Several hundred thousand women in the United States suffer from anorexia and ~20% of them will die of anorexia-related symptoms. Being 30 pounds underweight is a lot worse than being 30 pounds overweight, or even 100 pounds overweight. Comprehensive anorexia treatment has rather low success rates and costs around $10k/month, and your health insurance premiums are funding it.
If it's not available for sale in my region, it's not theft. If they won't sell it to me, they can't claim a lost sale.
Want Game of Thrones outside the USA?? hahahahahahahahaha, only one way to get it.
Game of Thrones is available on DVD in regions 1, 2, and 4 (Basically North & South America, Europe, Australia/Oceania, and much of Africa and Asia including Japan, the Middle East, Egypt, and South Africa). It's available on Blu-Ray in Regions A and B (North and South America, Western Europe, Africa, Australia/Oceania, Japan, Korea, the Middle East, and Southeast Asia).
And the US wasn't even the first DVD release; region 2 was released before region 1.
Movies like the Avengers will tend to do well vs. piracy, because these high-effects movies look really good with all the sound and large screens... If you pirate it, you get a shaky little display with perhaps stereo sound.
You're understating the state of piracy. For big releases like the Avengers, Telesync bootlegs come out essentially as soon as the first screenings; they're shot with high-def cameras on tripods mounted in the projection booth directly over/under the projector, with the complete Dolby Digital (5.1 or even 7.1) soundtrack ripped directly from a sound source (not recording it from playback).
Game of Thrones has dialogue that's almost exactly the same as the books; most scenes are directly from the books, and just changed a bit because of the change of medium.
That was kind of true in season 1 but is very much not the case in season 2.
For instance, last week's episode had 7 major storylines; of those, 5 are pretty much created entirely for the show with little resemblance to exact scenes from the books. 1 of them (Sansa/Cersei/Hound period scenes in King's Landing) is very close to the book, and 1 of them (Theon chasing Bran and Rickon) is parallel to book scenes but rewritten because some of the major characters don't exist on the show. The show's doing a remarkable job of staying relatively true to the overarching story without really following exact scenes all that closely in season 2.
Breakdown:
Theon chasing Bran and Rickon: These scenes are altered greatly from the books because major characters are omitted. The escape is led by Meera and Jojen Reed in the books and they drive all the conversation about Bran's dreams. They don't exist at all in the TV show.
Jon Snow/Ygritte: The whole "wandering alone with Ygritte in the cold" storyline is the show's fabrication, it never happens in the books (there, Jon frees Ygritte and remains with the rangers until they're captured by Rattleshirt).
Arya/Tywin: These scenes are fabricated entirely for the show, as Arya never serves Tywin in the books. They're awesome but brand new dialog.
Sansa/Cersei: These scenes are pretty close to the book.
Daenerys in Qarth: These scenes are completely fabricated for the show; the whole dragons-getting-stolen plot doesn't exist in the book.
Robb Stark: These scenes are completely fabricated for the show; the books never show the western campaign at all and never have Robb-POV chapters. The character of Talisa seems maybe based on Jeyne Westerling, but it's tough to know for sure because we never see Jeyne until after a major SPOILER event happens in the books. Catelyn is certainly not out west in the books, and her book version would never let things develop between Robb and Talisa.
Jaime Lannister: Again fabricated completely for the show, he never has any escape sequence like this in the books (he does have an escape sequence but it's nothing like this and certainly doesn't have nearly identical dialog).
This is nothing new. We still talk about pencil lead even though it's been graphite since Roman times, bands cutting new tracks though wax recording is long past, calculus though we don't count with stones, and dialing phones though the rotary phone is nearly extinct. "Pump the brakes" has enjoyed a renaissance of popularity as a slang phrase despite antilock brakes being universal, and people still go balls to the wall or run out of steam.
It's more important that these icons and idioms are standard and well-understood than that people remember their origins.
2-pass lets you determine your final filesize (IMO, the reason one recodes)
That's a weird IMO. Certainly 2-pass is the best way to go if you care about exact filesize, but that's not what most people care about. They care about having video that will play back so they can watch and hear it, and the primary reason anyone I know recodes is to convert to a format that they can actually play (generally for iPad/smartphone or PS3 playback).
"Looks like a soap opera" to me means the weird overly contrasty look you get when some of the stupid autocontrast/edge "enhancement" features are turned on on modern TVs.
The way that people figured this out is this: five hunters go into a forest as a group, split up and hide. Then, one by one, four hunters leave. The fifth hunter stays in hiding, the monkeys come out of hiding, and the hunter shoots a monkey. This does not happen when there are fewer than five hunters initially.
I should hope not: if there are four hunters initially, then one by one four hunters leave, there are no hunters left to shoot the monkey. And if there are 3 or fewer hunters initially then the scenario's impossible.
How about we have population sizes that suit the arability of available land and supply of water in bad times. It may seem like a defeatist attitude, but when the world population is on an exponential growth curve there is only one answer.
It is not on an exponential growth curve. The world population growth rate peaked c. 1960 and has declined since, and huge parts of the world including Europe and the US already have negative native population growth (though immigration is propping up populations for now). As the rest of the world continues to develop, the world population is projected to begin declining around 2060ish.
$30 billion is not much. Bill Gates could fund that personally, if he wanted. Yet he chooses to fund other research which, while also important, possibly doesn't have as much bang for the buck when it comes to saving lives.
Bill's charitable giving is actually pretty savvy at targeting his charity to high-reward areas, and lack of clean drinking water and agricultural development are two of his bigger targets (along with HIV/AIDS, malaria, mother/child deaths, and vaccination, all of which are pretty high on the bang-for-the-buck when it comes to saving lives). FWIW the Bill & Melinda Gates Foundation has given $15 billion to global health and $3.5 billion to global development over the last 15 years (as well as $6 billion in American charitable donations) and Gates has announced his plans to give away $60 billion more over the next couple of decades; Warren Buffett is giving away the vast majority of his fortune through the Gates Foundation as well, at a current rate of around $1.5-2 billion/year.
http://www.gatesfoundation.org/about/Pages/foundation-fact-sheet.aspx has more detail on exactly where the Gates Foundation money goes; it's much more transparent than a lot of huge charities.
Unfortunately, just after Louis CK delivered a particularly scathing line for team talent, Gallagher would squash him with a novelty-size mallet.
Interestingly, the original edition of the Lord of the Rings is in the public domain in the US due to an error by his publisher at the time. Tolkien had to go back and make a revised edition and market it with a note on the back pleading with fans not to buy the Ace Books edition that he saw no royalties from. So presumably a similar pub in the US (e.g. Bilbo Baggins, in Alexandria, VA) is on safer ground than this one in the UK.
This is an incredibly dangerous way to present this information. The numbers differ based on the source, but it's between hundreds and thousands of times as many women who die from obesity in the US as from anorexia, bulimia, nutritional deprivation, and other undernourishment conditions. Anorexia is much more of a trendy, popular place to focus attention, but if you're actually interested in saving women's lives you need to acknowledge the bigger (by several orders of magnitude) problem first.
the standard, "bread and butter" affordable cars at that time had chokes.
I learned in a Mark II Ford Escort, in case you're interested.
The Mark II Escort was a 1970s car (1975-1980). The Mark III introduced fuel injection in 1983 though carburetors remained on some models until 1989. In America, the first generation Escort was 1981-1990 and introduced electronic fuel injection in 1984 (the second generation was 1991-1996 and was always fuel-injected).
The changeover was pretty quick. In the US in 1984 most cars were carbureted, and by 1990 the last mass-market passenger cars with carburetors shipped--some police models and carbureted trucks ran a year or three longer (the final carbureted Isuzu trucks were shipped in 1994).
They're also aiming at displacing dedicated e-readers from the market. In the printer industry, people stopped caring about improving text resolution at around 600dpi; if that holds true, there's still a little more resolution to chase before things are "as good as books" on that front (there's still the reflective vs. emissive issue, among others).
Try that with Best Buy some time. Seriously. I've actually gone online, searched for an item, found it and its price, called ahead and confirmed the price and asked them to hold it. They said they would, but when I showed up less than 1/2 hour later they had it, but only with a pre-installed Geek Squad markup of $50 (or thereabouts) over the online price. It's BS. You simply cannot expect to call ahead and then go pick up an item at the price their web site lists.
That's a good thing. The problem is that Americans are conditioned to think manufacturing jobs = good, service jobs = bad. In reality that's not the case; pure manufacturing jobs are the most brainless, automatable jobs ever. It would make zero sense to keep paying a person to use a pair of scissors to mow the lawn when you've invented the lawnmower, and likewise it makes no sense today to pay someone to put screws into the car frame when that's trivial to automate.
Yet we mourn the loss of manufacturing jobs--truly the shittiest and easiest to replace jobs out there. That's mainly because of a historic stigma where all of the good service jobs get relabelled to something else.
When it comes down to what you're actually doing, being a doctor, lawyer, engineer, or computer programmer are in actuality service jobs. So is being an artist or home designer or anything else where you're tailoring your service to the customer's needs. The burger industry paper hat stigma has made those jobs lobby to be called "professional" (as though manufacturing jobs or working the line at McDonalds somehow are amateur) or similar.
But as the century progresses, it's the service jobs that are going to be the ones people want to have, and the loss of today's manufacturing jobs will eventually be viewed as just as good as losing all the coal-shoveling, cotton-picking, textile mill-working shitty jobs that machines replaced 100 years ago is today.
That's the wrong comparison for part 1, though. The Siri query is replacing the typical query, and the typical google/bing _query_ is still tiny (certainly less than 4KB and probably less than 1KB).
How big the page you wind up looking at is falls into part 2 (how big are queries as a percentage of overall web use?).
People who do no more than 10-15 searches a day aren't on the radar when it comes to worrying about bandwidth hogs. The real question is how much does each Siri search use compared to an old-style web search (I suspect the answer is "a lot more", probably more than 10 times as much) and whether for heavy users that approaches a significant percentage of overall use (I suspect the answer is "no, when you're listening to a couple of podcasts and watching a vid or two and surfing the web heavily, a few dozen Siri searches doesn't mean all that much").
But mentioning the light users is totally disingenuous--light users aren't where bandwidth concerns are met.
An article that's predicated on using the search 2-3 times a day is seriously supposed to be a rebuttal? I don't doubt that the original numbers are overblown and could easily be disputed, but come on--two or three searches a day doesn't pass the smell test.
That's fine and all, and what I was going to suggest, but what happens when it's intermittent? What the hell exactly do you log? Do you have access to core dumps?
You log every single exception or, from a core dump, stack trace, and all the local variables at the time it happens. And as you accumulate them, you get a sense for what more global info you need (in OP's case he mentions URLs--if it's a web app, the complete incoming request, including form variables and cookies and session info, is a no-brainer).
Then you delete old info yourself on your end, but keep a lot more than you think you'll need.
Bugs that don't result in a crash are the harder ones; ideally you have some way to flag a user so that they get traced pretty fully, so if someone calls in a bug report you can turn on tracing for them and log a ton of crap. And it's often worth having the logs generally be a lot huger than you'd anticipate (even for general users who you haven't flagged for special debugging). But it's tougher than debugging the crashes, for sure.
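The logging discipline the reply above describes, as an added example in Python (my illustration, not the commenter's code or any particular project's): every exception is recorded together with the request that triggered it and every frame's local variables, a user who reported a non-crashing bug can be flagged so that their requests are traced in full, and the store is bounded so old records age out on their own. One thing the comment glosses over is that "the complete incoming request, including cookies and session info" written verbatim into a log turns the crash log into a session-hijack oracle for anyone who can read it, so the example redacts credential-bearing keys (in headers, form fields and nested locals) before anything is stored. The handler, the request, the field names and the `SENSITIVE` key list are constructed for the demonstration.

```python
import traceback
from collections import deque
from typing import Any, Deque, Dict, List, Optional, Set

# Keys whose values must never reach a crash log: anything that would let
# whoever reads the log impersonate the user or recover a credential.
# (Constructed list for the example; extend it for your own app.)
SENSITIVE = {"cookie", "set-cookie", "authorization", "password", "session", "csrf_token"}
MAX_REPR = 120   # cap per-variable reprs so one huge object cannot flood a record
MAX_DEPTH = 4    # stop recursing into deeply nested or self-referencing containers


def redact(obj: Any, depth: int = 0) -> Any:
    """Copy obj, replacing values stored under sensitive keys, recursing into containers."""
    if depth > MAX_DEPTH:
        return "<nested>"
    if isinstance(obj, dict):
        return {k: ("<redacted>" if str(k).lower() in SENSITIVE else redact(v, depth + 1))
                for k, v in obj.items()}
    if isinstance(obj, (list, tuple)):
        return type(obj)(redact(v, depth + 1) for v in obj)
    return obj


def safe_repr(value: Any) -> str:
    """repr() of the redacted value; survives a broken __repr__ and truncates long output."""
    try:
        text = repr(redact(value))
    except Exception as exc:  # a failing __repr__ must not mask the original bug
        text = f"<repr failed: {exc!r}>"
    return text if len(text) <= MAX_REPR else text[:MAX_REPR] + "..."


def describe_request(request: Dict[str, Any]) -> Dict[str, Any]:
    """The complete incoming request, minus credentials."""
    return {"method": request.get("method"), "url": request.get("url"),
            "user": request.get("user"),
            "form": redact(request.get("form", {})),
            "headers": redact(request.get("headers", {}))}


def capture_exception(exc: BaseException, request: Dict[str, Any]) -> Dict[str, Any]:
    """One crash record: the exception, the triggering request, every frame and its locals."""
    frames: List[Dict[str, Any]] = []
    for frame, lineno in traceback.walk_tb(exc.__traceback__):
        frames.append({"file": frame.f_code.co_filename,
                       "function": frame.f_code.co_name,
                       "line": lineno,
                       "locals": {name: safe_repr(val) for name, val in frame.f_locals.items()}})
    return {"type": type(exc).__name__, "message": str(exc),
            "request": describe_request(request), "frames": frames}


class DebugLog:
    """Bounded store of records plus per-user 'trace everything' flags."""

    def __init__(self, capacity: int = 10_000) -> None:
        self.records: Deque[Dict[str, Any]] = deque(maxlen=capacity)  # oldest drop off automatically
        self.traced_users: Set[str] = set()

    def trace_user(self, user: str) -> None:
        """Flag a user who reported a bug that does not crash: log their every request in full."""
        self.traced_users.add(user)

    def record_exception(self, exc: BaseException, request: Dict[str, Any]) -> Dict[str, Any]:
        rec = capture_exception(exc, request)
        self.records.append(rec)
        return rec

    def trace_request(self, request: Dict[str, Any]) -> Optional[Dict[str, Any]]:
        """Full request trace for flagged users only; None (and nothing stored) for everyone else."""
        if request.get("user") not in self.traced_users:
            return None
        rec = {"type": "trace", "request": describe_request(request)}
        self.records.append(rec)
        return rec


# Constructed sample request and a constructed handler with a deliberate bug.
SAMPLE_REQUEST = {"method": "POST", "url": "/cart", "user": "alice",
                  "form": {"qty": "ten", "password": "hunter2"},
                  "headers": {"Cookie": "sid=deadbeef", "User-Agent": "curl/8"}}


def handle_cart(request: Dict[str, Any]) -> int:
    quantity = int(request["form"]["qty"])  # "ten" is not an int: ValueError
    return quantity * 2


def simulate_crash(log: DebugLog, request: Dict[str, Any]) -> Dict[str, Any]:
    """Run the buggy handler and capture the resulting crash."""
    try:
        handle_cart(request)
    except ValueError as err:
        return log.record_exception(err, request)
    raise AssertionError("the constructed handler was expected to fail")


if __name__ == "__main__":
    log = DebugLog()
    rec = simulate_crash(log, SAMPLE_REQUEST)
    print(rec["request"]["headers"])
    for f in rec["frames"]:
        print(f["function"], f["line"], f["locals"])
```

Redaction happens inside `safe_repr`, not only on the request, because the request dict usually shows up again as a local variable in every frame of the stack; redacting the top-level copy and then dumping `frame.f_locals` verbatim would put the cookie straight back into the record. The `deque(maxlen=...)` is the "delete old info yourself" step: it drops the oldest record automatically, so retention is a capacity decision rather than a cron job you forget to write.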
But you cannot get entropy that is there but estimated as zero out of the pool! When reading speed from /dev/random is concerned, this does exactly nothing. Also it does exactly nothing for the amount of other entropy you have to get. So, even though it is hard to understand, you can drop it with no adverse effects and a reduction in code complexity on the plus side.
Entropy gathering is not a guessing game, if the quality needs to be high. There is no "hedging" involved when this is done right. The estimates have to be hard, reliable lower bounds.
That's not how it works in practice. In practice, entropy gathering _is_ a guessing game. Things like timing between keystrokes are added to the pool, with guesses as to the amount of entropy they add. If an attacker has, say, a microphone in the room then those guesses can be off--sometimes dramatically. In real life, it's always possible that any source is compromised. Consequently, very conservative estimates are made with the belief that if one entropy source is compromised, the margins for error built in other places will compensate and keep the random device secure.
In fact, several OSes have moved to using cryptographic PRNGs instead of straight entropy-pool based systems for /dev/random (FreeBSD, for instance, uses Yarrow and /dev/urandom is a symlink to /dev/random) precisely because entropy gathering is a guessing game.
Something like the timing of network packets is certainly a potentially useful hedge (and, as noted upthread, even OpenBSD does indeed use such information, with a non-zero entropy estimate).
It's also the only thing that makes the /dev/random behaviour (where any user can add arbitrary information to the pool) make sense: adding stuff to the pool can only help security, not hurt it.
the only valid assumption is an entropy content of exactly zero, so you can drop it from entropy gathering.
This is the part that's nonsensical. The usual course of action with something that's relatively high volume and probably contributes entropy but possibly is under attacker control is to lower the estimated entropy count to zero but continue mixing the source into the pool. The worst-case scenario is no gain (but no loss), but it's likely you get some gain and it hedges against accidental overestimates of other entropy sources.
And we're talking about Theo de Raadt here... it doesn't have to be a RATIONAL threat, it just has to be a theoretical one.
But that's the point, as long as you set its entropy count to zero it's not even a theoretical threat. It could potentially improve randomness and can't possibly hurt. That's how entropy pools are designed.
The OpenBSD kernel uses the mouse interrupt timing, network data interrupt latency, inter-keypress timing and disk IO information to fill an entropy pool.
That makes more sense than ignoring the network entirely.
As I remember, OpenBSD used network details to produce entropy, but later stopped, because it allowed a remote attacker the ability to potentially poison the entropy source by carefully sending just the right packets at the right time. Cryptographically secure randomness for Theo de Raadt was only satisfactory when it required physical access to the machine to manipulate.
Something's wrong or lost in communication here. The entropy pool in a /dev/random implementation is designed so that even if an attacker can add a known source of numbers to it, it still doesn't decrease the real entropy in the pool. As long as my entropy estimates are correct, I could let you pick half the bits (or 99% of the bits) going into /dev/random's entropy pool and that still wouldn't help you guess the output. Lowering the entropy count on network traffic (even to zero) makes sense, but so long as you do that there's no reason not to include it as a potential source of bonus entropy.
In fact, most /dev/random implementations let any user add bits to the pool. Only the root user can increase the entropy estimate, but any bozo can "echo '0000000000000000' > /dev/random"--adding additional stuff to the pool can never hurt, and might help.
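To make the pool-mixing argument running through the last several comments concrete, here is an added toy model in Python (my own illustration, not OpenBSD, FreeBSD or Linux kernel code): a SHA-256-mixed state with a separately tracked entropy estimate, and an attacker who replays every sample he knows and brute-forces the ones he does not. The one-byte samples, the 8-bit keystroke credit, the 256-bit blocking threshold and the SHA-256 mixing are simplifying assumptions for the demonstration, not the kernel's real sources, credits or hash.

```python
import hashlib
import itertools
import os
from typing import List, NamedTuple, Tuple


class Event(NamedTuple):
    data: bytes   # sample mixed into the pool (unknown samples are one byte so brute force stays small)
    credit: int   # entropy bits the kernel credits for it; 0 = mix it in but don't trust it
    known: bool   # whether the attacker learned this sample


class EntropyPool:
    """Toy /dev/random: a hash-mixed state plus a separate entropy estimate."""

    def __init__(self) -> None:
        self.state = b"\x00" * 32
        self.estimate_bits = 0

    def mix(self, data: bytes, credit_bits: int = 0) -> None:
        # One-way mixing: whoever controls `data` cannot cancel what is already in `state`.
        self.state = hashlib.sha256(self.state + data).digest()
        self.estimate_bits = min(self.estimate_bits + credit_bits, 256)

    def output(self) -> bytes:
        # /dev/urandom semantics: always answer from the current state.
        return hashlib.sha256(b"out" + self.state).digest()

    def read(self) -> bytes:
        # /dev/random semantics: block unless the estimate says 256 bits back the output.
        if self.estimate_bits < 256:
            raise BlockingIOError(f"only {self.estimate_bits} bits credited")
        self.estimate_bits -= 256
        return self.output()


def build_pool(events: List[Event]) -> EntropyPool:
    pool = EntropyPool()
    for ev in events:
        pool.mix(ev.data, ev.credit)
    return pool


def attacker_guesses(events: List[Event]) -> int:
    """Cost of predicting the output: replay every known sample and brute-force the
    unknown ones. Returns how many pool reconstructions were tried before a match."""
    target = build_pool(events).output()
    unknown = [i for i, ev in enumerate(events) if not ev.known]
    for count, guess in enumerate(itertools.product(range(256), repeat=len(unknown)), start=1):
        trial = list(events)
        for i, byte in zip(unknown, guess):
            trial[i] = trial[i]._replace(data=bytes([byte]))
        if build_pool(trial).output() == target:
            return count
    raise AssertionError("unreachable: the real samples are inside the search space")


# Constructed samples: one byte of inter-keystroke timing credited with 8 bits, sixteen
# network-timing samples the attacker generated himself, and one network sample he did not see.
KEYSTROKE = Event(bytes([42]), credit=8, known=False)
NET_KNOWN = [Event(bytes([i]), credit=0, known=True) for i in range(16)]
NET_SECRET = Event(bytes([7]), credit=0, known=False)


def flood_does_not_help() -> Tuple[int, int, int, int]:
    """Attacker-chosen samples mixed with zero credit: estimate and attacker's work are unchanged."""
    alone, flooded = [KEYSTROKE], [KEYSTROKE] + NET_KNOWN
    return (build_pool(alone).estimate_bits, build_pool(flooded).estimate_bits,
            attacker_guesses(alone), attacker_guesses(flooded))   # (8, 8, 43, 43)


def uncredited_source_still_costs_attacker() -> Tuple[int, int]:
    """A network sample the attacker did not see, credited at zero: estimate stays 8, work goes up 256x."""
    events = [KEYSTROKE] + NET_KNOWN + [NET_SECRET]
    return build_pool(events).estimate_bits, attacker_guesses(events)   # (8, 10760)


def overestimate_is_hedged() -> Tuple[int, int]:
    """The keystroke was credited 8 bits, but a microphone gave it away. With no uncredited
    source the output costs one guess; an unseen network sample still costs 8."""
    leaked = KEYSTROKE._replace(known=True)
    return attacker_guesses([leaked]), attacker_guesses([leaked, NET_SECRET])   # (1, 8)


def blocking_follows_the_estimate() -> Tuple[bool, int]:
    """An uncredited write ('echo 000... > /dev/random') is mixed but leaves read() blocked;
    a credited sample (root via RNDADDENTROPY on Linux) unblocks it."""
    pool = EntropyPool()
    pool.mix(b"0" * 16, credit_bits=0)
    try:
        pool.read()
        blocked = False
    except BlockingIOError:
        blocked = True
    pool.mix(os.urandom(32), credit_bits=256)
    return blocked, len(pool.read())   # (True, 32)


if __name__ == "__main__":
    print(flood_does_not_help(), uncredited_source_still_costs_attacker(),
          overestimate_is_hedged(), blocking_follows_the_estimate())
```

The four scenario functions are the thread's claims, run: sixteen attacker-supplied samples mixed with zero credit change neither the estimate nor the number of guesses the attacker needs (43 with or without the flood, since only the keystroke byte is unknown to him); one network sample he did not see, still credited at zero, leaves the estimate at 8 bits but multiplies his work by 256; when the credited keystroke source has actually been compromised, the output costs a single guess unless an uncredited source happens to hedge it; and `read()` blocks on the estimate alone, exactly as `/dev/random` does. The caveat the model makes visible is the one the thread circles: blocking protects you only as well as the credits are honest lower bounds, while mixing uncredited data costs nothing and can only raise the attacker's bill.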
Exactly. Netscape held out and got $4.2 billion from AOL; it seems like they held out pretty well and sold nearer to high than they would have by selling in 1994.