I'm not a tmux user, so I may be completely wrong, but I think what they are talking about is that in tmux you can share one window in a session without also sharing all your other windows in that session. You can also easily move tmux windows between sessions, which you can't do in screen. In addition, sharing a tmux window to another user with a different login account is a lot easier in tmux than in screen. There are also forks of tmux that allow two people to use one window with two independent cursors.
Basically, tmux is a lot more flexible and easier to hack than screen. I've never bothered with tmux though, screen is good enough for me.
wiziwig.tv does a pretty good job of pirating most live sports, albeit only in standard definition quality.
I think HD quality is overrated. Yes, I can tell the difference. Yes, I appreciate HD quality. But up until 2003 or so, I happily watched live sports in standard definition quality without feeling in the least bit cheated. So I see no reason why high quality is mandatory today.
This is quite old news, why is slashdot only picking up on it now?
The impact of this bug does not compare to the goto fail bug. Most Linux distributions use OpenSSL for TLS. Even if a program links to GnuTLS, it may not use GnuTLS for certificate validation, and if it doesn't, then it's not affected by this bug (one example is Google Chrome). It's not like iOS where everything is required (by App Store rules) to use SecureTransport.
There's a lot of GPL software in Ubuntu, starting with the Linux kernel. Does Tesla distribute the source code to Model S owners that ask?
The source disclosure requirements of the GPL are often misunderstood. To comply with the GPL, it is not enough to distribute the source code to Model S owners that ask.
The GPL provides three options for distributing binaries (Sections 3a, 3b, and 3c), and anybody distributing Linux source code must comply with at least one of these options. Tesla cannot use Section 3c, since Section 3c states that only non-commercial distributors can use Section 3c. Section 3a requires Tesla to distribute the source code to all Model S owners, not just those who ask. Section 3b requires Tesla to distribute the source code to anybody who asks, not just Model S owners who ask.
Therefore, Tesla is required to distribute the Linux source code that they use either:
To every Model S owner, regardless of whether the owner asks or not, or
To every legal entity that asks for the source code, regardless of whether the entity is a Model S owner or not.
Another point that you missed completely is that your targeting assumption is wrong. If you're doing a MITM against a banking site, you DON'T need to target them. Not with SSL. You can compromise instead any one of the thousands of certificate authorities in the world. Any single successful compromise of any of these unrelated third parties gives you free rein to MITM any banking site in the world. From the point of view of the server administrator, this is absolutely insane. No matter how good my own security is, an attacker can MITM me by compromising any single one of any of thousands of unrelated CAs, 99.99% of which I as a server administrator have never done business with. At least with SSH if my own server keys get compromised it's my own damn fault. Not so with SSL.
Your argument remains completely nonsensical for one very basic and unavoidable reason: SSL is also equally vulnerable to stolen keys. There is no way in which SSH is worse than SSL.
Of the MITM attacks against SSL actually deployed in the wild, what proportion rely on stolen keys compared to compromised certs? Answer that question, and you'll see that my "most attacks" claim is fully valid.
Yeah great. This kind of SSH compromise requires a targeted attack, and will only work on that one server. By contrast, with SSL, a single DigiNotar stunt allows you to attack thousands of servers and millions of users all at once. See the difference? SSL is great in theory, horrible in practice. Anyone claiming otherwise is willfully blind of real-world considerations. This includes most cryptography researchers.
Mobile apps can and do use key pinning, but certificates are not necessary for that. They can just pin individual self-signed public keys. For that matter, they don't even need SSL; they could just use SSH.
It's possible, but useless, to implement public-key TOFU in web browsers. Almost all web sites rotate keys too fast for the pin to be useful.
If you don't trust your CA chain then do cert pinning. Either way you need to know you're talking to the right server, pretending that's impossible so it's not worth trying is a cop out.
Certificate pinning is not possible in any real-world scenario. The problem is that certificates change too often. Certificate authorities are part of the problem: they encourage high turnover, because it increases their profits. Certificate pinning only works in situations where you have inside knowledge of a company's certificate policies. Google implements certificate pinning on their own Google properties in Chrome in this way. There is nothing in SSL that technically prevents certificate pinning, but the design of SSL has inevitably led to non-technical economic incentives that indirectly make certificate pinning impossible.
SSH essentially relies exclusively on key pinning (not certificate pinning) for authentication, and it works beautifully. SSH has no certificates, and yet has a higher market share in the shell connection market than SSL has in the http connection market. SSL should become more like SSH, but this is impossible to achieve, because CAs are already economically entrenched.
True MITMs are reasonably rare in large part because of SSL.
WRONG. Provably wrong.
There exists an extremely widely-used crypto protocol which uses no certificate validation and yet prevents almost all MITM attacks. It's called SSH. In fact SSH has done something that SSL will never do: it has completely replaced the corresponding unencrypted protocol, to the point where no one, I mean no one, uses telnet anymore.
How does this magic work? SSH performs key validation. It performs this validation without requiring certificates. The validation model is very simple: trust on first use (TOFU). Although TOFU on paper is theoretically inferior to CA validation in every way, real life does not take place on paper. In the real world, TOFU is far superior to CA validation. It prevents the kinds of attacks that actually matter, while ignoring the kinds of attacks that look great on paper but aren't really a big deal in practice.
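The trust-on-first-use check the comment above describes, written out as an added illustration that is not part of any comment on this page. It assumes a hypothetical in-memory pin store keyed by hostname, with SHA-256 fingerprints over the raw public key bytes (the sample keys and the host name are constructed, not real hosts), and it also walks through the failure mode raised elsewhere in the thread: a legitimately rotated key is indistinguishable from a MITM to a TOFU client until an operator re-pins.

```python
import base64
import hashlib
from typing import Dict


class KeyMismatch(Exception):
    """Pinned key for the host differs from the key presented now."""


def fingerprint(pubkey: bytes) -> str:
    # SHA-256 of the raw key bytes, base64 without padding, in the same
    # "SHA256:..." style OpenSSH prints for its own fingerprints.
    digest = hashlib.sha256(pubkey).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


class TofuStore:
    """Minimal known_hosts-style pin store (hypothetical, in memory)."""

    def __init__(self) -> None:
        self.pins: Dict[str, str] = {}

    def verify(self, host: str, pubkey: bytes) -> str:
        fp = fingerprint(pubkey)
        pinned = self.pins.get(host)
        if pinned is None:
            # First contact: nothing to compare against. This is the window
            # TOFU deliberately leaves open; record the key and proceed.
            self.pins[host] = fp
            return "pinned"
        if pinned == fp:
            return "ok"
        # Any later change is rejected outright. A real rotation and a MITM
        # look identical here; only an out-of-band decision resolves it.
        raise KeyMismatch(f"{host}: expected {pinned}, got {fp}")

    def repin(self, host: str, pubkey: bytes) -> str:
        """Operator-confirmed rotation (the `ssh-keygen -R host` then reconnect step)."""
        self.pins[host] = fingerprint(pubkey)
        return self.pins[host]


def demo() -> Dict[str, str]:
    """Walk through first use, repeat use, a changed key, and a confirmed rotation."""
    # Constructed sample key bytes; stand-ins for real SSH host key blobs.
    key_a = b"ssh-ed25519 sample host key A"
    key_b = b"ssh-ed25519 sample host key B"
    store = TofuStore()
    out: Dict[str, str] = {}
    out["first"] = store.verify("bank.example", key_a)
    out["second"] = store.verify("bank.example", key_a)
    try:
        store.verify("bank.example", key_b)
        out["changed"] = "accepted"
    except KeyMismatch:
        out["changed"] = "rejected"
    # Once an operator confirms the rotation, key B is accepted again.
    store.repin("bank.example", key_b)
    out["after_repin"] = store.verify("bank.example", key_b)
    return out


if __name__ == "__main__":
    for step, result in demo().items():
        print(f"{step}: {result}")
```

The "changed" branch is the whole trade-off in one place: SSH hosts keep the same key for years, so it fires rarely and almost always means something is wrong, whereas an HTTPS site that re-keys with every certificate renewal would trip it constantly, which is why the same model is argued to be useless in browsers.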
Oh good! A substantive response for once. Let's discuss the points you raised.
I admit I made up the 1% figure, but I believe it is a reasonable estimate. Would you like to challenge the accuracy of the number? If anything, I am convinced that closer scrutiny would reveal it to be too high of an estimate. 2013 US GDP was 17 trillion dollars. Microsoft's 2013 revenue was 77 billion dollars, about 0.5% of GDP. Of course, Microsoft is not a pure software company; some portion of that revenue is hardware, services, and so on. There are other software companies, of course. I have never heard anyone reasonably justify a much higher cost than 1%.
It is true that the benefits of commercial software far exceed its costs, but from a public policy perspective that's completely irrelevant. The cost of producing this software is ~1% of the economy. If commercial software did not exist, the government or any public body could (provably) replicate the exact same benefits at the exact same cost. Government support for something on this scale is not a ridiculous idea; it's exactly how most basic research in science is actually done in the US. Hence 1% (or less, if I'm overestimating the cost) is the correct figure to use for policy prescriptions.
Right, attack the messenger. Do you have any substantive arguments? Didn't think so.
In a world lacking music, the human species can survive. In a world lacking free sharing of knowledge, the human species is doomed to die. Take your pick.
Yes, absolutely. Commercial software represents about 1% of our economy, even under the current copyright regime which artificially tilts the market in favor of the software sector. It's absolutely, criminally insane from a policy perspective to hold the other 99% of our economy hostage to this special interest. Lifting the artificial technological restrictions imposed by copyright would grow our economy by much more than 1%, every single year.
To take just one example, if not for copyright restrictions, Google Books would provably be willing to make available for free to every human on the planet the entire contents of the Library of Congress. You're telling me that the future potential growth from making this knowledge available isn't worth trading 1% of our economy on a one-time basis?
Restrictions on computing or copying are unacceptable. Full stop. This is not negotiable. Copying is as natural as breathing in the digital age. Everything else, without exception, has to start from this premise and work around it. Nothing else is compatible with technological progress. Nothing else is compatible with free society.
If artists cannot sustainably produce music under this constraint, then so be it. Better to have no music at all than no freedom of computing.
If you invoke GPLv3 for your copy of the code, then you can stop other people from using your copy under LGPLv2. If you made modifications to your copy, then GPLv3 applies to your modifications. Of course, other copies of the code are licensed independently of your copy. I never claimed otherwise.
If you like the GPLv3 so much, no problem. Any copy of LGPLv2 software can be converted to GPLv3 at will. The text of the LGPL itself states:
3. You may opt to apply the terms of the ordinary GNU General Public License instead of this License to a given copy of the Library. To do this, you must alter all the notices that refer to this License, so that they refer to the ordinary GNU General Public License, version 2, instead of to this License. (If a newer version than version 2 of the ordinary GNU General Public License has appeared, then you can specify that version instead if you wish.)
Free tools are an absolute must. No matter what you think of Microsoft, or how much you like their products, nothing beats open source for learning. I mean, this is almost a tautology: to learn about computers, programming, or anything related, you're far, far better off learning from something where you have access to source code.
The free tools have more rough edges than the Microsoft software you're used to. For learning purposes, this is an advantage. By the time you master sendmail configuration or mod_rewrite rules, you'll also have learned the m4 programming language and regular expressions. Clicking on graphical configuration wizards does not make you learn anything like what you naturally have to learn just to set up a Unix server.
Microsoft certainly makes some world-class software. Visual Studio is unmatched by anything in the open source world. But Visual Studio is not really that useful until you've actually learned how to code. Open source and free software will get you there.
The people behind Mt. Gox might kill him just to save their business from bankruptcy. It would nicely cover the bitcoins that they lost. There are many ways to make use of bitcoins without cashing them.
I agree, OS X is a unix, as much as Android is Linux. There are still some differences between the two; as pointed out in another reply, you can install Google Play Services on top of an AOSP-built Android, but there is no way to install the OS X UI on top of an open-source build of Darwin.
However, if you compare iOS and Android, which is the proper comparison, then there is one other major important difference: Lots of Android hardware is capable of running open-source Android builds, but there is no iOS hardware at all that can run open-source builds of Darwin. I don't consider iOS "open" if you can't run it on any actual hardware.
Google Voice support ends on May 15. You can't pay to continue using it; the XMPP service (which Obihai requires) is simply being discontinued.
http://blog.obihai.com/2013/10...
I expect that the cost and scarcity of spectrum, not infrastructure hardware, will be the main driver of economic costs. It makes sense to leverage the most efficient technology even if the hardware costs are higher.
Traditional voice service simply has to die. VoIP over LTE provides equivalent functionality. That means Skype, Google Hangouts, SIP, or whatever. I'm sure a company like Verizon can easily implement transparent VoIP over their own networks to emulate traditional phone service.
The solution is simple. We should move everything over to LTE. It's far more efficient than any other alternatives, often by several orders of magnitude. Deactivate the old legacy networks and switch to LTE for everything.
https://en.wikipedia.org/wiki/...
You mention his teammates several times. The thing is, many of his important teammates did cheat, in the sense of either they got caught with a drug test or they admitted to doping afterwards. Among these teammates are Hamilton, Heras, Andreu, and Landis. So a big part of the "help" that he got in races was probably the beneficiary of drug assistance, whether or not he himself used drugs.
There is no sales ban. The injunction in Germany has not yet taken effect and cannot take effect until the US trial concludes. In stark contrast with Apple's injunctions, which not only did come into effect but in some cases are currently still in effect, the XBox/Windows 7 "sales ban" was never in effect at any point in time. And this is the way it should be! Of course we all agree (I hope) that a trial is the appropriate legal apparatus to settle patent claims.