I find this amazing - so open source doesn't submit itself well to a closed-doors 'expert review' where the experts are usually appointed through a political process rather than a skills one?
Do you have any evidence to back up this assertion? I've met plenty of people who do independent validation and verification (IV&V), and every one of them has been a tremendously clued up individual...
Open source's strength is that it's Darwinian. Yes, a program can start off full of holes, but the whole point is that these holes become evident through the development process, and get plugged.
That's all very nice, and I'm a tremendous supporter of the Open Source movement in general, but there are some systems where Darwinian evolution is simply an utterly inappropriate design methodology. If you need it to be right, first time, then you want your solution from mathematics, not biology.
There are a few good examples: safety critical systems are an obvious choice; the other, is trusted systems.
I am not saying that some 15 year old Linux hacker would have done better, but Closed Source systems which should have been better designed have quite often failed.
I think (and this seems to be a common thread being repeated throughout the responses to this article) that the closed source/open source issue is mostly orthogonal to the idea of trusted/not trusted.
I say mostly orthogonal, since I've never yet seen an open source project with what I would consider a sufficiently formal specification and so on, whereas I have seen closed source systems that do.
I suspect this is a cultural thing, more than a technical issue, but... hey, isn't that what people have been saying is great about open source?
Every function, every procedure has a well-defined set of pre-conditions and post-conditions. What goes in the middle, and how many people are involved in the process, is all irrelevant.
All very well for purely sequential programs that start at A and run straight through to B...
Unfortunately, most real world programs have loops, and proving things about even moderately complex loops is Quite Hard (anyone who has done anything involving the proof of loop invariants and termination conditions will know what I mean), most especially if these proofs are attempted 'after the fact'.
Even then, if you can do that, you run into the problem that many systems are not purely sequential, but have some concurrency involved in their operation. Reasoning about concurrency is also Quite Hard, as anyone who has played with CSP, pi-calculus or any of the other process calculi out there will know.
Finally, you suddenly butt up against the problem that any formal axiomatic system that is sufficiently powerful to do anything useful (say, arithmetic) is also incomplete, so there will be true propositions in your code that you cannot prove. Blame Gödel.
Formal specification and verification is all very good, but it takes so long that it isn't used in any commercial companies, except in some kind of loose analogy.
That simply isn't true. It's true that most consumer software isn't developed to those standards, but just because you don't see it happening at Microsoft, doesn't mean it isn't happening...
An awful lot of safety/business critical software is developed with formal specifications, and even proof on an industrial scale. I've included a URL and a reference to a paper at the end of this post. That software is common in aerospace, rail, telecommunications and (as businesses realise that they are increasingly dependent on their computer systems) in finance.
If you're interested in reading about how formal specification and proof have been applied in real systems, see (for example) 'The Value of Verification: Positive Experience of Industrial Proof', FM'99 Vol II, LNCS 1709 (1999), p. 1527. Sorry for the paper reference; a good college library will have LNCS though.
What does the way something is developed have to do with the final product (or a given release), and the tests performed on it? You are testing the product, not the development environment, surely?
Nope; that's not true actually.
Probably more than half of the work that goes into the design and implementation of trusted systems has nothing to do with 'code', or how the final product tests.
When you get to high levels of trust, you cease to regard testing as an adequate assurance. You want to see evidence that the system has been specified carefully and correctly, and that the code meets the specification. Needless to say, if you don't have a specification, you can't be trusted.
The most that testing can tell you about a program is that you haven't managed to make it Do The Wrong Thing. For high levels of trust, you want a proof that it can't. And, if Doing The Wrong Thing includes disclosing top secret data, missile launch codes or cooking a patient with gamma rays, then I'd bet you'd prefer the latter too!
My assertion is that open source challenges the notion that you need a formal spec to develop trusted software. Much like the submitter of this story, I would hold up OpenBSD as an example of a system that I consider trusted, yet was not developed under any formal spec. Perhaps it's time to realize that formal specs help to get things done correctly, and they certainly help get things done quickly (by preventing, in theory at least, feature-creep), but they certainly are a requirement.
I'm assuming you mean 'aren't' a requirement.
You may trust OpenBSD, but many people won't. The US Government, in particular, won't; nor will any company/agency/whatever that defines 'trusted' in a way that corresponds with TCSEC or ITSEC.
'Trusted' means a lot more than 'look, historically, it's got a great record' or 'we audit all our code'. Surely, these elements do form part of the equation, but there's a lot more to it than that: configuration management systems, proper specifications, and proofs of code against those specifications, a structured engineering process etc.
TCSEC and ITSEC do define themselves, at least partly, in terms of formalisms. The same is true of DEFSTD 055 in the UK, and presumably similar standards in the US. Quite often, what is required of a trusted system is a proof of the security of that system.
Most of the systems that are developed for high levels of assurance under ITSEC/TCSEC are specified in highly mathematical notations that your typical UNIX hacker doesn't really have much interest in. The Certificate Authority for the Mondex smartcard system is designed to ITSEC E6 (which is roughly equivalent to TCSEC A1, for those more familiar with the Rainbow Books): the formal top level specification runs to 500 pages of Z.
Even once you've got a specification to work to, you still have to implement it. Now, if proof of source code against specification is required, you can throw away your C compiler right now, because proving properties of C programs is a nightmare: you want a programming language with a simplified semantics, with dataflow annotations, and an associated toolset. Something like SPARK Ada.
Some open source Unices may have a good record for security, but I doubt they'll ever meet the higher assurance levels. Most of the people who enjoy working on open source don't have the skill set or enthusiasm for the sort of work required here. How many of you wince when I say 'formal axiomatic semantics'?
Moreover, the customers for systems like these want to be able to hold someone accountable. I know that in the context of your typical company, this is an 'old hoary chestnut' and a much debunked myth, but the fact is that when the subject matter becomes sufficiently serious, support becomes a real issue, and the only way that companies _can_ sell is by standing behind their products.
I'm not saying that a trusted system (in the current context) could not be developed open-source, but that there are obstacles:
The open-source development model does directly contradict most of the software engineering principles that are called upon in the development of trusted systems.
The lack of skills and interest among open source developers to get involved in things like IV&V, code proof, development of formal specifications.
The need for an entity to sponsor and support the code (preferably one with deep pockets).
The unfortunate fact of the matter is that writing trusted code is quite hard, and often requires a different mindset from 'hacking'. OpenBSD may have neat features like encrypted swap, and an audited SSH component, but it doesn't have an FTLS, MAC, or (God forbid) object code MCDC testing.
MP3 ripping software will support a new standard, wherein the signature for each track is tagged onto the MP3 that's ripped from a CD.
tietokone-olmi wrote:
And how many seconds do you think it'll take before someone takes the cdparanoia source code and modifies it to clear the "no-copy" bit?
That would be a neat trick, seeing as how the no-copy bit would be inside an encrypted package...
OK, it would go something like this:
Artist generates public key pair; sends public key to Napster, keeps private key secret.
For each track, the artist encrypts a package containing the name of the track, their name, and details of distribution permission with their secret key ('signs' it, in PGP parlance).
Alternatively, artists make this package available via a service like CDDB, so it is downloaded from the Internet as part of the ripping process.
MP3 rippers will read the encrypted packages off the CD, and embed them into MP3s.
When MP3s are added to the DB at Napster, the Napster server checks that the MP3 track/artist name agrees with the encrypted package, and that Napster-style distribution is allowed. If not, it doesn't allow the MP3 into its database.
This works because:
You can't modify any data inside the encrypted package, since although you can decrypt it, you can't re-encrypt it again (you don't have the key).
Since the server checks that the filename agrees with the encrypted package, you can't attach a valid credential to a different MP3, so you can't rip a Metallica CD and use the encrypted package from an unknown band that allows Napster distribution.
The scheme is entirely voluntary, but record companies and artists see that it is a good idea, because it would give them more control over their music.
Digital music distributors like Napster have nothing to lose from this, since they don't want their users violating the wishes of artists by redistributing their music, right?
Users benefit, because MP3s could be properly categorised, filed correctly under artist and name of track.
It's technically quite simple to implement: I mean, I could write all the code needed to make it work in a week. Maybe even a weekend. It sounds like a win/win/win system to me. Apart from for the people who just use Napster to avoid having to pay for music.
As to the substance of your point about 'what stealing is', consider this small Gedankenexperiment: the man who breaks into your car whilst it's parked outside the office, and takes it for a drive around the city, kindly returning it to the car park after he's finished with it, and before you come out of work. Theft, or not theft?
Lord Kano said:
Theft. Because the car has been altered while it was gone. It's not the same. There is more wear on the car. There is less "life" left in it, when it's returned.
OK, so assume he leaves you three bucks on the seat to cover the cost of the gas, the wear on the tyres, and the general depreciation of the vehicle whilst he was driving it.
Theft, or no theft? You've made no monetary loss here. All that's been taken away is control of your property, when you wouldn't notice the difference.
This whole Napster thing is getting out of hand, and it threatens to tar the entire digital software distribution industry with the sort of 'fuck-you-freebie-ism' that Napster seems to be about.
That's a pretty strong statement, but, let's face it, most every single song on Napster is from one copyrighted/protected source or another. At least, the ones that people use it for. For every one legitimate user of Napster, there are ten thousand who are just using it to get music for free (that they'd otherwise have to pay for).
I think Metallica made an interesting point in their Slashdot interview. I don't believe that it's controversial that artists should be able to say who can copy their work. If you don't agree with this, you can stop reading here, because we don't have a common basis for what follows. It's all about how to allow artists to have their say about what people do with their work.
Imagine a scheme whereby artists get this choice: each artist generates a public/private key pair. They 'sign' each of their tracks on each of their CDs: encrypting the name of the song, the name of the artist, and information on how/when the song can be distributed, in some agreed format. One flag might be 'no Napster-style distribution'.
MP3 ripping software will support a new standard, wherein the signature for each track is tagged onto the MP3 that's ripped from a CD.
Napster-like services that want to participate in the scheme have copies of the public key for every artist that participates. Before a track is listed on the database of the Napster-like service, the signature is checked. If it agrees, (i.e. filenames reflect contents, artist name etc) and the redistribution permission data allows this track to be redistributed in a Napster-like service, all is well. Otherwise, the service will refuse to list the file.
By making the permissions data that's signed with the track reasonably fine-grained, artists can enforce their rights. Napster-like services actually gain some measure of moral respectability, and digital distribution might actually survive the year without being legislated into oblivion.
Come to think of it, the artists don't even need to encode the data onto their CDs: it can be distributed from CDDB style servers. In fact, anyone should be allowed to add their public key to the Napster-like services' key database, so the 'struggling new artists' that these services allegedly support can allow their work to be freely distributed, whilst the Metallicas of this world can have the greater control that they want.
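The credential scheme sketched in the two posts above, written out as an added worked example. This is not code from the original thread, nor from any real Napster-era service; it assumes Ed25519 signatures from Go's standard library and a JSON encoding of the credential, and the artist names, track titles and keys are constructed for the demonstration. What the post calls 'encrypting the package with the secret key' is a digital signature, and the server-side checks are, in order: the claimed artist maps to a registered public key, the signature verifies over the exact signed bytes, the upload's artist and track agree with the credential, and the permission flag allows listing. The Tamper function shows why 'clearing the no-copy bit' in a modified ripper does not work: changing one byte of the signed payload invalidates the signature, and only the artist can produce a new one.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"
)

// Credential is what an artist vouches for on one track. Struct field order
// fixes the JSON byte order, so the signed bytes are reproducible.
type Credential struct {
	Artist       string `json:"artist"`
	Track        string `json:"track"`
	AllowSharing bool   `json:"allow_sharing"` // the 'Napster-style distribution' flag
}

// SignedPackage is the blob a ripper embeds in the MP3: payload plus signature.
type SignedPackage struct {
	Payload   []byte
	Signature []byte
}

// Artist owns a key pair; only the public half is ever given to a service.
type Artist struct {
	Name string
	pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

func NewArtist(name string) (*Artist, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Artist{Name: name, pub: pub, priv: priv}, nil
}

// SignTrack is what the post calls 'encrypting with the secret key': a digital signature.
func (a *Artist) SignTrack(track string, allow bool) (SignedPackage, error) {
	payload, err := json.Marshal(Credential{Artist: a.Name, Track: track, AllowSharing: allow})
	if err != nil {
		return SignedPackage{}, err
	}
	return SignedPackage{Payload: payload, Signature: ed25519.Sign(a.priv, payload)}, nil
}

// Service is the Napster-like indexer: one public key per artist name. Because the
// name selects the key, a real registry must refuse re-registration of a taken name.
type Service map[string]ed25519.PublicKey

func (s Service) Register(a *Artist) { s[a.Name] = a.pub }

// Admit decides whether an upload may be listed. fileArtist and fileTrack come from the
// upload's own name and tags (uploader-controlled); only the credential cannot be forged.
func (s Service) Admit(pkg SignedPackage, fileArtist, fileTrack string) (bool, string) {
	var c Credential
	if err := json.Unmarshal(pkg.Payload, &c); err != nil {
		return false, "malformed credential"
	}
	pub, ok := s[c.Artist] // the claimed name only selects a key
	if !ok {
		return false, "no registered key for claimed artist"
	}
	if !ed25519.Verify(pub, pkg.Payload, pkg.Signature) {
		return false, "bad signature" // nothing in the payload is trusted before this
	}
	if c.Artist != fileArtist || c.Track != fileTrack {
		return false, "credential does not match the file it is attached to"
	}
	if !c.AllowSharing {
		return false, "artist forbids this kind of distribution"
	}
	return true, "ok"
}

// Tamper models the 'clear the no-copy bit' attack: rewrite the payload but
// keep the original signature, which the attacker cannot regenerate.
func Tamper(pkg SignedPackage, allow bool) SignedPackage {
	var c Credential
	_ = json.Unmarshal(pkg.Payload, &c)
	c.AllowSharing = allow
	payload, _ := json.Marshal(c)
	return SignedPackage{Payload: payload, Signature: pkg.Signature}
}

func main() {
	// Constructed sample artists and tracks; the keys are freshly generated.
	indie, _ := NewArtist("Unknown Band")
	metallica, _ := NewArtist("Metallica")
	svc := Service{}
	svc.Register(indie)
	svc.Register(metallica)
	demo, _ := indie.SignTrack("Demo Song", true)
	locked, _ := metallica.SignTrack("Track 1", false)
	fmt.Println(svc.Admit(demo, "Unknown Band", "Demo Song"))
	fmt.Println(svc.Admit(locked, "Metallica", "Track 1"))
	fmt.Println(svc.Admit(demo, "Metallica", "Track 1"))
	fmt.Println(svc.Admit(Tamper(locked, true), "Metallica", "Track 1"))
}
```

Two caveats worth keeping in mind when reading the post's claims. First, the credential binds a name and a title, not the audio: an uploader who rips a forbidden CD and labels the file with the indie band's name and track title, attaching that band's permissive credential, passes every check above, so the filename check only enforces honest labelling, not honest content. Second, the scheme's security rests entirely on the name-to-key registry; if anyone may register any name, the first registration under 'Metallica' wins, which is why Register in a real service would have to refuse duplicates and verify identity out of band.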
Stealing is when person A has object X. Person B comes along, and without permission from the rightful owner of object X, takes object X. Person B now has possession of object X and person A no longer has object X.
You might think that, and it certainly might not be an unreasonable position for a layman, but in many jurisdictions, theft is considerably more broadly defined than that.
For example, in the UK, theft has been interpreted to mean something along the lines of 'appropriating any of the bundle of rights of the legal owner of a thing, with intent permanently to deprive', in a decision based on the Theft Act 1968. Now the right to copy a work resides solely in the owner of a copyright, unless that right is otherwise given away/sold/whatever, according to the Copyright Designs and Patents Act 1988.
So, there's a reasonable argument that copyright theft really is theft, at least in the UK; at least insofar as the actus reus (that is to say, the actual wrong action).
As to the substance of your point about 'what stealing is', consider this small Gedankenexperiment: the man who breaks into your car whilst it's parked outside the office, and takes it for a drive around the city, kindly returning it to the car park after he's finished with it, and before you come out of work. Theft, or not theft?
I have been perusing this thread briefly, and I'm astonished at how outraged some people appear to be at Netpliance's decision: I think they ought to take one step back and look at this from a more rational perspective:
The quoted $99 price is obviously a massive loss-leader, as I'm sure is the higher $199 price that they 'reduced' from. This is trivially obvious to anyone who has ever bought PC components (flat panel displays are not cheap; even mediocre quality 10" 800x600 versions). Even deep bulk discounts have to be played off against the system integration costs. In fact, even Netpliance acknowledge this fact in their S-1 filing with the SEC (page 3, under Risk Factors).
The business model is familiar: sell for a loss (or, indeed give it away), and then recoup from the recurring cost of the service. This model is at least as old as the disposable razor-blade, and will be familiar to many who read this forum as the same one used to sell cellular telephones, AOL (400 free hours! etc....), and so on.
So what's the problem? Well, so far as I can see, there are really two objections here, which I'd characterise as 'Naive' and 'Not So Naive'.
The Naive objection
The 'Naive' objection is 'I paid $100 for this, I own it, and if I don't want to use their internet service, I don't see why I should have to pay for it'. Usually, these objections include appeals to the illegality of the action. This is in line with the razor-blade model, where Gillette doesn't mind too much if you buy a single Sensor Excel razor and never buy another blade.
Of course, it's not illegal effectively to bundle a service contract with a purchase (at least, not in my jurisdiction, and I'm pretty certain it isn't in the USA either). If, at the time of purchase, you sign up for a year's worth of their ISP service at $21.95 a month, you've entered (of your own free will) a perfectly legally binding contract. This is the cellular phone model: if you don't pay for your service contract, Netpliance will chase you in the courts, and you will lose.
Summary: the Naive objector understands the razor business model, but not the cellular phone model.
The Not So Naive objection
The 'Not So Naive' objection is 'I paid my $99 for this, so I own the box. I'm quite happy to pay a few hundred bucks over the course of the year in ISP charges, it still works out a good deal, and it's a neat toy! Why would they want to stop me throwing NetBSD on it?'.
The reason why Netpliance don't want you to buy the box and not use their service is more subtle. Their business model doesn't just depend on recurring subscriptions (blades, airtime...) but also on their ability to attract advertisers, sponsors and other value-added services. Their ability to do this is predicated upon the ability to establish a large user base for their service.
As such, they're going to need to demonstrate that supporting their company is going to result in a significant number of imprints for their advertisers and so on. In their S-1 filing, they acknowledge that their success will depend almost entirely on branding and high-quality content.
Summary: the 'Not So Naive' objector hasn't read Netpliance's business plan...
What does this all add up to? Well, it's all quite obvious: Netpliance doesn't want you just to buy an i-Opener, they want you to use it, and with their services. If the product, as was previously shipping, was going to compromise their business model in some way (and the weight of the evidence here is that it probably was!) then they have a common-sense responsibility to emend it.
Yes, it sucks that we can't have our cake and eat it, but I don't think it's fair to rag on Netpliance for doing right by their shareholders. If I were them, I would do the same thing.
Meanwhile, on a far more important note, I spent several minutes trying to figure out your Latin .sig line. Google brought me to the Aeneid in Latin (no translation), but - get this - it also brought me to several Slashdot articles you've written. (Same with Yahoo and Find.com.) In the end, the best I could come up with was from the Perseus Project, a line about how Dido never dreamed that love like that she shared with Aeneas could ever die. Is that about right?
The quotation is, indeed, from the Aeneid; Book IV to be precise... I'm not sure where the translation you've got has come from, but it doesn't seem to be from quite the right part of the book...
As I remember it, Williams' translation goes something like: 'O relentless love, to what mad courses may not mortal hearts by thee be driven!' It refers in main to the panic into which Dido is thrown when Aeneas begins his preparations to depart from Carthage, having been informed by the gods that he is abandoning his fated purpose by lingering there with Dido.
PS. I would've emailed this, but you don't appear to have an email address on file...
Collecting economic intelligence is completely understandable - after all, economic crises are an incredible threat to the U.S. Collecting economic intelligence makes perfect sense; it can help us prepare for and manage economic catastrophe long before it happens.
I think the part of this that people find disturbing is not so much that economic intelligence is gathered, but that it is subsequently divulged for what appears to be commercial gain, rather than in the interests of national security.
And on that basis:
Keep in mind that most of the information is OSINT (open source intelligence), and not intelligence obtained by spying. To quote the article: "Whether economic or military, most US intelligence data came from open sources, [Woolsey] said. But 'five percent is essentially secrets that we steal. We steal secrets with espionage, with communications, with reconnaissance satellites.'
Even if it is the case that 95% of intelligence is gathered from open sources (and I've no reason to doubt that), the fact still remains that it has been collated, assessed for reliability, digested and disseminated with money that is supposed to be spent on providing national security.
Market intelligence is a tremendously valuable commodity; there are certainly companies the livelihoods of which depend on selling it. To provide it 'free of charge' is a tremendous boon to the companies involved, and a subsidy which effectively comes out of a large (and largely opaquely accounted) intelligence gathering budget.
I have to disagree. If someone broadcasts sensitive information and it gets intercepted, I wouldn't call that theft. If the information is sensitive, it should be encrypted and/or routed over hard line.
So, by analogy, if you're so lax as to leave your bike unsecured, I should be entitled to steal it?
Moreover, given that the NSA (etc.) doesn't make it common knowledge exactly what its capabilities actually are in the field of cryptanalysis, what level of paranoia should companies (or, indeed, individuals) be forced to adopt in order to secure themselves?
The laws of a country apply only on that country's soil. If you break them, that country prosecutes you by their laws. Simple.
Simply wrong. Many states choose to exercise their jurisdiction over their citizens when they are abroad. For example, in England, we have laws that have been used successfully to prosecute 'sex tourists' who have sexually abused minors whilst on holiday in Thailand.
And who says a country shouldn't be able to break laws if it is willing to accept the penalties when caught? I break the law every day, speeding to work, and am willing to pay the ticket when caught.
I rather fail to see the parallel. Many countries have the doctrine of 'act of state', wherein the foreign policy actions of the government are not susceptible to any form of judicial review. There is no 'penalty' for 'breaking the rules', as such.
On the other hand, it does weaken the democratic mandate of a government which is alleged to operate constitutionally under the rule of law.
I expect my government to heed the principle that it, too, operates under the rule of law; including being contained by the boundaries that the legislature has set for it: anything else is an executive usurpation of the role of the legislature, and a violation of the core notion of the separation of powers.
I bet you wouldn't speed to work every day if you thought that the traffic cop that stopped you might decide to put a bullet in your brain rather than give you a ticket...
On 100 Mbit ethernet, a crossover cable will usually only give you 10Mbit. I assume the same will be true with gigabit. You probably won't get full speed out of a crossover cable.
I'm not sure what you're talking about; there's no good reason why a crossover cable wouldn't give a full speed connection between two 100Mbit/s NICs.
I've managed networks with plenty of 100BaseFX inter-switch links which are not much more than glorified cross-over cables, and had no problems at all.
All that a hub does (well, this isn't strictly true on newer hubs, but...) is repeat the signal; if anything, you should get faster speeds out of crossover cables, as you can run them full-duplex.
In fact, using a crossover cable should be even faster than using a switch in pure performance terms, as there's no switching delay.
Sure, you can get a fairly inexpensive gigabit ethernet card, but how much is the hub gonna cost. You can only connect 2 computers through a Null Cable (cross over).
You're not going to get hubs for this stuff, you're only going to get switches.
As far as I know, no vendor currently has a 1000BaseT product out there, so it's difficult to say exactly what the cost will be. But, for comparison's sake, the SuperStack II 9000SX, which is an 8-port 1000BaseSX (short haul multimode fibre gigabit) switch, retails for about £10,000, which is approximately $16,000.
Which means that this stuff isn't going to be 'string it around the bedroom for the Quake deathmatch' fodder for a few years to come.
I remember that a lot of problems cropped up when trying to do 100Mbit Ethernet on existing wiring, which only barely could manage 10Mbps. What will happen to most of the wiring already laid out. Will it have to be thrown out? I remember hearing about a Cat-6 cable. Will we have to upgrade our networks?
It's my understanding that the 802.3ab gigabit over copper standard is intended to work on standard Cat-5 cabling, so there shouldn't be any need to replace your existing cables. On the other hand, it does use all four pairs of the cable, so faults that may not have been evident beforehand might turn up...
Cat-6 cable certainly exists, and I believe there's also a Cat-7 standard (with individual routing channels through the cable for the individual pairs?), not to mention Cat-5e. I think quite a lot of the demand for this cable is drummed up by the vendors and installers of cable plant.
Also, anybody got information on how collision handling is done on this new architecture? I would suppose that, being a gigabit ethernet, it would surely see much more usage than a 100Mbps one, and being also much higher speed, there should be more collisions.
Collision handling in gigabit ethernets is a functional irrelevancy; although the 802.3z standard does have provision for shared-media networks, the last time I checked there were no products (nor any scheduled) that supported it.
Basically, if you're looking at gigabit ethernet, you're looking at a full duplex, switched network.
For what it's worth, from a technical perspective, I seem to remember that the collision detecting version uses a carrier extension to allow the network to have a useful radius (i.e. in order to avoid late collisions). The carrier extension was for some moderately significant number of bit-times, which could (theoretically) lead to pretty trashy performance with small packet, high load networks.
But, as I said before, it's not like you care, as your gigabit ethernet network is all going to be switched.
This is not the first American Express smartcard, I don't think.
There is the so-called Charter Card, which is black, and comes with a pocket smartcard reader which is designed to access some of the data stored on the smartcard chip - details of foreign exchange rates, cardmember discounts, insurance, benefits and so on.
Just in case any of you think that I'm making this up, I happen to have a photo of one right here.
The Computing Laboratory at Oxford University does an MSc course in Computation that has a software engineering strand.
If you're interested in the more theoretical end of software engineering (formal methods, Z notation, abstraction machine notation/B method, automated proof checking...) then you could certainly do a LOT worse. see Oxford Univ. Computing Lab home page.
The Comlab is also strong on reconfigurable hardware and hardware compilation, distributed/parallel computing etc.
Other problems: Charges a fee for "free speech"- nuff said.
Oh, there's a bit of an irony here.
I think the poster may be making a mistake common to many who do not understand the concept of 'freedom' as opposed to 'cost-free'.
Usually, in free software, we call this the 'free speech vs. free beer' argument. However, the poster has evidently failed to grasp even this distinction.
If the paradigmatic alternative to 'free beer' is 'free speech', then I suggest free software should change its name to something else, like 'Bob', in order to reduce the confusion caused.
The spec page claims that the display consists of 832 by 624 pixels. But on the same time line it says 155M dots. Now, 832*624=519168. This says they use roughly 300 dots per pixel
I suspect that there's a decimal point missing somewhere in there, and they actually mean 1.55M. That's tantalizingly closer to 519K multiplied by 3 (for red/green/blue elements).
I find this amazing - so open source doesn't submit itself well to a closed-doors 'expert review' where the experts are usually appointed through a political process rather than a skills one?
Do you have any evidence to back up this assertion? I've met plenty of people who do independent validation and verification (IV&V), and every one of them has been a tremendously clued up individual...
Open source's strength is that it's Darwinian. Yes, a program can start off full of holes, but the whole point is that these holes become evident through the development process, and get plugged.
That's all very nice, and I'm a tremendous supporter of the Open Source movement in general, but there are some systems where Darwinian evolution is simply an utterly inappropriate design methodology. If you need it to be right, first time, then you want your solution from mathematics, not biology.
There are a few good examples: safety critical systems are an obvious choice; the other, is trusted systems.
Cheers, Nick.
I am not saying that some 15 year old Linux hacker would have done better, but Closed Source systems which should have been better designed have quite often failed.
I think (and this seems to be a common thread being repeated throughout the responses to this article) that the closed source/open source issue is mostly orthogonal to the idea of trusted/not trusted.
I say mostly orthogonal, since I've never yet seen an open source project with what I would consider a sufficiently formal specification and so on, whereas I have seen closed source systems that do.
I suspect this is a cultural thing, more than a technical issue, but ... hey, isn't that what people have been saying is great about open source?
Cheers, Nick.
Every function, every procedure has a well-defined set of pre-conditions and post-conditions. What goes in the middle, and how many people are involved in the process, is all irrelevent.
All very well for purely sequential programs that start at A and run straight through to B...
Unfortunately, most real world programs have loops, and proving things about even moderately complex loops is Quite Hard (anyone who has done anything involving the proof of loop invariants and termination conditions will know what I mean), most especially if these proofs are attempted 'after the fact'.
Even then, if you can do that, you run into the problem that many systems are not purely sequential, but have some concurrency involved in their operation. Reasoning about concurrency is also Quite Hard, as anyone who has played with CSP, pi-calculus or any of the other process calculi out there will know.
Finally, you suddenly butt up against the problem that any formal axiomatic system that is sufficiently powerful to do anything useful (say, arithmetic) is also incomplete, so there will be true propositions in your code that you cannot prove. Blame Gödel.
Cheers, Nick.
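As an added illustration of the pre-condition / post-condition / loop-invariant reasoning Nick is describing (this is example code written for this page, not code from his post or from any project he mentions), here is a binary search in Go whose contract is stated and checked at run time. The names `Search`, `invariant` and `ContractError` are assumptions made for the example. Run-time checks are not a proof: they only make visible, for the one execution that actually happens, what a proof would have to establish for every execution.

```go
package main

import (
	"fmt"
	"sort"
)

// ContractError reports which part of the reasoning failed at run time.
type ContractError struct{ Part, Detail string }

func (e *ContractError) Error() string { return e.Part + ": " + e.Detail }

// Search finds target in a sorted slice by binary search and checks its
// Hoare-style contract as it runs:
//   pre-condition:  a is sorted ascending
//   invariant:      0 <= lo <= hi <= len(a); every a[:lo] < target; every a[hi:] > target
//   termination:    the measure hi-lo is non-negative and strictly decreases
//   post-condition: result >= 0 implies a[result] == target;
//                   result == -1 implies target is not in a
// (Constructed example: the checks are what a proof would establish once and
// for all; here they simply make a violated step visible.)
func Search(a []int, target int) (int, error) {
	if !sort.IntsAreSorted(a) {
		return -1, &ContractError{"pre-condition", "input is not sorted"}
	}
	lo, hi := 0, len(a)
	prev := hi - lo + 1 // strictly above the first measure, so the first check passes
	for lo < hi {
		if err := invariant(a, target, lo, hi); err != nil {
			return -1, err
		}
		if m := hi - lo; m < 0 || m >= prev {
			return -1, &ContractError{"termination", fmt.Sprintf("measure went from %d to %d", prev, m)}
		}
		prev = hi - lo
		mid := lo + (hi-lo)/2
		switch {
		case a[mid] < target:
			lo = mid + 1 // sorted and a[mid] < target, so a[:lo] is still all < target
		case a[mid] > target:
			hi = mid // sorted and a[mid] > target, so a[hi:] is still all > target
		default:
			return mid, nil // post-condition: a[mid] == target
		}
	}
	// lo == hi: the invariant says a[:lo] < target < a[lo:], so target is absent.
	for i, v := range a {
		if v == target {
			return -1, &ContractError{"post-condition", fmt.Sprintf("target present at index %d", i)}
		}
	}
	return -1, nil
}

// invariant is the run-time check of the loop invariant stated above.
func invariant(a []int, target, lo, hi int) error {
	if lo < 0 || lo > hi || hi > len(a) {
		return &ContractError{"invariant", fmt.Sprintf("bounds lo=%d hi=%d len=%d", lo, hi, len(a))}
	}
	for _, v := range a[:lo] {
		if v >= target {
			return &ContractError{"invariant", "element in a[:lo] is not below target"}
		}
	}
	for _, v := range a[hi:] {
		if v <= target {
			return &ContractError{"invariant", "element in a[hi:] is not above target"}
		}
	}
	return nil
}

func main() {
	a := []int{1, 3, 5, 7, 9, 11}
	for _, want := range []int{7, 4} {
		i, err := Search(a, want)
		fmt.Println("search", want, "->", i, err)
	}
	_, err := Search([]int{3, 1, 2}, 1)
	fmt.Println("unsorted input ->", err)
}
```

The invariant is chosen so that, together with the exit condition `lo == hi`, it implies the "not found" half of the post-condition without any further search; that choice, rather than the code, is the hard part the post is talking about, and an invariant picked "after the fact" for an existing loop often turns out not to be strong enough to do this.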
Formal specification and verification is all very good, but it takes so long that it isn't used in any commercial companies, except in some kind of loose analogy.
That simply isn't true. It's true that most consumer software isn't developed to those standards, but just because you don't see it happening at Microsoft, doesn't mean it isn't happening...
An awful lot of safety/business critical software is developed with formal specifications, and even proof on an industrial scale. I've included a URL and a reference to a paper at the end of this post. That software is common in aerospace, rail, telecommunications and (as businesses realise that they are increasingly dependent on their computer systems) in finance.
For examples of products developed with a high level of formalism, including mathematical specifications, see: Praxis Critical Systems' SPARK projects page.
If you're interested in reading about how formal specification and proof have been applied in real systems, see (for example) 'The Value of Verification: Positive Experience of Industrial Proof', FM'99 Vol II, LNCS 1709 (1999), p. 1527. Sorry for the paper reference; a good college library will have LNCS though.
Cheers, Nick.
What does the way something is developed have to do with the final product (or a given release), and the tests performed on it? You are testing the product, not the development environment, surely?
Nope; that's not true actually.
Probably more than half of the work that goes into the design and implementation of trusted systems has nothing to do with 'code', or how the final product tests.
When you get to high levels of trust, you cease to regard testing as an adequate assurance. You want to see evidence that the system has been specified carefully and correctly, and that the code meets the specification. Needless to say, if you don't have a specification, you can't be trusted.
The most that testing can tell you about a program is that you haven't managed to make it Do The Wrong Thing. For high levels of trust, you want a proof that it can't. And, if Doing The Wrong Thing includes disclosing top secret data, missile launch codes or cooking a patient with gamma rays, then I'd bet you'd prefer the latter too!
Cheers, Nick.
My assertion is that open source challenges the notion that you need a formal spec to develop trusted software. Much like the submitter of this story, I would hold up OpenBSD as an example of a system that I consider trusted, yet was not developed under any formal spec. Perhaps it's time to realize that formal specs help to get things done correctly, and they certainly help get things done quickly (by preventing, in theory at least, feature-creep), but they certainly are a requirement.
I'm assuming you mean 'aren't' a requirement.
You may trust OpenBSD, but many people won't. The US Government, in particular, won't; nor will any company/agency/whatever that defines 'trusted' in a way that corresponds with TCSEC or ITSEC.
'Trusted' means a lot more than 'look, historically, it's got a great record' or 'we audit all our code'. Surely, these elements do form part of the equation, but there's a lot more to it than that: configuration management systems, proper specifications, and proofs of code against those specifications, a structured engineering process etc.
TCSEC and ITSEC do define themselves, at least partly, in terms of formalisms. The same is true of DEFSTD 055 in the UK, and presumably similar standards in the US. Quite often, what is required of a trusted system is a proof of the security of that system.
Most of the systems that are developed for high levels of assurance under ITSEC/TCSEC are specified in highly mathematical notations that your typical UNIX hacker doesn't really have much interest in. The Certificate Authority for the Mondex smartcard system is designed to ITSEC E6 (which is roughly equivalent to TCSEC A1, for those more familiar with the Rainbow Books): the formal top level specification runs to 500 pages of Z.
Even once you've got a specification to work to, you still have to implement it. Now, if proof of source code against specification is required, you can throw away your C compiler right now, because proving properties of C programs is a nightmare: you want a programming language with a simplified semantics, with dataflow annotations, and an associated toolset. Something like Spark ADA.
Some open source Unices may have a good record for security, but I doubt they'll ever meet the higher assurance levels. Most of the people who enjoy working on open source don't have the skill set or enthusiasm for the sort of work required here. How many of you wince when I say 'formal axiomatic semantics'?
Moreover, the customers for systems like these want to be able to hold someone accountable. I know that in the context of your typical company, this is an 'old hoary chestnut' and a much debunked myth, but the fact is that when the subject matter becomes sufficiently serious, support becomes a real issue, and the only way that companies _can_ sell is by standing behind their products.
I'm not saying that a trusted system (in the current context) could not be developed open-source, but that there are obstacles:
The unfortunate fact of the matter is that writing trusted code is quite hard, and often requires a different mindset from 'hacking'. OpenBSD may have neat features like encrypted swap, and an audited SSH component, but it doesn't have an FTLS, MAC, or (God forbid) object code MCDC testing.
Cheers, Nick.
I wrote:
MP3 ripping software will support a new standard, wherein the signature for each track is tagged onto the MP3 that's ripped from a CD.
tietokone-olmi wrote:
And how many seconds do you think it'll take before someone takes the cdparanoia source code and modifies it to clear the "no-copy" bit?
That would be a neat trick, seeing as how the no-copy bit would be inside an encrypted package...
OK, it would go something like this:
This works because:
It's technically quite simple to implement: I mean, I could write all the code needed to make it work in a week. Maybe even a weekend. It sounds like a win/win/win system to me. Apart from for the people who just use Napster to avoid having to pay for music.
I said:
As to the substance of your point about 'what stealing is', consider this small Gedankenexperiment: consider the man who breaks into your car whilst it's parked outside the office, and takes it for a drive around the city, kindly returning it to the car park after he's finished with it, and before you come out of work. Theft, or not theft?
Lord Kano said:
Theft. Because the car has been altered while it was gone. It's not the same. There is more wear on the car. There is less "life" left in it, when it's returned.
OK, so assume he leaves you three bucks on the seat to cover the cost of the gas, the wear on the tyres, and the general depreciation of the vehicle whilst he was driving it.
Theft, or no theft? You've made no monetary loss here. All that's been taken away is control of your property, when you wouldn't notice the difference.
This whole Napster thing is getting out of hand, and it threatens to tar the entire digital software distribution industry with the sort of 'fuck-you-freebie-ism' that Napster seems to be about.
That's a pretty strong statement, but, let's face it, most every single song on Napster is from one copyrighted/protected source or another. At least, the ones that people use it for. For every one legitimate user of Napster, there are ten thousand who are just using it to get music for free (that they'd otherwise have to pay for).
I think Metallica made an interesting point in their Slashdot interview. I don't believe that it's controversial that artists should be able to say who can copy their work. If you don't agree with this, you can stop reading here, because we don't have a common basis for what follows. It's all about how to allow artists to have their say about what people do with their work.
Imagine a scheme whereby artists get this choice: each artist generates a public/private key pair. They 'sign' each of their tracks on each of their CDs: encrypting the name of the song, the name of the artist, and information on how/when the song can be distributed, in some agreed format. One flag might be 'no Napster-style distribution'.
MP3 ripping software will support a new standard, wherein the signature for each track is tagged onto the MP3 that's ripped from a CD.
Napster-like services that want to participate in the scheme have copies of the public key for every artist that participates. Before a track is listed on the database of the Napster-like service, the signature is checked. If it agrees, (i.e. filenames reflect contents, artist name etc) and the redistribution permission data allows this track to be redistributed in a Napster-like service, all is well. Otherwise, the service will refuse to list the file.
By making the permissions data that's signed with the track reasonably fine-grained, artists can enforce their rights. Napster-like services actually gain some measure of moral respectability, and digital distribution might actually survive the year without being legislated into oblivion.
Come to think of it, the artists don't even need to encode the data onto their CDs: it can be distributed from CDDB style servers. In fact, anyone should be allowed to add their public key to the Napster-like services' key database, so the 'struggling new artists' that these services allegedly support can allow their work to be freely distributed, whilst the Metallica's of this world can have the greater control that they want.
What do you guys think?
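The exchange described above, as an added example that is not part of the original post (nor code from Napster, cdparanoia or any other project): the artist signs a small claim carrying the track metadata and a redistribution flag, and the service checks the signature against the key it holds for the claimed artist before deciding whether to list the file. It uses Ed25519 from Go's standard library; the claim format, field names, the `Registry` type and the artist names are constructed for this example. It also shows the point made earlier in reply to tietokone-olmi: because the "no-copy" flag is inside the signed payload, clearing it after signing makes the signature fail to verify rather than granting permission.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// TrackClaim is the payload an artist signs: track metadata plus the
// redistribution flag. Field names are constructed for this example.
type TrackClaim struct {
	Artist   string `json:"artist"`
	Title    string `json:"title"`
	AllowP2P bool   `json:"allow_p2p"` // "Napster-style distribution allowed"
}

// SignedTrack is what the ripper tags onto the MP3: the claim plus the
// artist's Ed25519 signature over its canonical JSON encoding.
type SignedTrack struct {
	Claim     TrackClaim
	Signature []byte
}

// Registry is the service's key database: artist name -> public key.
type Registry map[string]ed25519.PublicKey

var (
	ErrUnknownArtist = errors.New("artist has no registered public key")
	ErrBadSignature  = errors.New("signature does not verify against registered key")
	ErrNotPermitted  = errors.New("artist does not permit this kind of distribution")
)

// SignTrack is the artist side. json.Marshal of a struct is deterministic
// (fields in declaration order), so signer and verifier encode identically.
func SignTrack(priv ed25519.PrivateKey, c TrackClaim) SignedTrack {
	msg, _ := json.Marshal(c) // cannot fail for this plain struct
	return SignedTrack{Claim: c, Signature: ed25519.Sign(priv, msg)}
}

// CanList is the service side: look up the key for the claimed artist,
// verify the signature, then apply the flag. Because the flag is inside
// the signed payload, clearing it after signing breaks verification.
func (r Registry) CanList(t SignedTrack) error {
	pub, ok := r[t.Claim.Artist]
	if !ok {
		return ErrUnknownArtist
	}
	msg, _ := json.Marshal(t.Claim)
	if !ed25519.Verify(pub, msg, t.Signature) {
		return ErrBadSignature
	}
	if !t.Claim.AllowP2P {
		return ErrNotPermitted
	}
	return nil
}

// enrol generates a key pair for an artist and registers the public half.
func (r Registry) enrol(name string) ed25519.PrivateKey {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err) // no usable entropy: nothing sensible to do
	}
	r[name] = pub
	return priv
}

// Scenario runs a constructed four-case example and returns the listing
// decision for each case, keyed by case name.
func Scenario() map[string]error {
	reg := Registry{}
	bandKey := reg.enrol("Big Label Band")
	indieKey := reg.enrol("Struggling New Artist")
	res := map[string]error{}

	// A new artist explicitly allows sharing: listed.
	ok := SignTrack(indieKey, TrackClaim{"Struggling New Artist", "Demo 1", true})
	res["permitted"] = reg.CanList(ok)

	// An established band forbids it: refused on the flag.
	no := SignTrack(bandKey, TrackClaim{"Big Label Band", "Hit Single", false})
	res["forbidden"] = reg.CanList(no)

	// Someone flips the flag after signing: refused on the signature.
	tampered := no
	tampered.Claim.AllowP2P = true
	res["tampered"] = reg.CanList(tampered)

	// A claim naming an artist with no registered key: refused.
	unknown := ok
	unknown.Claim.Artist = "Nobody Registered"
	res["unregistered"] = reg.CanList(unknown)
	return res
}

func main() {
	for name, err := range Scenario() {
		fmt.Printf("%-12s -> %v\n", name, err)
	}
}
```

Two things worth noticing about what this does and does not check. The signature covers only the claim, so a file with the tag stripped or a renamed claim simply fails the lookup or the verification and is not listed, which is exactly the behaviour the post asks for; nothing here binds the claim to the audio bytes, so if that mattered the claim would also need to carry a hash of the content, which the post does not specify. And the whole scheme rests on the service's key database: whoever can register a key under an artist's name can speak for that artist, so the enrolment step is the part that needs the most care.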
Stealing is when person A has object X. Person B comes along, and without permission from the rightful owner of object X, takes object X. Person B now has possession of object X and person A no longer has object X.
You might think that, and it certainly might not be an unreasonable position for a layman, but in many jurisdictions, theft is considerably more broadly defined than that.
For example, in the UK, theft has been interpreted to mean something along the lines of 'appropriating any of the bundle of rights of the legal owner of a thing, with intent permanently to deprive', in a decision based on the Theft Act 1968. Now the right to copy a work resides solely in the owner of a copyright, unless that right is otherwise given away/sold/whatever, according to the Copyright Designs and Patents Act 1988.
So, there's a reasonable argument that copyright theft really is theft, at least in the UK; at least insofar as the actus reus (that is to say, the actual wrong action).
As to the substance of your point about 'what stealing is', consider this small Gedankenexperiment: consider the man who breaks into your car whilst it's parked outside the office, and takes it for a drive around the city, kindly returning it to the car park after he's finished with it, and before you come out of work. Theft, or not theft?
I have been perusing this thread briefly, and I'm astonished at how outraged some people appear to be at Netpliance's decision: I think they ought to take one step back and look at this from a more rational perspective:
The quoted $99 price is obviously a massive loss-leader, as I'm sure is the higher $199 price that they 'reduced' from. This is trivially obvious to anyone who has ever bought PC components (flat panel displays are not cheap; even mediocre quality 10" 800x600 versions). Even deep bulk discounts have to be played off against the system integration costs. In fact, even Netpliance acknowledge this fact in their S-1 filing with the SEC (page 3, under Risk Factors).
The business model is familiar: sell for a loss (or, indeed give it away), and then recoup from the recurring cost of the service. This model is at least as old as the disposable razor-blade, and will be familiar to many who read this forum as the same one used to sell cellular telephones, AOL (400 free hours! etc....), and so on.
So what's the problem? Well, so far as I can see, there are really two objections here, which I'd characterise as 'Naive' and 'Not So Naive'.
The Naive objection
The 'Naive' objection is 'I paid $100 for this, I own it, and if I don't want to use their internet service, I don't see why I should have to pay for it'. Usually, these objections include appeals to the illegality of the action. This is in line with the razor-blade model, where Gillette doesn't mind too much if you buy a single Sensor Excel razor and never buy another blade.
Of course, it's not illegal effectively to bundle a service contract with a purchase (at least, not in my jurisdiction, and I'm pretty certain it isn't in the USA either). If, at the time of purchase, you sign up for a year's worth of their ISP service at $21.95 a month, you've entered (of your own free will) a perfectly legally binding contract. This is the cellular phone model: if you don't pay for your service contract, Netpliance will chase you in the courts, and you will lose.
Summary: the Naive objector understands the razor business model, but not the cellular phone model.
The Not So Naive objection
The 'Not So Naive' objection is 'I paid my $99 for this, so I own the box. I'm quite happy to pay a few hundred bucks over the course of the year in ISP charges, it still works out a good deal, and it's a neat toy! Why would they want to stop me throwing NetBSD on it?'.
The reason why Netpliance don't want you to buy the box and not use their service is more subtle. Their business model doesn't just depend on recurring subscriptions (blades, airtime...) but also on their ability to attract advertisers, sponsors and other value-added services. Their ability to do this is predicated upon the ability to establish a large user base for their service.
As such, they're going to need to demonstrate that supporting their company is going to result in a significant number of imprints for their advertisers and so on. In their S-1 filing, they acknowledge that their success will depend almost entirely on branding and high-quality content.
Summary: the 'Not So Naive' objector hasn't read Netpliance's business plan...
What does this all add up to? Well, it's all quite obvious: Netpliance doesn't want you just to buy an i-Opener, they want you to use it, and with their services. If the product, as was previously shipping, was going to compromise their business model in some way (and the weight of the evidence here is that it probably was!) then they have a common-sense responsibility to emend it.
Yes, it sucks that we can't have our cake and eat it, but I don't think it's fair to rag on Netpliance for doing right by their shareholders. If I were them, I would do the same thing.
Potentially Interesting Resources:
Meanwhile, on a far more important note, I spent several minutes trying to figure out your Latin .sig line. Google brought me to the Aeneid in Latin (no translation), but - get this - it also brought me to several Slashdot articles you've written. (Same with Yahoo and Find.com.) In the end, the best I could come up with was from the Perseus Project, a line about how Dido never dreamed that love like that she shared with Aeneas could ever die. Is that about right?
The quotation is, indeed, from the Aeneid; Book IV to be precise... I'm not sure where the translation you've got has come from, but it doesn't seem to be from quite the right part of the book...
As I remember it, Williams' translation goes something like: O relentless love, to what mad courses may not mortal hearts by thee be driven! It refers in main to the panic into which Dido is thrown when Aeneas begins his preparations to depart from Carthage, having been informed by the gods that he is abandoning his fated purpose by lingering there with Dido.
PS. I would've emailed this, but you don't appear to have an email address on file...
Collecting economic intelligence is completely understandable - after all, economic crises are an incredible threat to the U.S. Collecting economic intelligence makes perfect sense; it can help us prepare for and manage economic catastrophe long before it happens.
It think the part of this that people find disturbing is not so much that economic intelligence is gathered, but that it is subsequently divulged for what appears to be commercial gain, rather than in the interests of national security.
And on that basis:
Keep in mind that most of the information is OSINT (open source intelligence), and not intelligence obtained by spying. To quote the article: "Whether economic or military, most US intelligence data came from open sources, [Woolsey] said. But 'five percent is essentially secrets that we steal. We steal secrets with espionage, with communications, with reconnaissance satellites.'
Even if it is the case that 95% of intelligence is gathered from open sources (and I've no reason to doubt that), the fact still remains that it has been collated, assessed for reliability, digested and disseminated with money that is supposed to be spent on providing national security.
Market intelligence is a tremendously valuable commodity; there are certainly companies the livelihoods of which depend on selling it. To provide it 'free of charge' is a tremendous boon to the companies involved, and a subsidy which effectively comes out of a large (and largely opaquely accounted) intelligence gathering budget.
I have to disagree. If someone broadcasts sensitive information and it gets intercepted, I wouldn't call that theft. If the information is sensitive, it should be encrypted and/or routed over hard line.
So, by analogy, if you're so lax as to leave your bike unsecured, I should be entitled to steal it?
Moreover, given that the NSA (etc.) doesn't make it common knowledge exactly what its capabilities actually are in the field of cryptanalysis, what level of paranoia should companies (or, indeed, individuals) be forced to adopt in order to secure themselves?
The laws of a country apply only on that country's soil. If you break them, that country prosecutes you by their laws. Simple.
Simply wrong. Many states choose to exercise their jurisdiction over their citizens when they are abroad. For example, in England, we have laws that have been used successfully to prosecute 'sex tourists' who have sexually abused minors whilst on holiday in Thailand.
And who says a country shouldn't be able to break laws if it is willing to accept the penalties when caught? I break the law every day, speeding to work, and am willing to pay the ticket when caught.
I rather fail to see the parallel. Many countries have the doctrine of 'act of state', wherein the foreign policy actions of the government are not susceptible to any form of judicial review. There is no 'penalty' for 'breaking the rules', as such.
On the other hand, it does weaken the democratic mandate of a government which is alleged to operate constitutionally under the rule of law.
I expect my government to heed the principle that it, too, operates under the rule of law; including being contained by the boundaries that the legislature has set for it: anything else is an executive usurpation of the role of the legislature, and a violation of the core notion of the separation of powers.
I bet you wouldn't speed to work every day if you thought that the traffic cop that stopped you might decide to put a bullet in your brain rather than give you a ticket...
On 100 Mbit ethernet, a crossover cable will usually only give you 10Mbit. I assume the same will be true with gigabit. You probably won't get full speed out of a crossover cable.
I'm not sure what you're talking about; there's no good reason why a crossover cable wouldn't give a full speed connection between two 100Mbit/s NICs.
I've managed networks with plenty of 100BaseFX inter-switch links which are not much more than glorified cross-over cables, and had no problems at all.
All that a hub does (well, this isn't strictly true on newer hubs, but...) is repeat the signal; if anything, you should get faster speeds out of crossover cables, as you can run them full-duplex.
In fact, using a crossover cable should be even faster than using a switch in pure performance terms, as there's no switching delay.
What's the technical basis of your assertion?
Sure, you can get a fairly inexpensive gigabit ethernet card, but how much is the hub gonna cost. You can only connect 2 computers through a Null Cable (cross over).
You're not going to get hubs for this stuff, you're only going to get switches.
As far as I know, no vendor currently has a 1000BaseT product out there, so it's difficult to say exactly what the cost will be. But, for comparison's sake, the SuperStack II 9000SX, which is an 8-port 1000BaseSX (short haul multimode fibre gigabit) switch, retails for about £10,000, which is approximately $16,000.
Which means that this stuff isn't going to be 'string it around the bedroom for the Quake deathmatch' fodder for a few years to come.
If you want a nice whitepaper/technical document on gigabit over copper/802.3ab you could do a lot worse than to check this out.
I remember that a lot of problems cropped up when trying to do 100Mbit Ethernet on existing wiring, which only barely could manage 10Mbps. What will happen to most of the wiring already laid out? Will it have to be thrown out? I remember hearing about a Cat-6 cable. Will we have to upgrade our networks?
It's my understanding that the 802.3ab gigabit over copper standard is intended to work on standard Cat-5 cabling, so there shouldn't be any need to replace your existing cables. On the other hand, it does use all four pairs of the cable, so faults that may not have been evident beforehand might turn up...
Cat-6 cable certainly exists, and I believe there's also a Cat-7 standard (with individual routing channels through the cable for the individual pairs?), not to mention Cat-5e. I think quite a lot of the demand for this cable is drummed up by the vendors and installers of cable plant.
Also, anybody got information on how collision handling is done on this new architecture? I would suppose that, being a gigabit ethernet, it would surely see much more usage than a 100Mbps one, and being also much higher speed, there should be more collisions.
Collision handling in gigabit ethernets is a functional irrelevancy; although the 802.3z standard does have provision for shared-media networks, the last time I checked there were no products (nor any scheduled) that supported it.
Basically, if you're looking at gigabit ethernet, you're looking at a full duplex, switched network.
For what it's worth, from a technical perspective, I seem to remember that the collision detecting version uses a carrier extension to allow the network to have a useful radius (i.e. in order to avoid late collisions). The carrier extension was for some moderately significant number of bit-times, which could (theoretically) lead to pretty trashy performance with small packet, high load networks.
But, as I said before, it's not like you care, as your gigabit ethernet network is all going to be switched.
Well, no, actually...
Gigabit ethernet actually runs at 10^9 bits per second, so it would still be gigabit ethernet.
Actually, I did blank out the last five...
If you can figure what those are, you're in luck!
Nick.
This is not the first American Express smartcard, I don't think.
There is the so-called Charter Card, which is black, and comes with a pocket smartcard reader which is designed to access some of the data stored on the smartcard chip - details of foreign exchange rates, cardmember discounts, insurance, benefits and so on.
Just in case any of you think that I'm making this up, I happen to have a photo of one right here.
American Express Charter Member card.
Cool, huh?
> Software Engineering
[list of schools snipped - all US based]
The Computing Laboratory at Oxford University does an MSc course in Computation that has a software engineering strand.
If you're interested in the more theoretical end of software engineering (formal methods, Z notation, abstraction machine notation/B method, automated proof checking...) then you could certainly do a LOT worse. See Oxford Univ. Computing Lab home page.
The Comlab is also strong on reconfigurable hardware and hardware compilation, distributed/parallel computing etc.
Other problems:
Charges a fee for "free speech"- nuff said.
Oh, there's a bit of an irony here.
I think the poster may be making a mistake common to many who do not understand the concept of 'freedom' as opposed to 'cost-free'.
Usually, in free software, we call this the 'free speech vs. free beer' argument. However, the poster has evidently failed to grasp even this distinction.
If the paradigmatic alternative to 'free beer' is 'free speech', then I suggest free software should change its name to something else, like 'Bob', in order to reduce the confusion caused.
Cheers.
Nick.
The spec page claims that the display consists of 832 by 624 pixels. But on the same time line it says 155M dots. Now, 832*624=519168. This says they use roughly 300 dots per pixel.
I suspect that there's a decimal point missing somewhere in there, and they actually mean 1.55M. That's tantalizingly closer to 519K multiplied by 3 (for red/green/blue elements).
155M is waaaaaaay too many.