And it makes for horrible public interactions.
Here is a collection of real world implementations of collision attacks in which two legitimate executable binaries were created to have the same MD5 hash and size.
Here is the PostScript collision attack that Omnifarious was referring to. Both files are the same length and have the same MD5 hash. Furthermore, PostScript is a Turing-complete programming language, with as picky a syntax as C.
All the collision attacks I have seen used fixed length blocks in both files which are modified. Inserting a fixed length comment block into a piece of code is not hard.
Preimage attacks (where you only modify one file not both) are harder, and to date, not even MD5 has any known practical preimage attacks. But if it did, it would be trivial to implement it by tweaking a block comment in a source code file, or a data segment in a binary file. There is no challenge there whatsoever.
It took me less than a minute to find those on Google. I don't expect people to know everything, but if you are going to run around insulting people and being an asshole, you better know what the fuck you are talking about.
Needing to match the length of the original object doesn't make the problem that much harder (unless the desired code is already close in length to the original code). In fact many collision attacks are designed for fixed size inputs, because it makes things easier.
Requiring valid formatting of the file is not a hard problem compared to the much more fundamental problem of finding a practical preimage attack in general. If SHA-1 were broken (it isn't yet), then it would certainly be plausible to attack git in the manner that the AC described.
That isn't an issue at all. Most collision generating attacks append filler data to the end of the desired file to get the desired hash. For source code you just insert the filler data in a comment at the end of the file. It is a trivial modification to the existing algorithms.
How the heck is rinnestam's mirror of the image any less legitimate than NYUD's mirror?
I have seen this all the time with open source software with public bug databases:
* User files bug with vague description and no steps to reproduce.
* Project manager lumps a bunch of vague bugs together as "duplicates".
* Programmer fixes bugs that sound similar to the vague descriptions and marks as fixed.
Then all holy hell breaks loose on the forums as people bitch about you closing their bugs when the problem still exists, and post on Slashdot about "bugs" that have been open for 5 years but no one will fix. In reality the "bug" has morphed into an ever changing thing that means something different to each person involved and which is thus impossible to ever truly "fix".
Bugzilla in particular is horrible to use as an outward facing webapp (I don't even like using it internally).
Some people might perform a ritual for my relatives that makes them feel better and doesn't hurt anyone? That must be stopped! Seriously, how is that any different from Christian relatives praying that I will return to the church, or the Navajo folks performing a traditional blessing to protect our school group from harm when we went out of town? It is harmless.
Explain to me how exactly LTE and WiMax don't count as technological improvements over UMTS and EVDO? They are both a switch over to a pure IP-based network rather than tunneling it through GPRS. They both offer better speeds than 3G technologies. And they are a much bigger step forward than the switch from LTE to LTE Advanced or WiMax to WiMax 2 will be. This move by the ITU just recognizes reality and chooses to draw the line between 3G and 4G to match where the fundamental tech changes are actually occurring rather than just when the speed increases past an arbitrary limit.
For proprietary software, rulings have always come down to what the implementation allows you to do and whether there are substantial non-infringing uses. So software that only lets you view the video stream, and not make copies, is considered legal. Software that does allow you to copy video (even if primarily for backup purposes) has been found to be illegal.
Open source software is tricky because the license allows the user to do whatever they want with it. You could modify the software with less than 10 lines of code to allow recording of the stream. You definitely could not implement the DRM as a reusable library, as that would have too many infringing uses. Whether you could get away with a monolithic application is an unresolved question.
Finally, another big issue when it comes to DRM is patents. This is how DRM on mainstream media formats is primarily enforced. The format is patented and they will not license it to anyone who does not implement the DRM as they demand. They sue people who make unlicensed implementations. Furthermore, this licensing is per copy and non-transferable, making it untenable for an open source program. I assume Microsoft has also taken out patents on the DRM for Silverlight, and since they have not licensed them to Novell to use in Moonlight I doubt they would license them to any open source implementation.
The Netflix streams all have proprietary DRM protection. To write our own client we would have to reverse engineer this proprietary protocol (which is legal, but can be difficult), and then, worse, we would have to hack the authorized players to get the DRM keys out of them. This implementation would constitute a circumvention device, and using or distributing it would be illegal under the DMCA.
Asking open source customers to break the law to use your service isn't exactly friendly to open source.
Yeah, for the most part this will apply to distributors, not individuals, but there are some sticky areas where it could affect individuals.
Say your grandpa bought a watch while on vacation, and then he dies and it is sold at an estate sale. According to the Ninth Circuit this is illegal. Of course the chances of the law being enforced at a garage sale are rare. However, suppose that it was a controversial collector's item which was put up for auction at Christie's, but which the copyright holder would like to see buried. If you are blocked from selling it in that case, are you also blocked from inheriting it?
Or what if it was for sale on eBay? This was another issue that was brought up earlier in the trial; however, since then the courts have ruled that eBay isn't even responsible for counterfeit products sold on the site, so it probably wouldn't be responsible for tracking unauthorized redistribution either.
The main thing I don't like is that it is applying copyright law to things like watches. I can understand having laws about importing and redistributing products. But saying this is a copyright issue is really stretching it and could be a stepping stone to even more inappropriate applications of copyright law. Another amusing aspect about using copyright to come to this decision is that fashion/clothes are not covered by copyright, so resale of a bracelet wouldn't be restricted by this ruling but a watch is.
So what I'm asking is whether or not Wal-Mart signs agreements with Vietnamese companies that say they can bring them into the United States and did CostCo, like, drop the ball on that one?
Yes, normally authorized distributors do have a contract with the company who they are importing from that authorizes them to import those goods into another country. Retailers will either buy from an authorized distributor, or will buy directly from the company, again with a contract allowing them to resell in the US. CostCo bought them from an unauthorized distributor.
Are you telling me that CostCo was making money by purchasing Omega watches at MSRP in Switzerland and then reselling them below MSRP in the United States? I'm not an economist but something sounds really strange in that case.
That is close to what happened, but they didn't buy them at MSRP in Switzerland; they bought them at wholesale prices in poorer countries, where they were being sold for less money. It is extremely common for companies to sell products for different prices in different countries, and it is one of the main reasons that we have crap like country codes on DVDs and video consoles. By doing this CostCo was undercutting all the US retailers that were buying Omega watches through authorized channels, which would naturally piss them off.
So... a retailer purchasing a product from a (foreign) distributor/manufacturer is treated differently from an individual buying from a retailer?
Yeah, but the difference isn't just between retailers and individuals, it is between authorized distributors and everyone else.
And here is the original 9th circuit ruling which does have precedent in that circuit, and will likely be referenced in other circuits.
The summary as written is misleading. The distinction made by the Ninth Circuit depends both on where an item was made as well as where it was sold. If you legally purchase a foreign made product in the US (i.e. from an authorized reseller like Walmart), then the right of first sale still applies. However, you can't buy foreign products in a foreign country and then resell them in the US without permission.
I still think it's a bad decision but the summary makes it out to be even worse.
In this case it is obvious that the beans are out of the can and it is too late to do anything about it, however that isn't always true. There are many times where information is leaked, but there is uncertainty about the reliability of the source. In those situations it makes sense to continue to treat the information as classified, and not to comment on it. Given that, someone has to make a decision as to whether there is value in keeping the information classified, or to admit any further attempts to contain it are futile. If you left that decision up to the personal judgment of each individual person who has a clearance, then you would almost always be able to find someone who would blab about it without thinking about (or even knowing) the full implications of what they are saying. It has to be done by the classifying authority who has the full picture, and can judge the impact of the decision.
Furthermore, with a leak this large, it will take a while to process. Until that decision is made, people with a security clearance have to continue treating it as classified. Does it look stupid in this case? Yes. Any set of processes and rules you can make will have exceptions where they just don't make sense (I imagine Gödel would have something to say about this). It is a balancing act between complicating the rules to cover all the exceptions (and thus making them harder to understand), having simplistic rules that err on the side of caution (where people will have to break them to get any work done), and simplifying the other way and not satisfying your security goals.
For Linux users only 2 of the 5 games were available before the bundle. It's good timing for me as I have been too busy with work/school to play games, and thus haven't tried any of them, but will over the break.
I have good news for you. I don't see anywhere in AT&T's Terms of Service or Acceptable Use Policy where they forbid running a server from your home. While they aren't as explicit as Qwest in stating that you have the right to run servers, they come pretty close:
The dynamic IP address is a single Internet address intended for use with a single Member Account and any associated Sub Accounts. The static IP address or multiple static IP address is intended for use with a single computer or a network of computer/servers. You may not use the Service in a manner that is inconsistent with these intended uses.
Furthermore, AT&T will configure reverse DNS for your residential home service (with a static IP), although they may require you to transfer your forward DNS to them to avoid confusion with a split record. They wouldn't do this if they forbade running servers.
I live in New Mexico, and I know what you mean about not having many options. The town where I grew up didn't have broadband until around 2002, and I think Comcast is still the only option. The town where I went to college, the only options were dial up or a wireless WAN where you pointed a directional dish toward the tower and lost connection when the wind picked up :) Most places here have both cable and DSL now though. Comcast and Time Warner are both pretty hostile to home servers, insisting you upgrade to their business package, but most DSL providers will work with you.
Doh, I was thinking backwards there for a bit :) Thanks for correcting me.
I run a mail server from my home. My ISP, Qwest, explicitly allows you to run servers from a home account:
Service may be used to host a server, personal or commercial, as long as server is used pursuant to the terms and conditions of this Agreement applicable to Service and not for any malicious purposes.
Furthermore, while they may filter port 25, they will open it at your request. Finally, you are right that you need to have reverse DNS configured correctly to avoid being filtered. Qwest will do this for anyone who pays for a static IP, which you need anyway if you are running a home server, and which only costs $5 a month. It took me 5 minutes on the phone to get all this set up with them (after spending half a day learning that it was needed).
Finally, as far as reliability goes, the various Dynamic DNS services also offer inexpensive SMTP store and forward, so you can list them as a backup mailhost in case your home service is down. I use changeip, but have also heard good things about DynDNS.
Running your own servers from home is a good learning experience and does improve your privacy. I hate to see DIY jobs discouraged on Slashdot of all places.
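The two checks the comments above say a home mail host needs (reverse DNS that confirms forward, and a backup MX for when the home link is down) can be verified before the first message is sent. This is an added example, not code from the commenter or from Qwest or AT&T; the domain, host names and the 192.0.2.0/24 addresses are constructed placeholders, and the DNS answers are embedded tables so it runs offline.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed DNS answers standing in for real lookups (assumed data, not a real zone).
PTR_RECORDS: Dict[str, str] = {
    "192.0.2.10": "mail.example.com",    # PTR repointed by the ISP to the mail host name
    "192.0.2.11": "dyn-11.isp.example",  # generic ISP PTR that was never changed
}
A_RECORDS: Dict[str, List[str]] = {
    "mail.example.com": ["192.0.2.10"],
    "dyn-11.isp.example": ["192.0.2.11"],
}
# (preference, host): the home box is preferred, a dynamic-DNS store-and-forward host backs it up.
MX_RECORDS: Dict[str, List[Tuple[int, str]]] = {
    "example.com": [(10, "mail.example.com"), (20, "backup-mx.dyndns.example")],
    "nobackup.example": [(10, "mail.example.com")],
}


def forward_confirmed_rdns(ip: str, ptr=PTR_RECORDS, a=A_RECORDS) -> Tuple[bool, str]:
    """FCrDNS: ip -> PTR name -> A record set must contain the original ip."""
    ipaddress.ip_address(ip)  # reject garbage before it reaches a resolver
    name = ptr.get(ip)
    if name is None:
        return False, f"no PTR record for {ip}"
    if ip not in a.get(name, []):
        return False, f"PTR {name} does not resolve back to {ip}"
    return True, f"{ip} <-> {name} confirmed"


def check_home_mx(domain: str, host: str, ip: str,
                  ptr=PTR_RECORDS, a=A_RECORDS, mx=MX_RECORDS) -> List[str]:
    """Return the list of problems with a home mail host; an empty list means it matches
    the setup described above (correct rDNS, preferred MX, backup MX present)."""
    problems: List[str] = []
    ok, why = forward_confirmed_rdns(ip, ptr, a)
    if not ok:
        problems.append(f"reverse DNS: {why}")
    # A generic ISP PTR can pass FCrDNS yet still differ from the name the server announces.
    if ptr.get(ip) is not None and ptr.get(ip) != host:
        problems.append(f"split record: PTR name {ptr[ip]} differs from mail host {host}")
    records = sorted(mx.get(domain, []))  # lowest preference value is tried first
    if not records:
        problems.append(f"no MX records for {domain}")
        return problems
    if records[0][1] != host:
        problems.append(f"{host} is not the preferred MX for {domain}")
    if len(records) < 2:
        problems.append("no backup MX (store-and-forward host) listed")
    return problems


if __name__ == "__main__":
    for args in [("example.com", "mail.example.com", "192.0.2.10"),
                 ("example.com", "mail.example.com", "192.0.2.11"),
                 ("nobackup.example", "mail.example.com", "192.0.2.10")]:
        print(args, check_home_mx(*args) or "OK")
```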
I can think of a couple of reasons:
* Because he frames his speech in a manner similar to other extremist activist groups (like PETA and Greenpeace), and people have been habituated to writing off those who talk like that as wackos, because they usually are.
* There is a strong desire to ignore the naysayers when doing so is convenient, but listening to them is not: Java was a nice programming language, Facebook and Tivo are useful tools. Boycotting those things in favor of more free alternatives is a pain.
Which of these scenarios is more likely? Customers:
1) Recognize that this is a problem with Comcast not Netflix
2) Have another option for broadband connectivity
3) And choose to switch solely over this issue.
or
1) The customers blame Netflix for the problem
2) Netflix realizes that L3-the-CDN isn't providing the level of service they wanted.
3) Netflix switches to any number of high quality CDNs that do have peering agreements with Comcast.
Comcast has the stronger negotiating position here, which is why L3 gave in.
Comcast claims that a good network maintains a 1:1 ratio with them, but that's simply not possible unless you had Comcast and another broadband access network talking to each other. In the attached graphs you can see the ratio is more along the lines of 5:1, which Comcast was complaining about with Level (3). The reality is that the ratio argument is bogus.
Comcast claims that free peering arrangements should have close to a 1:1 ratio. And if you don't maintain that ratio, then you should pay for transit, just like Comcast is doing with TATA. So this is entirely consistent with what Comcast is saying and if anything supports their argument, not undercut it like Backdoor Santa is claiming. His argument about saturating transit to force others to peer with Comcast is valid though.
I personally think it is garbage to apply Tier-1 peering standards to (what should be) a CDN-ISP peering arrangement as they are completely different situations with different economics. It would save Comcast money and improve their customer experience if they were to enter into a free peering relationship with L3-the-CDN, because without the peering agreement Comcast-the-ISP would have to pay someone transit to access this data.
But to play devil's advocate, here is the issue from another perspective. Comcast actually has its own Tier 1 network now, in addition to the last-mile network that we normally associate them with. This includes many business customers who are content providers, not consumers. Comcast is using this CDN issue to force L3-the-Tier 1 to start treating them like a Tier 1. L3 wants a traditional CDN-ISP peering agreement where they route their CDN data over their backbone network and connect with Comcast at the closest possible location to the customer, with only data intended for those customers. Comcast wants a Tier 1 peering agreement where their networks connect at a smaller number of points, and more data would be routed over their Tier 1 network, and then they balance the ratio by sending more traffic L3's way for free. Think about it; if Comcast was paying any other Tier 1 for transit, then L3-the-Tier 1 would have no issue peering with them. So if Comcast builds out their own Tier 1, why shouldn't L3 treat them the same?
L3 is trying to use its backbone capability as an advantage to support its CDN, and Comcast is trying to leverage its position as a huge ISP to push its Tier 1 network. In the end, because there is a lot of competition between CDNs and not so much between ISPs, Comcast has the upper hand.
Judges aren't supposed to rule on their personal opinion of logic and fairness. They are supposed to rule according to the law. We have two laws, the constitution and the healthcare bill, which many intelligent legal experts consider to be in conflict, in which case the constitution overrides. Others disagree, but we won't have a final answer until this goes to the Supreme Court. The faster that happens the better, as it will remove any doubt, and let us either move forward implementing the bill, or craft a new one that is on firm legal foundations.
But it is illegal to sell insurance across state lines! How can the government possibly say that this has an effect on interstate commerce when they themselves have banned interstate trade in the product?
Yeah, certainly nothing to celebrate over. But is this common? I would have expected a company founded for the sole purpose of licensing and litigating patents to know more about what is needed for a successful patent lawsuit.
Here is a collection of real world implementations of collision attacks in which two legitimate executable binaries were created to have the same MD5 hash and size.
Here is the PostScript collision attack that Omnifarious was referring to. Both files are the same length and have the same MD5 hash. Furthermore, PostScript is a Turing-complete programming language, with as picky a syntax as C.
All the collision attacks I have seen used fixed length blocks in both files which are modified. Inserting a fixed length comment block into a piece of code is not hard.
Preimage attacks (where you only modify one file not both) are harder, and to date, not even MD5 has any known practical preimage attacks. But if it did, it would be trivial to implement it by tweaking a block comment in a source code file, or a data segment in a binary file. There is no challenge there whatsoever.
It took me less than a minute to find those on Google. I don't expect people to know everything, but if you are going to run around insulting people and being an asshole, you better know what the fuck you are talking about.
Needing to match the length of the original object doesn't make the problem that much harder (unless the desired code is already close in length to the original code). In fact many collision attacks are designed for fixed size inputs, because it makes things easier.
Requiring valid formatting of the file is not a hard problem compared to the much more fundamental problem of finding a practical preimage attack in general. If SHA-1 were broken (it isn't yet), then it would certainly be plausible to attack git in the manner that the AC described.
That isn't an issue at all. Most collision generating attacks append filler data to the end of the desired file to get the desired hash. For source code you just insert the filler data in a comment at the end of the file. It is a trivial modification to the existing algorithms.
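An added illustration of the points made in these comments (not code from any poster): two constructed Python files with different behaviour get a fixed-width trailing comment as filler, and a birthday search on a 24-bit truncation of MD5 finds a pair with equal length, equal (truncated) hash and valid syntax in a few thousand tries. The truncation is the only concession; it shows why "same length" and "must still parse" are no defence once the hash itself is weak, and why the full-width digest still tells the files apart.

```python
import ast
import hashlib

# Toy hash: the first 3 bytes (24 bits) of MD5. Truncating is only so the
# birthday search finishes instantly (about 2**12 tries instead of 2**64 for
# full MD5); the structure of the argument is the same at any width.
TRUNC_BYTES = 3

# Two constructed, equal-length Python files with different behaviour.
GOOD_SRC = b"def check(user):\n    return user.is_admin\n"
BAD_SRC = b"def check(user):\n    return len(user) > 0\n"


def toy_hash(data: bytes) -> bytes:
    return hashlib.md5(data).digest()[:TRUNC_BYTES]


def with_filler(source: bytes, counter: int, width: int = 16) -> bytes:
    """Append a fixed-width trailing comment that carries the filler.
    The code above the comment is untouched, so the file stays valid."""
    return source + b"# " + f"{counter:0{width}x}".encode() + b"\n"


def find_collision(src_a: bytes, src_b: bytes, limit: int = 1 << 20):
    """Birthday-style search: vary the filler in both files until the toy
    hashes agree. Returns (file_a, file_b, tries) or None if limit is hit."""
    seen = {}  # toy hash -> filled variant of src_a
    for i in range(limit):
        fa = with_filler(src_a, i)
        seen[toy_hash(fa)] = fa
        fb = with_filler(src_b, i)
        hit = seen.get(toy_hash(fb))
        if hit is not None:
            return hit, fb, i + 1
    return None


def is_valid_python(source: bytes) -> bool:
    try:
        ast.parse(source)
        return True
    except SyntaxError:
        return False


if __name__ == "__main__":
    a, b, tries = find_collision(GOOD_SRC, BAD_SRC)
    print(f"truncated collision after {tries} tries: {toy_hash(a).hex()}")
    print("same length:", len(a) == len(b), "both parse:", is_valid_python(a) and is_valid_python(b))
    print("full MD5 still differs:", hashlib.md5(a).digest() != hashlib.md5(b).digest())
```

A preimage against the same toy hash (hitting one fixed target rather than any pair) would need on the order of 2**24 tries, which is the collision-versus-preimage gap the comments above describe.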