did not know it was a suicide mission.
Slashdot Mirror
I see no evidence of Kerning. The spacing looks to me like it is typewritten, not computer typeset.
Having a key for superscript th was certainly not uncommon, having a proportional printing typewriter was not uncommon either, the IBM Executive model had proportional fonts in 1941.
A Lt Colonel is a pretty high rank, they get to have a few office toys. I would not expect a fancy typewriter in the typing pool, but in a senior officer's private office, hell yes. Also I would expect the notes to be either dictated or for the officer to tell the clerk roughly what he wanted and leave the clerk to do all the tedious looking up order numbers etc then hand him a stack of stuff to sign all at once. The signature looks exactly like what you get when you do that.
It will be pretty easy to check this, the Bushies can just release the microfiche and all questions would be answered. Instead they resist release of the microfiche which can only be because there is something damaging there.
It is an established fact that Bush did not show up for his medical, nobody disputes this. If a pilot fails to take their medical it is a big big deal, the senior officer could well be expected to explain why he allowed an expensively trained officer to walk away. Ordering Bush to take the medical is exactly what you would expect his commanding officer to do.
This is for their benefit. so they should not complain about ending up somewhat dead or tortured.
Oops, just remembered, its not for their benefit, its for the benefit of Haliburton.
You sound like a Republican.
you have the percentages wrong
Who cares if the figure is 5% or 15%? We both know that Nader is not going to get 5%. Its like arguing whether the atlantic is 500 miles or 3500 miles across, you still ain't going to swim across it.
The LAST thing you want is the candidates able to completely dictate the information given to the american public. You WANT the candidates to be asked questions they don't want to answer!!
It works well enough in court rooms, have each side ask the questions that the other one does not want to hear.
Of course Dufus is too cowardly to even do a Town Hall style of debate unless it is in front of one of his audiences who have taken a personal loyalty oath so I don't think that he would want to take questions from Kerry.
On the contrary, they care very much about the technology. They want a keyboard, a real keyboard, not a cell phone number pad.
I hate number pad schemes and I really, realy loathe anything that is 'predictive'. What that means is that I will not be able to predict the machine's idiotic guess about what I intended.
I have a RIM with the GOOD software on it. I am not going to be replacing it with this phone, no way. If I want a point and poke scheme then I will use my motorola cell phone. The RIM software is in any case sub-standard when it comes to exchange integration. With Good I get full synchronization of every folder, including calendar and contacts.
RIM and Palm both make the same mistake, they think it is acceptable to have to sync the handheld to the main system.
As a point of fact he isn't embarrasing my country. We have that Tony Blair chap.
That would be a good move, it would certainly be good for the Democrats. I suspect that most green and more than half the libertarian votes would move to them on second preferences. At least until the Republicans jettionsed the Religious Reich and Ashcroftism.
But there would still have to be some ballot qualification if the ballot was not going to look even more idiotic as the California gubnatorial one.
I doubt that Nader would run in that scheme. The only reason he gets attention is as a spoiler. The greens would not want him, he does not support their agenda.
It's his head thats too big.
This is just one big ego trip for Ralph. He has made his millions and he is going to be alright even if Bush is elected or re-selected.
None of the independent parties is even at 5%, and 15% sounds more than reasonable. To win you need 50%. 5% to 50% means increasing your support ten fold.
And it also means your tax dollars go to candidates (which IS a 5% barrier) whom you're not allowed to hear in the debates.
Sure I can hear them if I want, that is what CSPAN is for. Nader gets to rant as much as he likes there. What you are objecting to is that I have the choice to ignore them because they don't get the advantage of a network block out.
Same for everybody else.
The point of this attack is to shut down the Swift Boat Liars. Kerry is demonstrating that he will respond when attacked, not sit there and take it as previous victims of Bush smear campaigns have done - Dukakis & Gore.
Bush is going to try to keep up the smears and negative attaqck ads because that is absolutely all he has. He cannot mention any domestic policy success or anything that would normally be considered a foreign policy success. Starting wars is easy, finishing them is hard.
Bush clearly does not have what it takes to get us out of the quagmire he drove us into. Worse still he is intent on driving into more.
The problem with pre-emptive response is that once you have your military committed that is it, you cannot do anything more. So now that the US is firmly in the swamp of iraq everyone else, Iran, North Korea, Saudi Arabia, they all know that there is nothing more that the US can do.
If the minor party candidates want to have a debate then let them. I am sure that CSPAN will cover it and anyone who is interested will watch. But just because Ralph Nader wants to talk to us does not mean that people are interested in listening.
There have been serious third party candidates in the debates. The 5% bar is hardly onerous or unreasonable. Anderson and Ross Perot both managed to qualify and were present in the debates.
What is a much bigger issue is who gets to choose the questions. In a true debate the candidates would face off against each other. Instead the US media insists that it get to ask the questions. It would make much more sense to have the candidates question each other.
If left to its own devices the media will only ask Kerry questions about his service in Vietnam and Bush questions about the Texas Air National Guard. The economy, iraq, health care, education, forget those they won't come up.
Michael Moore is the Rush Limbaugh of the left, he is sloppy and his politics are often infantile - he was a Naderite in 2000, he helped elect Bush.
If you want good journalism then don't go to Rush Limbaugh, Commander Taco or Michael Moore, they all have their axes to grind. Don't go to Fox News, best still avoid the US "news" altogether, try the UK press, the Economist, Guardian, Times, BBC, Independent, Financial Times will all give a much better view of US politics than pretty much any US journalism.
Moore is simply giving the right a taste of what Fox News has done for years and to a far lesser degree.
Moore is not good journalism, he is not even particularly great as a propagandist, but he does not practice the absolutely deliberate distortions that Fox, Limbaugh, Swift Boat Veterans for Bush, etc. peddle.
Sure it would be good if US citizens actually learned to think for themselves. Since they refuse to people lime Limbaugh, Moore and Murdoch will do their thinking for them.
That is why Bush is at arround 50% in the polls instead of 15% which isw where you would expect a President whose economic plan is an utter failure, who has increased federal govt. spending more than either Carter or Clinton, who has lost millions of jobs, has stopped trying to catch Bin Laden and has instead started a $200 billion plus 1000 dead war of choice.
Bush is not a conservative, he is a complete incompetent.
Beaker has not spoken at Oxford, but I did see Kermit the Frog speaking at the Oxford Union.
Early on people tried to create public key algorithms out of known NP complete knapsack problems. They ended up with exactly this problem, most NP complete problems have subsets that are way simpler. With cryptography you want a problem that is predictably difficult to break.
Factorization is not an NP complete problem, a solution to the travelling salesman problem will not solve factorization. [BTW the gender is intentional, the reason the salesman is visiting the cities in the first place is he has a mistress in each town]
When you get to something like a block cipher the difficulty is not even characterisable in terms of a single dimension. You have the number of bits of key, the number of rounds, etc. etc. The exponential difficulty in the length of the key is the consequence of the number of rounds, the mixing caused by the interchange function etc. etc.
That is a good start, but also make sure you start from a completely blank file tree, delete all the default cgi scripts etc. A lot of exploits in Apache and IIS have the same cause - holes in the demo scripts that the installer never even knew had been enabled.
The configuration point is a very good one. It is all very well for folk to go flaming on about how great Linux and Apache are and then go run four year old distributions with no security patches. It only takes one hole for an attacker to get through. Apache and IIS both have enough holes found each year to make running an unpatched out of date distribution risky. The absolute number of bugs found is only really relevant if it is indicative of the probability of a zero day attack being found, in this case the higher number of IIS bugs found seems to be mostly due to more lines of code and more people actively reviewing them.
In the old orange book world there was a requirement for an O/S to come with a security guide in order to get any level of accreditation. Linux today would still flunk C level accreditation because the security information is not brought together in one single comprehensive guide.
Orange book is way out dated, but the requirement to document secure configuration is still relevant, it was by far the most useful requirement.
SSL does this. It is not a very good idea.
The problem is that MD5 and SHA-1 are both variations of MD4. Each one has an extra cycle. SHA-1 has in addition a mysterious expansion function that blocks many attacks and has five chaining variables rather than four. But at root there is no real difference. Both use the exact same functions for the transformation.
There would be slightly more point to using SHA-1 with a hash algorithm with an entirely different construction mechanism. But even then the keying mechanism is not very satisfactory.
Some forms of ECC have been 'broken', Len Adlemann (A of RSA) showed that ECC in dimensions higher than 2 was no more secure. He has been working on some further attacks and thinks that ECC as a whole might be vulnerable.
I don't like ECC for two reasons. The first is that ECC is a very new field of mathematics, new results come regularly. It is entirely possible that someone would find an efficient means of transforming ECC problems into discrete math problems and come up with a solution.
The other reason is that ECC is patented up the wazoo. The most efficient ways of using ECC are patented and if you can't use them there is no efficiency advantage over RSA in a discrete field so why bother?
The hash algorithm thing is massively overblown. MD5 was already toast. SHA1 was due to be withdrawn in 2010 in any case and has already been superceded by SHA-256 and SHA-512. New versions of DSA for the larger hash sizes are also due.
It remains to be seen whether the construction of SHA-256 needs to be adjusted in the light of the MD5 results. It may well be that it shares the same vulnerability as SHA-1 and we should forget about the new hash functions and move straight to something else. Alternatively all might be right with the world. We do not know yet.
A lot of people are suggesting a competition similar to the AES competition for a new digest algorithm. There is already something underway for stream ciphers. This seems like a good plan, not least since the cryptographers seemed to have fun with the last one.
One of the SCO contracts with their lawyers reportedly has a provision that means that the lawyers get paid in the case of a change of ownership of SCO.
What interests me is what happens with any appeals. If SCO has been bled dry will they continue on to the bitter end or call it quits after the summary judgement?
I wish that people who link to an article would not link to the publisher as well. If its an article on CNN they will provide a link to their home page, ditto for anyone else.
Going to ECMA can mean many things. Sure it is patent friendly, but it is also a rubber stamp standards body. Thats why Netscape took Javascript aka ECMAscript there. Why bother spending years arguing with a bunch of bozos when the whole technology will be different by the time it is ready.
At the IETF VeriSign argued for an email signature scheme which anyone could use for free.
CA services have value for a certain type of user, corporations, professionals etc. An individual does not get enough value out of them to make the cost of a cert worthwhile.
Better to have 5% of a market with a billion users than 100% of a market with a few million.
What about PGP is "difficult"?
its security for geeks, not real people. PGP was designed for use by people who were technically savy. Most people can't program their VCR.
Thats what you need for your copy of The Omen
Lets imagine the patent filing was Jan 2003. If Microsoft is lucky the examiner might start the exam by Jan 2005, but at the current load quite likely it would be 2006. By the time the prosecution is complete it could easily be 2008 or even 2009.
Chances that the USPTO is still being run by idiots then?
OK still high but there is a chance that Microsoft has created enough paranoia by then for Congress to be serious about reform.
Jon Callas, CTO of PGP is actually quite definite that Domain Keys and PGP need keeping appart. You do not want to dilute PGP by applying it at the domain level.
Meanwhile the Principal Scientist of VeriSign is making a similar argument, S/MIME is waaay over built for ordinary users, let alone PGP.
At this point the objective is to arrive at a widely deployed authentication scheme that everyone can support.
I have yet to see Vernon contribute anything positive in the IETF anti spam efforts. His approach has basically been to attack all ideas other than his own and troll for flamewars. At one point he was automatically reporting all posts made to the ASRG list from people he disagreed with to DCC as spam.
The only people Vernon was helping was the spammers. We have no need of his type of help.
It appears that the other person you are quoting as an expert is yourself or a relation.
The SPF/SenderID group understands exactly what it is doing. It is not making the claims you are asserting.
Nope, it was not the same government. The OKC bombing was during the Clinton Administration, the Afghan and Iraq wars took place under Bush.
As for the OKC bombing, the debris field looked exactly the way you would expect it to when you place a very, very large truck full of explosives in front of a building. There was a large roughly circular hole in the building with the plack McVeigh's truck was parked at dead center. The far wall stood up to the blast so you would expect the shock wave to bounce off the wall and push debris back out again.
Bush lied about the weather balloons sure, or to be strictly accurate he got Powell to lie for him, just like he has these swift boat perjurers to lie for him. We know what sort of character the man has, he smeared McCain, he smeared McClellan, he is smearing Kerry. But the truth of one conspiracy theory does not make all conspiracy theories true.
As to the phone taps, I have always assumed the government taps, opens mail, plants evidence, hides real evidence, etc, as much as they want to, and warrants and laws be damned.
Which is why procedures to make cryptographic assurance of data integrity are so important. Why do you think that PKI companies are involved in placing the taps? It is so that there a cast iron chain of evidence is possible.
Its bad when O.J. gets away with murdering his wife and a waiter. It is worse when people go to jail for the rest of their life or are executed for crimes they never committed. Having assurance that the evidence is sound is a good thing.
As far as terrorism goes, that is not the main area where wiretaps are useful, never has been. Several terrorist groups have come to grief when they used faulty codes. But even the best transport encryption does not conceal the most useful information - traffic analysis. Knowing who Mohamed Atta called in the six months prior to 9/11 was very useful.
What Al Qaeda are doing today is using pay as you go chips in cheap mobile phones. They discard these regularly, but not regularly enough. The whole 9/11 plot was done using a bizare mixture of sophistication and sloppiness. If as Clarke had urged W had put the country on full terrorism alert instead of going on vacation to cut brush there was a good chance of being lucky.
That is why Al Qaeda have been so quiet of late. They never did have many people and they lost a significant number in the 9/11 attack. They have also had defections after Bin Laden was heard joking about how some of the hijackers did not know it was a suicide mission.
Appology accepted.