Slashdot Mirror


User: fizzz

fizzz's activity in the archive.

Stories
0
Comments
21

Comments · 21

  1. Sidenote: 24.64 Bil on The Rise of Corporate Global Power · Score: 1

    [Flame suit on]

    There's already a few posts mentioning that, sadly for their writers, MS isn't in there. Besides the obvious comment that you shouldn't try and see MS everywhere, I'll bite and enlighten you:

    MS had revenues last year of 24.64 Bil (U.S.) with income of 10.07 Bil (U.S.).

    That, revenue-wise, would place it 154th in this survey...

    Surprising, no? You'd figure they'd have incredible revenues... it's actually less than Dell, Intel, most of the car manufacturers, etc...

    This survey/study doesn't mention the market capital value of these companies. A spot where MS would probably rank close to first. But size or sales wise, there's worse than MS.

    Now back to some non-MS relevant posts...

  2. Re:From the interview on Ballmer Calls Linux "A Cancer" · Score: 1

    "So now they have code 99.999% funded by the taxpayer but the taxpayer cannot even use it without paying again for the ever so slightly changed player and for the encrypted music files and in higher prices to the OS maker who pays Microsteal to allow them to compile the code on their platform."

    But the original one is still in the public domain... Thus it remains your right to start from there and build whatever you feel is missing to make it a competing solution to this 'Microsteal' solution. And, if you feel like putting these changes of yours under the GPL, nobody can/will stop you...

    However, put your changes under the GPL and somebody else can make another fork of the original 99.999%, rebuild your functionalities or 'Microsteal''s functionalities and place these changes in the public domain (thus bypassing your GPLed code)...

    The claim Ballmer is making is that when government money is used to write GPLed code it makes it impossible for companies to build on it (and make money off of the modifications). Were the work in the public domain instead, companies could build on it and make money off of those modifications... Considering the state of WallStreet, it is yet unclear how many investors would agree to a company writing code that would have to be GPLed and from which it is unlikely money could be obtained from a sale.

    Thus, companies are likely to stay away from any existing codebase that has a GPLed part in it (even if it is the result of a publicly funded project; i.e. government money). This, in itself, prevents whatever innovation the company could have brought to this codebase unless the company is willing to start from scratch.

    Whether or not you believe MS innovates is irrelevant; the statement applies to any company trying to make a profit from selling its product (and not selling support for the product like Red Hat).

    Anyways, I seem to have left my original reply: In your scenario of a big consortium building on some publicly funded work and adding little functionality to it before repackaging everything, you seem to have forgotten that the 99.999% that is the original public domain code is still available and still in the public domain. The 'big' consortium can't take that away from you...

  3. Re:If you want to get really nostalgic: on Complete Transformers Generation One Set on ebay · Score: 1

    euh... A simple search on Google gave out the following link:

    http://128.83.50.167/~thecap/spam/eighties.htm

    Looks like a pretty complete answer to your question.

  4. Re:PKI and other issues, Interlock protocol on SSH v. SRP · Score: 3

    The algorithm you're suggesting is mostly a precursor of the current PKIs (I haven't read its reference paper, and don't really have the time to find it, but I wouldn't be surprised to find that it dates back ~RSA publication times).

    By definition, at its worst, a man-in-the-middle attack cannot be blocked/prevented: if A has never met B, there is no way for A to be convinced that she is really talking to B and not to C. If B is in the same situation (having never met A) and is also really speaking with C then although their communication may get from one to the other, it will always be possible for C to see all of it (since C can simply pretend to each of them to be the other player and then decrypt/reencrypt the message).

    For trust to be achieved perfectly you will always need an additional piece of information (or means of identification) in which you can trust... PKIs are one of the possible solutions. In the case of the Rivest-Shamir you're describing both parties must have common knowledge of the message's content prior to starting the algorithm otherwise a middleman could switch messages for its own. In essence the protocol becomes dependent on the message's nature and the fact that both players must know it... Two complete strangers could not use it.

    But then again, there can't exist a protocol for two complete strangers to identify themselves to one another...

  5. Re:Why the heck would you want a MacOS theme? on Apple Forces Aqua Themes Off themes.org · Score: 3

    I usually don't take the time to reply to posts on /., however yours is so blatantly inaccurate that I can't stop myself from replying:

    MacOS's interface largely uses that ugly 'Chicago' font (an insult to Chicago). I presume (or hope) that you can change this, but how many of MacOS's tech-savvy users (if there are any? ::grin::) are going to do this?

    - It's been changed to charcoal since MacOS 8.5 which came out more than a year ago...

    - As to whether or not it's a good thing that you be limited in your choice of font for the U.I., well isn't that a question of standardization? I mean, I know people that use large fonts of unknown origin on windows (fonts which I personally find very ugly). Sure, Windows will let them make that choice; however it won't properly resize the dialog boxes afterwards... Doesn't it make more sense to limit the user's choice to fonts for which you can guarantee uniformity of the U.I.?

    When a message box comes up with Yes and No buttons, you can't just press Y or N. You have to click.

    -Nope, you can most usually click Command-y and Command-n or Esc for cancel. It's been there for a while. Of course if the program makes its own dialog box, the OS can't really do much.

    You can't just enter to select a button on a message box which has the focus. Again, you have to click.

    -With almost no exception, all dialog boxes always have one button in evidence (represented by a different larger button contour). Pressing the Enter key is the equivalent of activating that button. This has been in the system at least since the Mac Plus era...

    You can't move between the buttons on a message box with the arrow keys. How un-intuitive.

    -I suppose that's more a design decision than anything else. Why would you want to move from button to button if you can activate them using the command-keys ? Redundancy, in my opinion, is mostly a very good way of losing beginner users...

    The menus don't have access keys. This is a really annoying feature. Again, you have to click. Admittedly some menu items do have shortcut keys, but you can't access all the items this way, as you can with access keys.

    -I'm not sure I see why this would be annoying. If the user is supposed to have and use a mouse, why would he need to be able to do everything by keyboard? Moreover, to do so you'd have to show which key activates which menu, isn't that more information to overload your user with? Finally, to assign a command to all menus and sub-menus always brings up problems; do you really feel that the keys associated with the menu activation or the sub-menu activation on windows are intuitive? In my opinion, the letters often (but not always) have no intuitive relation with the option I'm trying to activate.

    -As I look at my netscape, on Linux, I realize that these menus also don't offer keyboard activation (at least if it's feasible, it's not written on the screen). But I know that Alt-F will activate the Find option and Alt-N will bring up a new window. I'm not sure if I need much more from the keyboard but what I am sure about is that I can live with an OS that feels I'll know how to use a mouse to reach the other options/commands.

    -For what it's worth, Connectix has been offering what you're looking for (all menus, all sub-menus by keyboard) as an option since Speed Doubler 2. Used to work pretty well on my PB190 for those rare times when I didn't want to use the trackpad (which I just didn't like).

    Give me a Windows 95/98/2000/NT theme any day. I admit that macs are generally more user friendly (albeit at the expense of processing power) but some of the points of the interface are just so terrible!

    -Although I'm probably just being really picky, I don't believe that you can just make the claim that macs offer a more user friendly U.I at the expense of processing power; remember that Win98 is the OS that allows to have a web page as a background...

    As for whether or not the interface is so terrible; I hope, given all the unfounded statements you made and which I tried by the preceding to correct, that you'll change your mind or at least take the time to go back and try a mac before restating anything on an open forum...

  6. A lot of opinions with little facts on U.S. is "Just About OK for Y2K" · Score: 3

    The impression I most often get whenever I hear about the Y2K bugs that'll bring the end of the world is that whoever is talking has no idea what they're talking about (or, even worse, they have no idea what their sources are talking about).

    Still, as a CS grad, I have a pretty good idea how it must feel trying to convince someone, and oneself, that a complete (to be defined) system will behave exactly as it should in less than 2 months. I mean, if I spend hours debugging code I write because its behavior is erratic, I'm not sure I'd like to prove (to be defined) that someone else's code will not display a behavior I can't predict (this is probably an NP problem :-)) ...

    Generally, I think the world will keep on spinning and most people will encounter, over the next few months (if not years), a few instances of the problem (be it a VCR not working or a credit card refused). But in no way will humanity crash. Worst case, there'll be a few extreme cases with serious consequences (say a plane crashing or my town lacking electricity in the middle of winter for two weeks, which some will remember living through a few years back) on which all the media will be glued for 1~2 weeks before everybody agrees it was a sad and predictable thing; and then forgets about it.

    I strongly doubt that statistically speaking the Y2K will have a major impact on the number of deaths in 2000 or cost more to any government than recent natural disasters (be it flood, hurricanes, earthquakes).

    Remember that this year we've had a few hurricanes in North America and in Asia, major earthquakes in Turkey, Greece and Taiwan, incredible floods in South America and Asia, ... Good luck convincing me that the Y2K bug can cause more damage (financially, emotionally, etc. ) than any of these.

    However, no matter my rambling, we'll only know for sure in a few months (say a year or two at max for all major repercussions to show up).

    P.S. #1: This is of course only my opinion. There are probably some readers who actually made a living out of fixing such problems. I'd be very interested in reading their opinions.

    P.S. #2: Of course, I won't be able to live with myself if Slashdot doesn't load up at midnight... :-)

  7. Zero-Knowledge Proofs on Interrogate Crypto Luminary Bruce Schneier · Score: 2

    Zero-Knowledge proofs were discovered/invented over 15 years ago and are now usually covered in most studies of this science (Although I, unfortunately, haven't had time to go through your book).

    Considering that nowadays we implicitly trust ATMs or resellers not to tinker with credit card readers or not remember our PIN numbers, since this relatively new field offers incomparable advantages for identification protocols (such as the inability to replicate a session) that could be used in these situations and that the literature is, by now, relatively well developed (with work from Jacques Stern for example),

    a) Would you tend to agree that this would be an interesting addition to the privacy protection of customers ?

    b) Do you know of any real world implementation for the general customer ?

    c) What do you believe it would take for large banks and Credit Card companies to decide to implement these schemes ?

  8. Re:Apple announcement ? on Apple Re-Reverses G4 Order Cancellations · Score: 1

    In my defense:

    I must admit that I enjoy (if not love) it when people take me to my words: I believe you (or at least most people) would agree that my comment was made in a certain context; that Apple is reversing an already reversed decision concerning its shipping of pre-ordered product and even cancelling of orders for this product. This is, if true, major news : it would represent a flagrant example of really, really bad Apple PR, incredibly awful management and a general lack of respect towards the consumer. These are not light things. In this context, considering that ZDNet cites an unnamed source and that other Apple-related web sites have different stories, wouldn't it be a good idea to wait for an official statement from the company in question ? It's not like they can hope to sweep this under a rug or anything, they'll have to make this policy known officially really soon if they want it to be enforced.

    As for your accusations towards Microsoft; If ZDNet cited an unnamed internal Microsoft (to keep to your example) source as saying that the company had decided to cancel development of Windows 2000 (which I would be happy at hearing) or decided to force users to pay an incredible fee for said Windows 2000 simply because they have a monopoly and can, wouldn't you tend to argue that maybe ZDNet is pushing it a bit and maybe we should wait for the next business day (tomorrow) and hope to see some statement from the company ?

    My PERSONAL (yup, that's in uppercase) point of view is that the company should be considered innocent until proven guilty. ZDNet hasn't brought many facts to back its accusation.

    It is sad to see the lynching of Apple by /.ers under these conditions.

    P.S. : For what it's worth, if I ever learn, beyond any doubt, that this is true then I will be one of the first to bash on Apple. However, if this turns out to be false, then I do believe ZDNet should at least apologize (and said apology should show up on /., with yours :-) ) Web sites like MacOsRumors (whose quality has declined recently, in my opinion) at least take care to place big "rumors" disclaimers in their articles...

    In conclusion, never ignore the context in which a comment is made...

    P.S. #2: This venting feels good... :-)

  9. Apple announcement ? on Apple Re-Reverses G4 Order Cancellations · Score: 5

    Is it me or wouldn't it be a good thing to simply wait for a formal Apple announcement as to their decision?

    Moreover, if a message on ZDNet had been posted about anything of usual interest to /. most of the posts I've read in this post would not have been made. There's no reason to give more credibility to ZDNet because they're talking about Apple and citing an unnamed source than if they had been talking about the latest Kernel upgrade and quoting also an unnamed source.

    Anyways, www.macintouch.com seems to offer an interesting spin on the ZDNet story; one which makes more sense and one which satisfies my curiosity until the next press release from Apple.

  10. Asimov's second foundations on Web: 19 Clicks Wide · Score: 2

    heck, maybe this is out of line...

    Every time I see an article about a statistical study of something created by man, I get a flash back to Asimov's second foundation : how mathematics can generally describe man, events, history, ... Sure the second foundation was a lot more than that but the mathematical aspect was what I loved most about the concept.

    This study has some distant similarities to it. Statisticians studying the average distance between two randomly chosen internet sites. The catch is that the entire structure is created by man, there really isn't much randomness in it : Compared to the Bacon thing where you may have met someone, that knew someone, at one point or another walking down the street; having a link from your web page to another web page is a completely conscious action.

    Which brings me to the counter-argument that news sites such as slashdot or c|net have their content (and thus their links) influenced by random events of the outside world such as tornadoes or floods.

    Which now brings me to a conclusion before I go back home, how long will it be before someone attempts to make a measure of the amount of randomness in the web, that is the influence of events that cannot be predicted (to some extent or other, to be determined later) by man. Is the web something that could over time become completely predictable?

    I really should reread these Asimov books.

  11. Re:Why use pc's on Can the NSA brute force RC6? Probably. · Score: 1

    Because the efficiency of software running on one of these computers would still not equate that of a massively parallel computer of chips designed specifically to crack DES...

  12. Re:NSA - Mythical Organization on Can the NSA brute force RC6? Probably. · Score: 1

    I doubt any such stunt, if there have been any, would be publicly acknowledged by the NSA. After all, it is definitely in their own interest not to announce publicly their abilities...

    However, one must keep in mind that they are the biggest employer of mathematicians in the U.S. (probably the entire world...), that whatever research in the field of cryptography they make is only published internally but that they benefit (like anyone else) of all the research done in universities. Moreover, their budget is much larger than that of any other organisation. Finally, recent stories have hinted at agreements with similar organisations of other nations.

    Although they don't seem to publish many papers annually, we have to admit that they definitely have a lot on their side...

  13. Re:At last -- the window for mass encryption is op on The First Step to Cypherspace? · Score: 1

    The article :

    10 Gbits /sec
    8 bits / byte

    10 Gbytes => 8 secs.

  14. Re:Symmetric vs Asymmetric on The First Step to Cypherspace? · Score: 1

    "Two boxes, say a sender and a receiver, each have a pair of RSA keys (public & private). To send something, a client makes up a string of random garbage (say 1024 bits in length) and encrypts outgoing data with it (so, in effect this is the key). The receiver decrypts the incoming data using the same string. RSA encryption is used to exchange the actual keys. "

    I'm not sure what it is you're proposing exactly...

    Is the 1024 bit thingy used for a one-time pad, for a DES scheme (somehow using 1024 bits...) or also for RSA algorithm?

    Whichever you use, the basis of this approach is what is typically used in the industry. For example, the SSL3.0 protocol uses one of three key exchange algorithms, the first is Diffie-Hellman (the precursor of RSA in terms of public-key cryptography), the second is Fortezza (a technique developed by the NSA for crypto-cards whose formal description I could never find, probably because it's a national secret) and a third whose name/nature I forget, possibly an ElGamal scheme.

    Once the exchange has been done, both sides usually fall back on the best symmetric algorithm implemented on both sides, worst case is DES. I have the paper in one of the drawers next to me, somewhere, but I do believe RSA is an acceptable algorithm however the speed probably drops to an unacceptable level.

    Anyways, whichever scheme you use, the security ultimately falls back on the key-exchange algorithm and nobody, nobody, would want to have a client wait for a key exchange with a 1024 bit prime numbers... So although the 56 bit of DES make it the prime target, the key exchange is also a fair target for other algorithms.

    Hope this clarifies all of this a bit.

    P.S. No encryption is ever "virtually bullet-proof".

  15. Re:This could be a brute-force engine on The First Step to Cypherspace? · Score: 1

    As a second aside,

    last time I checked, the latest bunch of cryptanalysis attacks on 3DES brought its security down to a key space of about 80 bits (which is better than the original 56 of DES). 3DES was|is an original idea by the industry to spare it the works of reworking most of its infrastructure with the "death" of DES. 3DES has never been considered seriously by anyone on the theory side of cryptography.

    3DES is not the best solution presently available. If one is to redesign their chip to use this algorithm then they should do their homework and consider other potentially much more appropriate algorithms. Moreover, choosing an algorithm that has been well studied by the field would/should make more sense.

  16. Re:I see where this leads on The First Step to Cypherspace? · Score: 1

    "Sure DES can be broken, but if you are using Diffie-Hellman key exchange then your keys are cycled every 8 hours."

    euh ?

    You probably meant to add a bit more info : Diffie-Hellman is simply a key-exchange protocol. It's got no relation to any kind of timing notion.

    Anyways, no bashing needed, you probably meant something else.

  17. euh ? on Apple Sale Rumors · Score: 1

    I can understand that this, euh hmmm, "news" will generate a very interesting discussion among slashdot readers but, c'mon..., obviously nobody gives it any credence in the short term. So, if you didn't post it to bring back the usual {Mac GUI - OS X} vs {Linux and family} feud and possibly the Slashdot Overload mode, why did you post this lame attempt at a news article ?

    I am an avid fan of the mac platform, as well as of my Debian distribution. Yet I still don't understand what could motivate someone to see anything interesting in this article.

    P.S. : I got it, maybe ZD needed the money generated by all the ads it will get to load to all the slashdot readers...

  18. Wizard ? on Ask Slashdot: Another Word for "Hacker"? · Score: 1

    doesn't that sound a tad bit arrogant ?

    I mean, calling myself a part-time hacker is something that everybody could potentially understand. A part-time wizard seems a bit too similar to "god" or "All powerful"...

  19. Re:Problems with their last port on Loki selecting beta-testers again · Score: 1

    Ever tried Navigator 4.x > 4.5 recently? Mine crashed 1/5 times when loading slashdot. I'm not sure if the windows version is better but I am certain that 20% failure rate isn't good.

  20. Re:Why cracking contests prove little on Ask Slashdot: Securing Web Servers Against Cracking · Score: 1

    Although I can agree with the argument that 10,000$ can be a little incentive for real professionals, I must disagree with the analogy to cryptoanalysis contests. These contests are usually used to attempt to demonstrate the robustness of new algorithms, algorithms that have yet to be fully accepted by the cryptography community. In reality, they mostly only serve to convince the general public of the supposed difficulty in breaking such algorithm. Most attempts, such as those of distributed.com, simplify the problem as much as possible to limit the set of possible keys before attempting to go through this entire set and finding this key. There really isn't anything very brilliant about trying every possible key... even if you've reduced the problem previously... and from a cryptographic point of view, the only thing it shows is that you have access to a large amount of computing power, not that you weakened the algorithm. More subtle contests that really require cryptoanalysis are usually not attempted by the general public.

    Anyways, in all of these contests the basis is that the security of the algorithm has not been demonstrated and that a contest would "prove" it. However, contests such as the one done with the AppleshareIP, by a neutral organisation with no sponsorship from Apple (if I remember well), only aim to prove that the implementation of the different web protocols was done properly. Now if you can crack a system that properly implements all the RFCs then you do deserve to win since you've found a weak spot in what was considered by all secure and have shown that other computers will probably also be affected by the same problem (that or they aren't implementing the RFCs properly).

    After all this, I still admit however that the real professionals may not be interested in cracking your system and that the contest only showed that a certain group of "crackers" couldn't do the job.

  21. example : AppleShare IP on Ask Slashdot: Securing Web Servers Against Cracking · Score: 3

    They had a contest a few years back about trying to hack into a MacOS appleshareIP web server. The contest offered 10.000$ cash to whomever could crack the system, prove it and explain the process. Anything affecting only that one machine was allowed. Downing the server was not considered a crack, content had to change. There was no winner to the first run of the contest. However, and this led to a crack on the second contest, the server was only running the web server. Nothing more. I'm not even sure CGIs were allowed... The admins would update the server through a local appletalk network. Although in the end, if I remember properly, in the second contest, about one year after the initial one, someone cracked one of the new plugins added for additional functionalities; the real http server was never cracked. I'm not trying to argue that appleshareIP is a better product, nor even a good product, this was back at the beginning of ASIP 5. The product has evolved since then and its security features may have fallen a bit. However this does show that if there's no point of entry, except the strict minimum, on your server, then there is nothing to hack... But if you're trying to run all the latest web gizmos then you shouldn't be looking at security, just good backups. Hope this helps.