Definitely true. There is only one reason why Perl code is so frequently ugly:
Perl exposes the mind of the programmer more directly than any other programming language.
If you are more interested in quick hacks and dirty tricks than writing clean and manageable code, your perl will reflect that. If you are interested in impressing people by compressing seventeen operations into a single line of code, your perl will be an ugly, ugly thing.
However, if your intention is to write clear, maintainable, understandable code, then this is what you will write. It isn't hard -- in fact I believe that Perl's flexibility makes this a much easier task than just about any other language. Here are a few of my favourite rules for Perl programmers:
1) Just because you can, doesn't mean you should.
2) One line of code means one operation or idea. MAAAAYBE 2. See point #1.
3) If there is a cute, short, hackerish way to do something, and a longer, more boring, more explicit way to do the same thing, ALWAYS pick the boring way. Anyone who looks at your code in six months will be very pleased (instead of ready to kill you). Since Perl is so flexible, this is always possible. As for performance, well, in my experience the slick, hackerish ways of doing things often slow things down more than the explicit-using-more-lines way of doing things.
Oh, absolutely you're right. There may be strange undisclosed limitations that specifically limit sublicensees to be US or Canadian corporations (say), and that these sublicensees may not themselves sublicense under any conditions.
In that case, it would kill any GPL hopes right away.
By "appears" I mean exactly that. It seems to me, on first reading, that they're allowed to do pretty much whatever they want with the (GF(p), p > 2**256) instance of ECC, and that naively I would read that that is the only restriction. At least, this is what I'm hoping is the case.
Uh yeah. That's kinda my point that you're explaining to me there, and you appear to be contradicting yourself.
They've licensed the patent, not the code. The algorithm. No source. No binaries. "It's just an algorithm" as the folks as RSA are fond of saying. They are allowed to use the math. There is probably no programming involved here, as you state yourself. How many times can it be said?
It appears that the NSA have licensed this math in such a manner that they are free to sublicense it however they see fit. Thus, they may be able to choose to implement those magical algorithms with their own source code, and then license that implementation out to other people (possibly even in an open-source fashion?)
Now who would trust the NSA's implementation of a particular algorithm in a closed binary? Hopefully nobody. So my hope is that they've licensed this to use as a service to the US as a whole (well within the mandate of the NSA, and relatively inexpensive at $25 million). Ideally, this means that they'll say "Alright kids, here you go: you can now use this shiny new algorithm for your PK stuff. Here, we'll even throw in a reference implementation. No need to thank us, just keep using that encryption, and Stay In School."
Perhaps wishful thinking?
Still, as I said before, the NSA is full of very smart people, and they know that if they want an encryption standard to be widely accepted, it has to be freely available. AES is a great example of that. Perhaps the NSA took a look at Certicom's work and said, "Well, these Canadian chaps have pretty much nailed it. Maybe instead of running a big fancy competition like we did for AES, let's just bite the bullet and pay off Certicom and use that for our PK component."
Well, the nice thing about it is that they've paid for the rights to the patent, including sublicensing. The NSA could whip up their own implementation of it and distribute that software as some kind of standard. Who knows?
For all we know, the sublicensing agreement for the use of the specific parts of the patents may be absolutely up to the NSA (they seem to suggest as much from the Certicom press releases..? Anyone know more?)
If that is the case, the NSA might very well release an open source version that the world can use and modify to their heart's content. They're not stupid, and they know that the world will not use a closed-source implementation of an algorithm.
As far as I understand the deal, this has nothing to do with licensing software. They couldn't have gone with an OSS version (or "roll their own") as so many suggest because they're not licensing just software, they're licensing patents.
You'll note that they've also got sublicensing rights on those patents. There could be a software component to this deal, but as far I can tell it appears that this is mainly about patents.
"Nothing seems to happen", as I read it, means that nothing notable happens in the real world. No large companies switch en masse, nobody adopts it in a big way, no websites insist on Mozilla browsers, no Apache server logs show more than the tiniest fraction of hits from mozilla.
Let me start off by saying that, on Windows, I use Mozilla exclusively. On Mac, I use Safari, and on other Unix it's Konqueror. I hate IE, and I never choose to use it.
I recall the rising anticipation that preceded the Mozilla 1.0 release. It was an exciting time. And then, just over a year ago, it was released. I didn't see it on the nightly news, my dad (the guy who taught me to program, the guy who first brought home a Sinclair ZX-81...) had no idea what it was. Mozilla really hasn't changed a thing in the real world.
I think many of us folks were almost expecting this major revolution, where moms and dads everywhere would cast aside IE and flock to Mozilla in droves. If that was unrealistic, well then surely Mozilla will be sucked into all kinds of embedded browsers and used as a platform for applications, right? Well.... No. Nothing. (Yes, I know about Komodo and a few others, but they truly don't count. Even *I* don't use them, nevermind my mom).
All of these features that Mozilla has are quite nice, yes. But in the computer world at large, they're somewhat meaningless. Mozilla didn't really drive other browsers to higher standards. Mozilla didn't really encourage HTML authors to write better code. The only people Mozilla has seriously affected are those who actually deliberately choose to use it. For the most part, it has improved their lives (it has mine).
However, the point is that Mozilla *only* affects those who use it. And, if you have access to Apache logs (even/. logs, I'd wager), you know that, to a good approximation, nobody uses it.
For me, the definition of being an engineer is all about being a professional and taking responsibility for the work you do. In Canada, engineering is very strongly linked to ethical responsibility.
A good example of this is the fact that all engineers here wear a symbolic iron ring on their right pinky, supposedly made from the iron of a failed bridge that collapsed due to poor engineering, IIRC. This ring is a constant reminder of the responsibility that engineers have to society, as we all put our lives in their hands dozens of times per day at _least_.
Unless software programmers are bound by the same codes of conduct, and follow the same guidelines, they are not engineers.
In short it is definitely NOT the job description that makes the engineer. It is their responsibility to society. Almost every purely software development project I have ever seen fails this test miserably, and therefore software development is generally NOT engineering.
Now, of course, there are engineers who program, and they do often do a lot of programming as part of their very legitimate engineering jobs (maybe that's all they do, in practice). But software development IN GENERAL is not engineering.
Sure, but gasoline, lighter fluid, antifreeze, motor oil, drain cleaner, and all kinds of other liquids are poisonous too, and most people don't have a problem with them.
With well-designed containers and filling system, the consumer need never be directly exposed to methanol in any form. It simply goes from filling station into receptacle (possible your own small personal storage flask, holding maybe 500 ml), and then from receptacle to device (a cell phone, a laptop, whatever). A good design can ensure that those transfers are clean.
Not only does this keep Joe Moron from drinking it, it also goes a long way towards preventing spills, vapours, and other bad things.
Yeah, it's not perfect. I guess pretty much all I'm trying to say with my posts here is that this is definitely possible to do well, if we're motivated to solve the problems.
Um.. Are you serious? Where in the world are you that you can't find AA/AAA batteries practically everywhere?
AA/AAA batteries are DEAD easy to buy at almost any kind of retail store I can think of! Now I'm saying that they'll just add in a methanol source as well. Maybe along side the rows of Duracells and Energizers in displays, there'll be pods full of methane like the butane cans for filling up lighters and stuff. Since it's just a liquid, I'm guessing that a coin-op will be the simplest delivery mechanism.
If you're at home, you can plug into the power line to recharge your devices over night quite cheaply and easily if you have the time. In my part of the world (Canada), there's absolutely zero market for pay-per-charge electrical outlet, as electricity is so cheap that most places don't even bother covering them up (libraries, universities, etc). I can plug in anywhere. But, of course, the drawback is that it's a slow charge thing, so it's only useful if you're sitting in that one spot for an extended period of time.
Nah. How long do you think it would be before there would be coin-op small-device refill stations everywhere, to serve the laptop and cell-phone geeks? Methanol would be cheeeaaaap stuff, like twenty cents or less per litre retail. So maybe you go to the refilling station, dial in a 250 ml fill, drop in a quarter (and curse those ridiculously high vending-machine prices), fill up your laptop, and off you go, good for another five or ten hours.
Heck, even if it was the same price as gasoline it would still be cheap, considering how much you use. At home, you'll probably buy it by the gallon to fill up your own filling station. Offices will get it delivered just like jugs for the water coolers.
Sure, the early adopters will have some annoyances, but I don't think it'd be too long before you'll see them at airports first... Shopping malls... Office buildings... Street corners... Remember, it's not just laptops, it's also cellphones and other gadgets that use the methanol.
And no, this stuff isn't dangerous or volatile -- certainly no more so than vodka. I imagine the real-world implementation might have the methanol at a 75% (or lower) concentration, or something like that, to limit its flammability. Perhaps at home, you can fill with 100%, but in a public places they'll only serve up 75% to limit the danger. Whatever.
I dunno, people will probably find all kinds of potential problems with my scenario here, but I have very little doubt that some enterprising entrepreneurs will find a way of addressing all the problems and getting it all to work.
No, "Applied Cryptography" is what I'm talking about. It is, as its title suggests, about -applying- cryptography. It teaches you exactly how to implement the algorithms in code, and it teaches you how to use those algorithms in every day situations.
He gives some insight into the workings of the algorithms, by eg. explaining how the S-Boxes and stuff work. But it doesn't really teach you how to do cryptanalysis. And it doesn't really teach you how to make your own algorithms.
The books I've suggested are less practically-oriented. The Handbook goes into the mathematics of it all quite nicely. It's a good introduction to the field, and those who can get through it will have a very solid background for more advanced study. The Invitation book is aimed at maybe second-year students or first year students with some knowledge of linear algebra. It gives you a taste of what cryptology is like, and starts you off on the right path early in your education.
Actually, I disagree. I don't think Schneier's book is the best place to start. It's a fine book, no doubt, but it says very little about real cryptology from a theoretical standpoint, or from the point of view of teaching you to develop or break codes.
If your math isn't quite as godly, start with Thomas Barr's "Invitation to Cryptology". It's an excellent starter book for anyone with even a little bit of mathematical skill. You really don't need much but some high school math, maybe a bit of first-year algebra and stuff, and a willingness to do the chapter problems.
Or at least -part- of the source of the problem is that nobody wants to improve the old stuff. They just want to start all over again!
How many of you have worked in a software development shop? Lots, I bet. And how old was the oldest software development project that you'd keep incrementally upgrading? In my experience in the software world, it's not very old. There'd be a first release, some updates, a second version that's very much like the first version, only nicer. Maybe there's a third version.... This goes on for a couple of years, probably (which, in the real world, is a VERY short time).
Pretty soon, though, Marketing starts demanding a vast reworking. They're just not selling enough of the boxes. You need to do something radical, because the version they've got works nicely so the customers have no real reason to upgrade. So what do you do? You rebuild it completely from scratch in a whole new way -- so that it's completely different from the last version!
The whole problem is that the industry doesn't WANT to converge on a nice working model that you can understand and be happy with for a long time, because then you'd never buy any more! It's not like a car, where it wears out after a few hundred thousand kilometers. The software industry has to keep switching year after year in order to get the customers to keep following and keep buying so the cashflow stays high.
Also, if they converged on something and stayed with it for a while, it wouldn't be long until all the file-importing filters worked pretty much perfectly, and all the difficult features had been reversed engineered, and so on -- so now the competition pretty much puts out exactly as good a product as the original maker. We can't have that now, can we? The easiest way to do this is to make yourself a moving target, and to drag all the customers kicking and screaming along with you.
Not really... what? Not really available? Sure it is. It's right there. I didn't say is was "Free-as-in-libre".
If you take a peek at the specification, it's not really that hard of a thing to do. The specification is available and readable. Yeah, the license for that code isn't perfectly floating-on-a-cloud wonderful, but at least a reference implementation exists and can be used for testing.
Is Sony going to do add Rendezvous to their pocket drive? Nah. I don't really care either. If Apple did it, though, that would be awesome. It'd be Airport Extreme, it'd have Rendezvous built in, it may or may not have a firewire port, and it would look very cool.
Yep -- wonderful, reliable, dependable clustering. VMS does clustering like no other operating system that I've ever seen, and it's been doing it for ages.
Well, perhaps IBM has improved in the last few years, as far as their marketing goes. Don't get me wrong -- there's nothing wrong with the _hardware_! Indeed, the thinkpads are pretty rock solid notebooks, and except for the rubber nipple mouse (which is admittedly a taste thing and not a quality thing) I can't say enough good about them. And their big iron is... well... Big. and Iron. Heh. Yes, I've used both extensively, as well as a lot of IBM-built NT servers, and I've always been happy with IBM equipment (even servers running AIX, believe it or not).
There's a difference between good -products- and good -marketing-. IBM has good products. Their marketing, IMHO, sucks (at least to consumers anyhow). They're getting as much play as they possibly can out of the Linux thing, in order to try to get out of their dinosaur-era mainframe stuffy-shirt perception. They still have that image though, and they've done little to shake it in my books. Perhaps that's not such a bad thing though...
They're playing to very different markets, of course. IBM sells mainly to stuffy shirts, Apple doesn't. IBM doesn't -have- to be sexy and cool to make a zillion bucks.
I guess my point was just to differentiate the approaches that Apple and IBM take wrt OSS. I think I can strip it down to this: Apple doesn't necessarily have to care about OSS as a philosophy, they're just using some robust, free software to build their products.
As per licensing requirements (and to foster some developer good will), they contribute back to the community. And why not? What they've discovered is that it doesn't matter. People aren't going to -not- buy a Mac just become KDE or (say) MySQL has become a bit better. Well, maybe a couple will, but I'd be willing to be that the prospect of a super-fast, slick, fun set of applications (iLife, Safari, etc) will win more customers over than they'll lose -- their applications get better right along side the free stuff. Apple is selling hardware, and all these cool applications working seamlessly together. The fact that you can get the source code really doesn't matter. Is this not one of the reasons we have free software? So we can all have good quality software and we can all benefit without someone taking it away from us?
IBM, on the other hand, is cashing in on the openness of Linux/OSS and its popularity in the tech world. And good for them! There's nothing wrong with this. It's not appealing to consumers though, not really. You and I are an exception. Buuut as I've already said, IBM doesn't deal so much with consumers, they're much bigger in the big business. Fine, that works for me. Ultimately, I think IBM has more invested in the "success" of free software in the long term -- if the entire Linux development process was suddenly to collapse under its own weight, then it might affect IBM. I'm about as afraid of this happening as I am of getting hit by a comet.
Yeah, IBM is using Linux. However, we all know that IBM can't market it's way out of a wet paper bag. Apple, though.. Those guys *definitely* know a thing or two about making their products sexy. You're right, Apple contributes marketing. But I don't think they're going to seriously affect the way that the public thinks about OSS. That would be nice, and I hope I'm wrong, but I just don't think Apple cares. While IBM is using the popularity of Linux to boost itself, Apple isn't using the popularity of OSS and KHTML to boost itself. Yeah, they mention it I suppose, but it's more in passing than anything else.
They don't really care so much about OSS in principle, I'd say, as much as they care about having a robust product working very quickly. It happens to be a fact that OSS very often displays those features. It also happens to be a fact that a lot of OSS lacks polish and flair, "sexiness" -- to Joe Public. Very few people question the fact that Apple is very good at making things friendly, useable, and just all around sexy.
It's a perfect match, I'd say. Apple gets the robust code, and the value they add (and charge for) is the interface that they put on the front. The OSS community gets a few patches and bugfixes, and a bit of publicity. Everyone gets something out of it.
Well, but who cares? In the mean time, Apple cleans up KHTML, gives some credibility to Unix-on-the-desktop, and makes a bunch of pretty notebooks.
What's the worst that could happen?
Imagine Jobs has a change of heart tomorrow and decides that open source sucks. So what then? They stop using KHTML. KDE will continue on without them, I guarantee it -- and they'll always have the work that Apple contributed. The xBSD crowd will probably be a little disappointed if Apple stops developing BSD stuff, but it's not going to shut them down or hurt them in any way. Maybe they won't get the benefit of some of Apple's work, if Apple chooses to keep it to themselves, but there's no real subtraction there. BSD software abounds in closed-source applications, yet BSD is still doing just fine (despite what the trolls will have you believe:)
See, that's the beauty of open source. Companies can -help- by improving the software, but they can't -hurt- by wrecking it for everyone. About the dirtiest trick they could pull would be to try a Microsoftian embrace-and-extend. We've dealt with those before, and they're not that big of a deal in the long run.
I dunno, I say we encourage Apple to do as much as they can with open source software. They're already discovering just how they CAN make money on OSS, and it's not even in the quasi-traditional "support" line of business that people seem fixated on. They take the best of what's out there, improve it, use it in their products, and contribute back to the community at large. It's win-win, as far as I can see.
About the rabid wolves, well, hey, if the shoe fits...
And about the people in the pigs, sure I would want to know. But that's not what has happened. You can bet that if that happened, the products would be quickly and quietly recalled. Incidentally, his pigs were (supposedly) never sold to the general public. But that's irrelevant.
There are definitely ways to protect the public from that kind of risk without ruining the accused's chance at a fair trial. It doesn't require another OJ Simpson trial to do it.
Perhaps they're hoping that the media will just respect the wishes of the court, rather than trying to force the issue through technology?
Note: there is no ban on the public -being- there, so this isn't a case of a closed trial. This isn't a ban on people talking about it -- just a ban on media publication. The rules are in place simply to give a fair trial.
In Canada, a criminal suspect's right to a fair, untainted trial trumps the right of the media to descend upon the courtroom like a pack of rabid wolves. This is a murder trial, not public entertainment (no matter what the media would have you believe).
If I leave the doors unlocked at my office, I could (and should) lose my job. But, at least where I live, I cannot be charged, sued, or forced to pay for the losses. A friend of mine did *exactly* this recently -- she left the back door unlocked at the restaurant she worked at after closing up and leaving for the night. The restaurant lost about $100k in theft and damages that night. She lost her job, and the restaurant tried to make her pay for the losses (her parents are fairly well off) -- until they talked to their lawyer and were advised that they had no claim. Essentially it came down to exactly this: she did something really stupid by not locking up and so she could be fired, but that does not mean she's responsible for the theft by making it easier for a criminal to commit. The thief chose to steal those things, so the thief is responsible for the losses, period.
In the end, insurance paid for all the losses, as it should. Also, the restaurant's insurance premiums went way up, as they should. My friend lost her job. The thief was eventually caught, and is spending two years in jail.
Similarly, if a criminal takes my gun and shoots someone, only the criminal has done something wrong (assuming, of course, that I have complied with the law in my storage of the gun etc). I don't know what the laws are like in your area, but here it is illegal to leave a firearm laying around in a public place -- that is, the criminal would have to commit a crime (B&E) to get the gun in the first place. Do I need a super-duper security system to not be negligent? No. Heck, I don't even need to lock my doors.
We're talking about a moral obligation versus a legal responsibility. Morally, I am required to keep my employer's store locked. But remember, all this is doing is keeping honest people honest! Ultimately, every criminal makes a conscious choice to commit a crime.
It's not my responsibility to make it impossible for you to commit a crime. If you seriously think it through, you'll realize that it's a requirement that's impossible to satisfy in a logical and peaceful manner. I don't know where you live, but if you live in a place like that I suggest you move to a more sane place.
There are situations where I am negligent if someone commits a crime. I am negligent if I know it's happening and I do absolutely nothing about it and permit it to happen. In fact, in many cases I'm actually a criminal (eg. if I know someone is going to murder someone else and I don't say anything about it). Similarly, if I discover that my computer is being used to commit a crime, and I continue to let it happen and I don't fix the problem, then I am negligent.
Think about it: where would you draw the line in computer cases? Is it negligence if I allow anonymous logins to my computer, and then they are used to launch attacks? How about if I restrict the logins so only people who sign in with their real names can log in? What if I restrict it to just my friends?
Now as far as security goes, how secure do I have to be? Do I have to be invulnerable to any known attack? Good luck!! I'd be willing to wager that there isn't a single system connected to the internet that is invulnerable to every known attack. Do I just have to deal with those vulnerabilities that are published on Bugtraq? SANS? And within what window do I have to apply patches as they come out? That day? That week? And what networks does it apply to? Internet only?
Finally, I would not be surprised if, in some parts of the world (especially the US), these sorts of things really ARE negligence and you really WILL be sued for them. My argument is intended to persuade people that applying this to computer security is a very stupid idea that will only bite them in the ass in the end.
No. You are not negligent when someone else commits a crime against you (or someone else). You are not responsible for ensuring that it is impossible for another person to commit a crime (even to the best of your abilities). I am no more responsible for someone rooting my box and using it against someone else than I am responsible for someone grabbing my steak knife at the dinner table and stabbing someone in the chest -- even if I happen to be sitting next to an ex-con!
Negligence is when you allow something bad to happen by an omission, a failure to do something that you are responsible for doing. In the case of shovelling the sidewalk, people have the right to walk down a sidewalk. By doing something they are entitled to do, they are endangered by the fact that you have neglected to shovel your walk. However, here is the crucial difference: that l33t idiot has absolutely no right to be using your computer in the first place!
Now, as far as an -insurance- company goes, that's a whole different matter. If a company has a box that is rooted and destroyed, one day I hope the time will come where they will lose any claim for damages they make if their computer is not adequately secured. People don't have "hacker" insurance yet, but one day they probably will.
My point is this: it is not your fault if you are the victim of a crime. Another (inflammatory?) example: no matter how scantily-dressed, a woman is always the victim of a crime if she is raped. Is it -stupid- to leave your computer unsecured? Sure it is. Just like it's stupid to leave your doors unlocked, or to walk in a bad part of town at two am wearing a mini-skirt and a halter top. However, neither one makes it your fault if someone else breaks the law and takes advantage of the situation.
Laws are laws, and it is your duty to follow them. It's not my duty to make sure that it is impossible for you to break them.
Can you imagine the sort of vigilante society we would have if that were the case? People's houses would be booby trapped. Mail carriers would get shot. Meter maids would be beaten as would-be car thieves.
Let me repeat one more time: It is your duty to obey the laws. It it not my duty to make it impossible for you to break those laws. That is the essence of my point.
Slashdot Mirror
Definitely true. There is only one reason why Perl code is so frequently ugly:
Perl exposes the mind of the programmer more directly than any other programming language.
If you are more interested in quick hacks and dirty tricks than writing clean and manageable code, your perl will reflect that. If you are interested in impressing people by compressing seventeen operations into a single line of code, your perl will be an ugly, ugly thing.
However, if your intention is to write clear, maintainable, understandable code, then this is what you will write. It isn't hard -- in fact I believe that Perl's flexibility makes this a much easier task than just about any other language. Here are a few of my favourite rules for Perl programmers:
1) Just because you can, doesn't mean you should.
2) One line of code means one operation or idea. MAAAAYBE 2. See point #1.
3) If there is a cute, short, hackerish way to do something, and a longer, more boring, more explicit way to do the same thing, ALWAYS pick the boring way. Anyone who looks at your code in six months will be very pleased (instead of ready to kill you). Since Perl is so flexible, this is always possible. As for performance, well, in my experience the slick, hackerish ways of doing things often slow things down more than the explicit-using-more-lines way of doing things.
Oh, absolutely you're right. There may be strange undisclosed limitations that specifically limit sublicensees to be US or Canadian corporations (say), and that these sublicensees may not themselves sublicense under any conditions.
In that case, it would kill any GPL hopes right away.
By "appears" I mean exactly that. It seems to me, on first reading, that they're allowed to do pretty much whatever they want with the (GF(p), p > 2**256) instance of ECC, and that naively I would read that that is the only restriction. At least, this is what I'm hoping is the case.
Uh yeah. That's kinda my point that you're explaining to me there, and you appear to be contradicting yourself.
They've licensed the patent, not the code. The algorithm. No source. No binaries. "It's just an algorithm" as the folks as RSA are fond of saying. They are allowed to use the math. There is probably no programming involved here, as you state yourself. How many times can it be said?
It appears that the NSA have licensed this math in such a manner that they are free to sublicense it however they see fit. Thus, they may be able to choose to implement those magical algorithms with their own source code, and then license that implementation out to other people (possibly even in an open-source fashion?)
Now who would trust the NSA's implementation of a particular algorithm in a closed binary? Hopefully nobody. So my hope is that they've licensed this to use as a service to the US as a whole (well within the mandate of the NSA, and relatively inexpensive at $25 million). Ideally, this means that they'll say "Alright kids, here you go: you can now use this shiny new algorithm for your PK stuff. Here, we'll even throw in a reference implementation. No need to thank us, just keep using that encryption, and Stay In School."
Perhaps wishful thinking?
Still, as I said before, the NSA is full of very smart people, and they know that if they want an encryption standard to be widely accepted, it has to be freely available. AES is a great example of that. Perhaps the NSA took a look at Certicom's work and said, "Well, these Canadian chaps have pretty much nailed it. Maybe instead of running a big fancy competition like we did for AES, let's just bite the bullet and pay off Certicom and use that for our PK component."
Well, the nice thing about it is that they've paid for the rights to the patent, including sublicensing. The NSA could whip up their own implementation of it and distribute that software as some kind of standard. Who knows?
For all we know, the sublicensing agreement for the use of the specific parts of the patents may be absolutely up to the NSA (they seem to suggest as much from the Certicom press releases..? Anyone know more?)
If that is the case, the NSA might very well release an open source version that the world can use and modify to their heart's content. They're not stupid, and they know that the world will not use a closed-source implementation of an algorithm.
As far as I understand the deal, this has nothing to do with licensing software. They couldn't have gone with an OSS version (or "roll their own") as so many suggest because they're not licensing just software, they're licensing patents.
You'll note that they've also got sublicensing rights on those patents. There could be a software component to this deal, but as far I can tell it appears that this is mainly about patents.
"Nothing seems to happen", as I read it, means that nothing notable happens in the real world. No large companies switch en masse, nobody adopts it in a big way, no websites insist on Mozilla browsers, no Apache server logs show more than the tiniest fraction of hits from mozilla.
/. logs, I'd wager), you know that, to a good approximation, nobody uses it.
Let me start off by saying that, on Windows, I use Mozilla exclusively. On Mac, I use Safari, and on other Unix it's Konqueror. I hate IE, and I never choose to use it.
I recall the rising anticipation that preceded the Mozilla 1.0 release. It was an exciting time. And then, just over a year ago, it was released. I didn't see it on the nightly news, my dad (the guy who taught me to program, the guy who first brought home a Sinclair ZX-81...) had no idea what it was. Mozilla really hasn't changed a thing in the real world.
I think many of us folks were almost expecting this major revolution, where moms and dads everywhere would cast aside IE and flock to Mozilla in droves. If that was unrealistic, well then surely Mozilla will be sucked into all kinds of embedded browsers and used as a platform for applications, right? Well.... No. Nothing. (Yes, I know about Komodo and a few others, but they truly don't count. Even *I* don't use them, nevermind my mom).
All of these features that Mozilla has are quite nice, yes. But in the computer world at large, they're somewhat meaningless. Mozilla didn't really drive other browsers to higher standards. Mozilla didn't really encourage HTML authors to write better code. The only people Mozilla has seriously affected are those who actually deliberately choose to use it. For the most part, it has improved their lives (it has mine).
However, the point is that Mozilla *only* affects those who use it. And, if you have access to Apache logs (even
For me, the definition of being an engineer is all about being a professional and taking responsibility for the work you do. In Canada, engineering is very strongly linked to ethical responsibility.
A good example of this is the fact that all engineers here wear a symbolic iron ring on their right pinky, supposedly made from the iron of a failed bridge that collapsed due to poor engineering, IIRC. This ring is a constant reminder of the responsibility that engineers have to society, as we all put our lives in their hands dozens of times per day at _least_.
Unless software programmers are bound by the same codes of conduct, and follow the same guidelines, they are not engineers.
In short it is definitely NOT the job description that makes the engineer. It is their responsibility to society. Almost every purely software development project I have ever seen fails this test miserably, and therefore software development is generally NOT engineering.
Now, of course, there are engineers who program, and they do often do a lot of programming as part of their very legitimate engineering jobs (maybe that's all they do, in practice). But software development IN GENERAL is not engineering.
Sure, but gasoline, lighter fluid, antifreeze, motor oil, drain cleaner, and all kinds of other liquids are poisonous too, and most people don't have a problem with them.
With well-designed containers and filling system, the consumer need never be directly exposed to methanol in any form. It simply goes from filling station into receptacle (possible your own small personal storage flask, holding maybe 500 ml), and then from receptacle to device (a cell phone, a laptop, whatever). A good design can ensure that those transfers are clean.
Not only does this keep Joe Moron from drinking it, it also goes a long way towards preventing spills, vapours, and other bad things.
Yeah, it's not perfect. I guess pretty much all I'm trying to say with my posts here is that this is definitely possible to do well, if we're motivated to solve the problems.
Um.. Are you serious? Where in the world are you that you can't find AA/AAA batteries practically everywhere?
AA/AAA batteries are DEAD easy to buy at almost any kind of retail store I can think of! Now I'm saying that they'll just add in a methanol source as well. Maybe along side the rows of Duracells and Energizers in displays, there'll be pods full of methane like the butane cans for filling up lighters and stuff. Since it's just a liquid, I'm guessing that a coin-op will be the simplest delivery mechanism.
If you're at home, you can plug into the power line to recharge your devices over night quite cheaply and easily if you have the time. In my part of the world (Canada), there's absolutely zero market for pay-per-charge electrical outlet, as electricity is so cheap that most places don't even bother covering them up (libraries, universities, etc). I can plug in anywhere. But, of course, the drawback is that it's a slow charge thing, so it's only useful if you're sitting in that one spot for an extended period of time.
Nah. How long do you think it would be before there would be coin-op small-device refill stations everywhere, to serve the laptop and cell-phone geeks? Methanol would be cheeeaaaap stuff, like twenty cents or less per litre retail. So maybe you go to the refilling station, dial in a 250 ml fill, drop in a quarter (and curse those ridiculously high vending-machine prices), fill up your laptop, and off you go, good for another five or ten hours.
Heck, even if it was the same price as gasoline it would still be cheap, considering how much you use. At home, you'll probably buy it by the gallon to fill up your own filling station. Offices will get it delivered just like jugs for the water coolers.
Sure, the early adopters will have some annoyances, but I don't think it'd be too long before you'll see them at airports first... Shopping malls... Office buildings... Street corners... Remember, it's not just laptops, it's also cellphones and other gadgets that use the methanol.
And no, this stuff isn't dangerous or volatile -- certainly no more so than vodka. I imagine the real-world implementation might have the methanol at a 75% (or lower) concentration, or something like that, to limit its flammability. Perhaps at home, you can fill with 100%, but in a public places they'll only serve up 75% to limit the danger. Whatever.
I dunno, people will probably find all kinds of potential problems with my scenario here, but I have very little doubt that some enterprising entrepreneurs will find a way of addressing all the problems and getting it all to work.
No, "Applied Cryptography" is what I'm talking about. It is, as its title suggests, about -applying- cryptography. It teaches you exactly how to implement the algorithms in code, and it teaches you how to use those algorithms in every day situations.
He gives some insight into the workings of the algorithms, by eg. explaining how the S-Boxes and stuff work. But it doesn't really teach you how to do cryptanalysis. And it doesn't really teach you how to make your own algorithms.
The books I've suggested are less practically-oriented. The Handbook goes into the mathematics of it all quite nicely. It's a good introduction to the field, and those who can get through it will have a very solid background for more advanced study. The Invitation book is aimed at maybe second-year students or first year students with some knowledge of linear algebra. It gives you a taste of what cryptology is like, and starts you off on the right path early in your education.
Actually, I disagree. I don't think Schneier's book is the best place to start. It's a fine book, no doubt, but it says very little about real cryptology from a theoretical standpoint, or from the point of view of teaching you to develop or break codes.
If you're a math god, start with the Handbook of Applied Cryptography by Menezes, van Oorschot, and Vanstone.
If your math isn't quite as godly, start with Thomas Barr's "Invitation to Cryptology". It's an excellent starter book for anyone with even a little bit of mathematical skill. You really don't need much but some high school math, maybe a bit of first-year algebra and stuff, and a willingness to do the chapter problems.
Or at least -part- of the source of the problem is that nobody wants to improve the old stuff. They just want to start all over again!
How many of you have worked in a software development shop? Lots, I bet. And how old was the oldest software development project that you'd keep incrementally upgrading? In my experience in the software world, it's not very old. There'd be a first release, some updates, a second version that's very much like the first version, only nicer. Maybe there's a third version.... This goes on for a couple of years, probably (which, in the real world, is a VERY short time).
Pretty soon, though, Marketing starts demanding a vast reworking. They're just not selling enough of the boxes. You need to do something radical, because the version they've got works nicely so the customers have no real reason to upgrade. So what do you do? You rebuild it completely from scratch in a whole new way -- so that it's completely different from the last version!
The whole problem is that the industry doesn't WANT to converge on a nice working model that you can understand and be happy with for a long time, because then you'd never buy any more! It's not like a car, where it wears out after a few hundred thousand kilometers. The software industry has to keep switching year after year in order to get the customers to keep following and keep buying so the cashflow stays high.
Also, if they converged on something and stayed with it for a while, it wouldn't be long until all the file-importing filters worked pretty much perfectly, and all the difficult features had been reversed engineered, and so on -- so now the competition pretty much puts out exactly as good a product as the original maker. We can't have that now, can we? The easiest way to do this is to make yourself a moving target, and to drag all the customers kicking and screaming along with you.
Not really... what? Not really available? Sure it is. It's right there. I didn't say is was "Free-as-in-libre".
If you take a peek at the specification, it's not really that hard of a thing to do. The specification is available and readable. Yeah, the license for that code isn't perfectly floating-on-a-cloud wonderful, but at least a reference implementation exists and can be used for testing.
Is Sony going to do add Rendezvous to their pocket drive? Nah. I don't really care either. If Apple did it, though, that would be awesome. It'd be Airport Extreme, it'd have Rendezvous built in, it may or may not have a firewire port, and it would look very cool.
Indeed it is available, with a version for Linux -- no porting required.
http://developer.apple.com/macosx/rendezvous/
I think this would make the pocket drive a truly must-have product for me.
Now, if we could get these things with rendezvous up and working, so they just automagically work with MacOS X (and eventually everything else).
:^)
That'd be nice, to have a portable scratch-space drive or something like that, that you just plug in and suddenly it works for everyone
Or you just buy new computers and add them to the cluster, as you retire the old ones.... You don't need to stop the cluster to add or remove servers.
Yep -- wonderful, reliable, dependable clustering. VMS does clustering like no other operating system that I've ever seen, and it's been doing it for ages.
Well, perhaps IBM has improved in the last few years, as far as their marketing goes. Don't get me wrong -- there's nothing wrong with the _hardware_! Indeed, the thinkpads are pretty rock solid notebooks, and except for the rubber nipple mouse (which is admittedly a taste thing and not a quality thing) I can't say enough good about them. And their big iron is... well... Big. and Iron. Heh. Yes, I've used both extensively, as well as a lot of IBM-built NT servers, and I've always been happy with IBM equipment (even servers running AIX, believe it or not).
There's a difference between good -products- and good -marketing-. IBM has good products. Their marketing, IMHO, sucks (at least to consumers anyhow). They're getting as much play as they possibly can out of the Linux thing, in order to try to get out of their dinosaur-era mainframe stuffy-shirt perception. They still have that image though, and they've done little to shake it in my books. Perhaps that's not such a bad thing though...
They're playing to very different markets, of course. IBM sells mainly to stuffy shirts, Apple doesn't. IBM doesn't -have- to be sexy and cool to make a zillion bucks.
I guess my point was just to differentiate the approaches that Apple and IBM take wrt OSS. I think I can strip it down to this: Apple doesn't necessarily have to care about OSS as a philosophy, they're just using some robust, free software to build their products.
As per licensing requirements (and to foster some developer good will), they contribute back to the community. And why not? What they've discovered is that it doesn't matter. People aren't going to -not- buy a Mac just become KDE or (say) MySQL has become a bit better. Well, maybe a couple will, but I'd be willing to be that the prospect of a super-fast, slick, fun set of applications (iLife, Safari, etc) will win more customers over than they'll lose -- their applications get better right along side the free stuff. Apple is selling hardware, and all these cool applications working seamlessly together. The fact that you can get the source code really doesn't matter. Is this not one of the reasons we have free software? So we can all have good quality software and we can all benefit without someone taking it away from us?
IBM, on the other hand, is cashing in on the openness of Linux/OSS and its popularity in the tech world. And good for them! There's nothing wrong with this. It's not appealing to consumers though, not really. You and I are an exception. Buuut as I've already said, IBM doesn't deal so much with consumers, they're much bigger in the big business. Fine, that works for me. Ultimately, I think IBM has more invested in the "success" of free software in the long term -- if the entire Linux development process was suddenly to collapse under its own weight, then it might affect IBM. I'm about as afraid of this happening as I am of getting hit by a comet.
Yeah, IBM is using Linux. However, we all know that IBM can't market it's way out of a wet paper bag. Apple, though.. Those guys *definitely* know a thing or two about making their products sexy. You're right, Apple contributes marketing. But I don't think they're going to seriously affect the way that the public thinks about OSS. That would be nice, and I hope I'm wrong, but I just don't think Apple cares. While IBM is using the popularity of Linux to boost itself, Apple isn't using the popularity of OSS and KHTML to boost itself. Yeah, they mention it I suppose, but it's more in passing than anything else.
They don't really care so much about OSS in principle, I'd say, as much as they care about having a robust product working very quickly. It happens to be a fact that OSS very often displays those features. It also happens to be a fact that a lot of OSS lacks polish and flair, "sexiness" -- to Joe Public. Very few people question the fact that Apple is very good at making things friendly, useable, and just all around sexy.
It's a perfect match, I'd say. Apple gets the robust code, and the value they add (and charge for) is the interface that they put on the front. The OSS community gets a few patches and bugfixes, and a bit of publicity. Everyone gets something out of it.
Well, but who cares? In the mean time, Apple cleans up KHTML, gives some credibility to Unix-on-the-desktop, and makes a bunch of pretty notebooks.
:)
What's the worst that could happen?
Imagine Jobs has a change of heart tomorrow and decides that open source sucks. So what then? They stop using KHTML. KDE will continue on without them, I guarantee it -- and they'll always have the work that Apple contributed. The xBSD crowd will probably be a little disappointed if Apple stops developing BSD stuff, but it's not going to shut them down or hurt them in any way. Maybe they won't get the benefit of some of Apple's work, if Apple chooses to keep it to themselves, but there's no real subtraction there. BSD software abounds in closed-source applications, yet BSD is still doing just fine (despite what the trolls will have you believe
See, that's the beauty of open source. Companies can -help- by improving the software, but they can't -hurt- by wrecking it for everyone. About the dirtiest trick they could pull would be to try a Microsoftian embrace-and-extend. We've dealt with those before, and they're not that big of a deal in the long run.
I dunno, I say we encourage Apple to do as much as they can with open source software. They're already discovering just how they CAN make money on OSS, and it's not even in the quasi-traditional "support" line of business that people seem fixated on. They take the best of what's out there, improve it, use it in their products, and contribute back to the community at large. It's win-win, as far as I can see.
About the rabid wolves, well, hey, if the shoe fits...
And about the people in the pigs, sure I would want to know. But that's not what has happened. You can bet that if that happened, the products would be quickly and quietly recalled. Incidentally, his pigs were (supposedly) never sold to the general public. But that's irrelevant.
There are definitely ways to protect the public from that kind of risk without ruining the accused's chance at a fair trial. It doesn't require another OJ Simpson trial to do it.
Perhaps they're hoping that the media will just respect the wishes of the court, rather than trying to force the issue through technology?
Note: there is no ban on the public -being- there, so this isn't a case of a closed trial. This isn't a ban on people talking about it -- just a ban on media publication. The rules are in place simply to give a fair trial.
In Canada, a criminal suspect's right to a fair, untainted trial trumps the right of the media to descend upon the courtroom like a pack of rabid wolves. This is a murder trial, not public entertainment (no matter what the media would have you believe).
Nope. Still doesn't work.
If I leave the doors unlocked at my office, I could (and should) lose my job. But, at least where I live, I cannot be charged, sued, or forced to pay for the losses. A friend of mine did *exactly* this recently -- she left the back door unlocked at the restaurant she worked at after closing up and leaving for the night. The restaurant lost about $100k in theft and damages that night. She lost her job, and the restaurant tried to make her pay for the losses (her parents are fairly well off) -- until they talked to their lawyer and were advised that they had no claim. Essentially it came down to exactly this: she did something really stupid by not locking up and so she could be fired, but that does not mean she's responsible for the theft by making it easier for a criminal to commit. The thief chose to steal those things, so the thief is responsible for the losses, period.
In the end, insurance paid for all the losses, as it should. Also, the restaurant's insurance premiums went way up, as they should. My friend lost her job. The thief was eventually caught, and is spending two years in jail.
Similarly, if a criminal takes my gun and shoots someone, only the criminal has done something wrong (assuming, of course, that I have complied with the law in my storage of the gun etc). I don't know what the laws are like in your area, but here it is illegal to leave a firearm laying around in a public place -- that is, the criminal would have to commit a crime (B&E) to get the gun in the first place. Do I need a super-duper security system to not be negligent? No. Heck, I don't even need to lock my doors.
We're talking about a moral obligation versus a legal responsibility. Morally, I am required to keep my employer's store locked. But remember, all this is doing is keeping honest people honest! Ultimately, every criminal makes a conscious choice to commit a crime.
It's not my responsibility to make it impossible for you to commit a crime. If you seriously think it through, you'll realize that it's a requirement that's impossible to satisfy in a logical and peaceful manner. I don't know where you live, but if you live in a place like that I suggest you move to a more sane place.
There are situations where I am negligent if someone commits a crime. I am negligent if I know it's happening and I do absolutely nothing about it and permit it to happen. In fact, in many cases I'm actually a criminal (eg. if I know someone is going to murder someone else and I don't say anything about it). Similarly, if I discover that my computer is being used to commit a crime, and I continue to let it happen and I don't fix the problem, then I am negligent.
Think about it: where would you draw the line in computer cases? Is it negligence if I allow anonymous logins to my computer, and then they are used to launch attacks? How about if I restrict the logins so only people who sign in with their real names can log in? What if I restrict it to just my friends?
Now as far as security goes, how secure do I have to be? Do I have to be invulnerable to any known attack? Good luck!! I'd be willing to wager that there isn't a single system connected to the internet that is invulnerable to every known attack. Do I just have to deal with those vulnerabilities that are published on Bugtraq? SANS? And within what window do I have to apply patches as they come out? That day? That week? And what networks does it apply to? Internet only?
Finally, I would not be surprised if, in some parts of the world (especially the US), these sorts of things really ARE negligence and you really WILL be sued for them. My argument is intended to persuade people that applying this to computer security is a very stupid idea that will only bite them in the ass in the end.
No. You are not negligent when someone else commits a crime against you (or someone else). You are not responsible for ensuring that it is impossible for another person to commit a crime (even to the best of your abilities). I am no more responsible for someone rooting my box and using it against someone else than I am responsible for someone grabbing my steak knife at the dinner table and stabbing someone in the chest -- even if I happen to be sitting next to an ex-con!
Negligence is when you allow something bad to happen by an omission, a failure to do something that you are responsible for doing. In the case of shovelling the sidewalk, people have the right to walk down a sidewalk. By doing something they are entitled to do, they are endangered by the fact that you have neglected to shovel your walk. However, here is the crucial difference: that l33t idiot has absolutely no right to be using your computer in the first place!
Now, as far as an -insurance- company goes, that's a whole different matter. If a company has a box that is rooted and destroyed, one day I hope the time will come where they will lose any claim for damages they make if their computer is not adequately secured. People don't have "hacker" insurance yet, but one day they probably will.
My point is this: it is not your fault if you are the victim of a crime. Another (inflammatory?) example: no matter how scantily-dressed, a woman is always the victim of a crime if she is raped. Is it -stupid- to leave your computer unsecured? Sure it is. Just like it's stupid to leave your doors unlocked, or to walk in a bad part of town at two am wearing a mini-skirt and a halter top. However, neither one makes it your fault if someone else breaks the law and takes advantage of the situation.
Laws are laws, and it is your duty to follow them. It's not my duty to make sure that it is impossible for you to break them.
Can you imagine the sort of vigilante society we would have if that were the case? People's houses would be booby trapped. Mail carriers would get shot. Meter maids would be beaten as would-be car thieves.
Let me repeat one more time: It is your duty to obey the laws. It it not my duty to make it impossible for you to break those laws. That is the essence of my point.