It wasn't RSA. They trusted the NSA, with good reason. The NSA had earned the trust of just about everybody in the community by improving DES with changes nobody understood until fifteen years later.
Then someone figured out that the way this new RNG is set up, the constants the NSA chose *could be* the public half of an asymmetric key, and if so the RNG's state could be read with very little effort by anyone in possession of the private half. There is no mathematical way at all to tell whether this is the case, but apparently something in the Snowden documents at least strongly suggests the NSA did know about it and did use it.
It's important to highlight that this isn't the kind of weakness anyone _else_ can take advantage of; a blackhat would still have to discover their private key, the exact same problem he was facing before. The NSA are apparently not dumb enough to rely on keeping math a secret.
But it seems every successful security service forgets the basic lesson: set up a system with unchecked power, the scum of the earth will eventually take notice. From that moment they'll dedicate their lives to getting control of it. They'll eventually succeed.. Snowden took advantage of criminally slack security in the NSA. Just the the fact that he could reveal the documents he revealed is proof the NSA have already gotten arrogant and sloppy, never mind what's in them.
Because we as a species are still developing our technical chops. What's the alternative, the war machine? Go ahead, show the world anything that produced the human race can be proud of, then go get yourself to high altitude or deep desert or far enough offshore and look at the night sky. We've got a toehold in _that_.
Please don't make the ridiculous assumption that there was EVER some uniform spoken language that people were supposed to understand.
ALL people are unique and interpret language according to their own experiences and their own characteristics. There was never a situation where two people shared a common language. so please don't propagate this myth that writers are supposed to target a common standard. There will never be a common standard since all readers will be different.
Authors should always target your work for individual audiences, since every browser is different, and will be forever.
Pro-tip: It is fine to ignore 80% of the browser audience if that means 20% are going to have an increased loyalty to your product because you did something extra for them. The worst thing is for 100% of the audience to find your words merely ok.
If you want to know why they shouldn't present honest results, it looks like you;'re going to have to ask them, because it seems they didn't. Until they explain why, the usual reason people put their thumb on the scale is that they know they can't win honestly.
There are decades of case law on fair use. In a field where clearly satisfying even two criteria has been enough to establish fair use, OP's suggested use nails every criterion. it's a work only valuable as part of an ongoing enterprise, not being put to anything remotely similar to that use, depriving no one of any legal valuable interest, using only enough of it to establish actual authorship, in private, to someone with no interest at all in the work itself, who furthermore does not retain a copy. I doubt it's possible to even imagine stronger case.
The notion that copyright is some sort of "property" was only recently insinuated into the public consciousness, when the rent-seekers finally managed to snooker a body new enough and naive enough not to reject it as centuries of actual governments have done, viz. the United Nations. That success has been leveraged shamelessly.
Microsoft has a very long history of doing exactly that, when given the chance. Why do you think this time it'd be different? Be specific.
They're not even remotely alone in this. How best (most ethically, least damaging pick any reasonable metric) to proceed in the face of wagon-circling, timewasting defensiveness has been hotly debated in whitehat circles for many years now. Ormandy's behaving as if his considered conclusion is that they will stall and deny and ignore again, leaving this vulnerability unpatched for the entire duration.
Asymmetric keys are merely *better* obscurity than most other means
Secrets that cost substantially less to discover than the value of whatever they're protecting are merely "obscured". That's the difference between a quantitative difference and a qualitative one, when different words apply. An atmospheric vortex that's too weak to damage anything of value is a dust devil. A vortex strong enough to rip houses apart is a tornado. See? A large enough quantitative difference becomes qualitative. "Large enough" generally involves orders of magnitude. Just hoping nobody deciphers your corporate login's minified.js or throws a fuzzer at your kernel isn't going to cut it.
"Shoot the messenger" actually works when the messenger and the miscreant are the same, or the miscreant cares and know you'll shoot. They're a team -- and if they're supposed to be on your team, then you've got a right to be angry. But when a white hat tells you about a breach, he's the messenger, but the messenger is not the miscreant. Him telling you rather than selling it to the highest bidder actually does put him on your team... unless what you're trying to protect isn't what the actual system is ostensibly there to protect, but is instead your image.
The atrocities that took place in the last few hundred years were almost all non-sectarian. Blaming religion for human evil is raw scapegoating, no different in kind than blaming videogames or blacks or gays or rock and roll or women. ~Oh, the bad things in the world come from people NOT LIKE ME~. Here's a tip for you: the bad things in the world almost all come from people who think exactly like that.
To convict him of this crime, the government has to satisfy a jury beyond reasonable doubt that (roughly) he has it, he knows he has it, he went and got it, and (unless it's been ruled a "strict liability" crime, I dunno) that he knows it's wrong. He is not obligated to tell them that any part of this is true. Suppose the files, instead of being encrypted on his hard drive, were just sealed in his safe deposit box. The government could compel production because they don't have to prove he can get them. Suppose it were someone else's safe deposit box? Then they'd have to prove he has access to it. That's what they have to prove here: he has access. He's not obligated to tell them he does.
An efficient method for me to make a profit off you is to put a gun to your head and demand your money. I risk nothing but a two-dollar bullet I won't have to use, and I get whatever I want. That's efficient. It's also widely regarded as criminal, and legally regarded as felony. Standard Oil's business practices were certainly efficient. They were also widely regarded as criminal, and legally regarded as felony.
#1 I miss too. #2 is `open() { xdg-open "$@"; }`. #3 is `xclip`.
Also I miss rewrapping output (that maybe more than the dnd, having to reissue a command because of truncated output is just a waste of my time) and the kerning.
erk. yes, going on just what I wrote I'd have to agree with you; in my defense I have to point out that I was writing in the context of this border stop and the documented consultation with people tracking travel patterns and such.
Are you seriously arguing that it's unreasonable to suspect someone with seven convictions for various flavors of child molestation of involvement with child porn?
Volokh's great, but techdirt embedded the full summary and opinion, which volokh merely excerpted (and imho they missed the best part, where the 9th bypassed both parties' arguments and re-addressed the limits on reasonable suspicion of their own accord.
The TECS hit indicated that
Cotterman was a sex offender--he had a 1992 conviction for
two counts of use of a minor in sexual conduct, two counts of
lewd and lascivious conduct upon a child, and three counts of
child molestation
Almost every word or symbol in any language ever has multiple related context dependent meanings, physics and math not (and far from it) excluded.
You're arguing that there's something special about these particular symbols, that they must never ever have any context-specific meaning.
Yet 4Kmol K at 4K is almost instantly comprehensible: it's a small truckload of of either ridiculously cold or ridiculously cheap potassium. And you're insisting we mustn't use binary K to count binary bytes but must instead use decimal K to count binary bytes because context haaard.
We use base 10 when counting most things, base 60 for seconds, and base 2 for bytes.
Are SI devotees struggling with some urge to force base 10 on us when counting seconds? We don't have pedants running around telling people to wait 0.6cs. With seconds they could argue seconds are an SI unit and 60's arbitrary — but bytes aren't, and 2 isn't.
When the exact count matters, it's binary. Base-10 quantifiers in this field are no better than sloppy approximations we tolerate to avoid forcing marketers to admit to themselves what they are.
"Google reads your personal emails" relies on equivocation to leave the uncritical believing falsehoods. "Uncritical" has multilpe meanings, but only one of them produces a sensible meaning here: uncritical as in not employing critical thought. It takes no conscious effort to discard the other meanings as senseless, therefore unintended, so not worth considering.
Both "Google" and "reads" have multiple meanings, but more than one combination of those meanings produces a sensible meaning.
Very, very few people in this world have any real idea what "reads" means when discussing computer programs. People who have no understanding of computers understand "read" only in the human sense, and so "Google" in "Google reads" will be understood only to refer to people in cubicles doing the reading: for them, that's the only sensible construction.
To whatever extent Microsoft's usage is true, 99+% of the world won't understand it; and whatever understanding that part of the world will construct from it is false -- and even those who do understand it correctly will have some little difficulty rejecting the emotional response associated with the statement while considering and rejecting its false meaning.
People who have been paying attention will be neither surprised nor delighted to that this came from a Microsoft mouth.
Slashdot Mirror
It wasn't RSA. They trusted the NSA, with good reason. The NSA had earned the trust of just about everybody in the community by improving DES with changes nobody understood until fifteen years later.
Then someone figured out that the way this new RNG is set up, the constants the NSA chose *could be* the public half of an asymmetric key, and if so the RNG's state could be read with very little effort by anyone in possession of the private half. There is no mathematical way at all to tell whether this is the case, but apparently something in the Snowden documents at least strongly suggests the NSA did know about it and did use it.
It's important to highlight that this isn't the kind of weakness anyone _else_ can take advantage of; a blackhat would still have to discover their private key, the exact same problem he was facing before. The NSA are apparently not dumb enough to rely on keeping math a secret.
But it seems every successful security service forgets the basic lesson: set up a system with unchecked power, the scum of the earth will eventually take notice. From that moment they'll dedicate their lives to getting control of it. They'll eventually succeed.. Snowden took advantage of criminally slack security in the NSA. Just the the fact that he could reveal the documents he revealed is proof the NSA have already gotten arrogant and sloppy, never mind what's in them.
Because we as a species are still developing our technical chops. What's the alternative, the war machine? Go ahead, show the world anything that produced the human race can be proud of, then go get yourself to high altitude or deep desert or far enough offshore and look at the night sky. We've got a toehold in _that_.
Mueller? Really? That's not even laughable.
Microsoft's previous attempts at selling tablets with those millions of legacy apps all failed.
Please don't make the ridiculous assumption that there was EVER some uniform spoken language that people were supposed to understand.
ALL people are unique and interpret language according to their own experiences and their own characteristics. There was never a situation where two people shared a common language. so please don't propagate this myth that writers are supposed to target a common standard. There will never be a common standard since all readers will be different.
Authors should always target your work for individual audiences, since every browser is different, and will be forever.
Pro-tip: It is fine to ignore 80% of the browser audience if that means 20% are going to have an increased loyalty to your product because you did something extra for them. The worst thing is for 100% of the audience to find your words merely ok.
If you want to know why they shouldn't present honest results, it looks like you;'re going to have to ask them, because it seems they didn't. Until they explain why, the usual reason people put their thumb on the scale is that they know they can't win honestly.
What exactly is "stupid" about Russian Roulette aside from potential trephination?
There are decades of case law on fair use. In a field where clearly satisfying even two criteria has been enough to establish fair use, OP's suggested use nails every criterion. it's a work only valuable as part of an ongoing enterprise, not being put to anything remotely similar to that use, depriving no one of any legal valuable interest, using only enough of it to establish actual authorship, in private, to someone with no interest at all in the work itself, who furthermore does not retain a copy. I doubt it's possible to even imagine stronger case.
The notion that copyright is some sort of "property" was only recently insinuated into the public consciousness, when the rent-seekers finally managed to snooker a body new enough and naive enough not to reject it as centuries of actual governments have done, viz. the United Nations. That success has been leveraged shamelessly.
Sure - but MS isn't doing that
Microsoft has a very long history of doing exactly that, when given the chance. Why do you think this time it'd be different? Be specific.
They're not even remotely alone in this. How best (most ethically, least damaging pick any reasonable metric) to proceed in the face of wagon-circling, timewasting defensiveness has been hotly debated in whitehat circles for many years now. Ormandy's behaving as if his considered conclusion is that they will stall and deny and ignore again, leaving this vulnerability unpatched for the entire duration.
Asymmetric keys are merely *better* obscurity than most other means
Secrets that cost substantially less to discover than the value of whatever they're protecting are merely "obscured". That's the difference between a quantitative difference and a qualitative one, when different words apply. An atmospheric vortex that's too weak to damage anything of value is a dust devil. A vortex strong enough to rip houses apart is a tornado. See? A large enough quantitative difference becomes qualitative. "Large enough" generally involves orders of magnitude. Just hoping nobody deciphers your corporate login's minified .js or throws a fuzzer at your kernel isn't going to cut it.
"Shoot the messenger" actually works when the messenger and the miscreant are the same, or the miscreant cares and know you'll shoot. They're a team -- and if they're supposed to be on your team, then you've got a right to be angry. But when a white hat tells you about a breach, he's the messenger, but the messenger is not the miscreant. Him telling you rather than selling it to the highest bidder actually does put him on your team ... unless what you're trying to protect isn't what the actual system is ostensibly there to protect, but is instead your image.
Some genetic algorithms adapted to escape local minima display an extremely close analog of "boredom".
The atrocities that took place in the last few hundred years were almost all non-sectarian. Blaming religion for human evil is raw scapegoating, no different in kind than blaming videogames or blacks or gays or rock and roll or women. ~Oh, the bad things in the world come from people NOT LIKE ME~. Here's a tip for you: the bad things in the world almost all come from people who think exactly like that.
To convict him of this crime, the government has to satisfy a jury beyond reasonable doubt that (roughly) he has it, he knows he has it, he went and got it, and (unless it's been ruled a "strict liability" crime, I dunno) that he knows it's wrong. He is not obligated to tell them that any part of this is true. Suppose the files, instead of being encrypted on his hard drive, were just sealed in his safe deposit box. The government could compel production because they don't have to prove he can get them. Suppose it were someone else's safe deposit box? Then they'd have to prove he has access to it. That's what they have to prove here: he has access. He's not obligated to tell them he does.
Given their other errors, it's reasonable to wonder just what kind of AI could be expected to find any discrepancy at all here.
An efficient method for me to make a profit off you is to put a gun to your head and demand your money. I risk nothing but a two-dollar bullet I won't have to use, and I get whatever I want. That's efficient. It's also widely regarded as criminal, and legally regarded as felony. Standard Oil's business practices were certainly efficient. They were also widely regarded as criminal, and legally regarded as felony.
Also I miss rewrapping output (that maybe more than the dnd, having to reissue a command because of truncated output is just a waste of my time) and the kerning.
I don't remember any front panel ever using hickory switches.
erk. yes, going on just what I wrote I'd have to agree with you; in my defense I have to point out that I was writing in the context of this border stop and the documented consultation with people tracking travel patterns and such.
Are you seriously arguing that it's unreasonable to suspect someone with seven convictions for various flavors of child molestation of involvement with child porn?
Volokh's great, but techdirt embedded the full summary and opinion, which volokh merely excerpted (and imho they missed the best part, where the 9th bypassed both parties' arguments and re-addressed the limits on reasonable suspicion of their own accord.
The TECS hit indicated that Cotterman was a sex offender--he had a 1992 conviction for two counts of use of a minor in sexual conduct, two counts of lewd and lascivious conduct upon a child, and three counts of child molestation
Almost every word or symbol in any language ever has multiple related context dependent meanings, physics and math not (and far from it) excluded.
You're arguing that there's something special about these particular symbols, that they must never ever have any context-specific meaning.
Yet 4Kmol K at 4K is almost instantly comprehensible: it's a small truckload of of either ridiculously cold or ridiculously cheap potassium. And you're insisting we mustn't use binary K to count binary bytes but must instead use decimal K to count binary bytes because context haaard.
So, the marketers' argument is that quantifiers are somehow holy symbols that cannot abide context-dependent meanings? Mathematicians don't insist on a single meaning regardless of context. Nor do physicists.
We use base 10 when counting most things, base 60 for seconds, and base 2 for bytes.
Are SI devotees struggling with some urge to force base 10 on us when counting seconds? We don't have pedants running around telling people to wait 0.6cs. With seconds they could argue seconds are an SI unit and 60's arbitrary — but bytes aren't, and 2 isn't.
When the exact count matters, it's binary. Base-10 quantifiers in this field are no better than sloppy approximations we tolerate to avoid forcing marketers to admit to themselves what they are.
"Google reads your personal emails" relies on equivocation to leave the uncritical believing falsehoods. "Uncritical" has multilpe meanings, but only one of them produces a sensible meaning here: uncritical as in not employing critical thought. It takes no conscious effort to discard the other meanings as senseless, therefore unintended, so not worth considering.
Both "Google" and "reads" have multiple meanings, but more than one combination of those meanings produces a sensible meaning.
Very, very few people in this world have any real idea what "reads" means when discussing computer programs. People who have no understanding of computers understand "read" only in the human sense, and so "Google" in "Google reads" will be understood only to refer to people in cubicles doing the reading: for them, that's the only sensible construction.
To whatever extent Microsoft's usage is true, 99+% of the world won't understand it; and whatever understanding that part of the world will construct from it is false -- and even those who do understand it correctly will have some little difficulty rejecting the emotional response associated with the statement while considering and rejecting its false meaning.
People who have been paying attention will be neither surprised nor delighted to that this came from a Microsoft mouth.
Thiey're just greasing the slope.