Slashdot Mirror


User: dossen

dossen's activity in the archive.

Stories: 0
Comments: 372

Comments · 372

  1. Re:Amazing on We Don't Need the GPL Anymore · · Score: 1

    I'm just wondering why it would matter to legal if a wholly owned affiliate has the same rights to the code they use as their mother company. It's not like any third party would have the rights to the code, even the original author - using the "written offer" option is not mandatory.

  2. Re:The junk would be obvious on Meaningful MD5 Collisions · · Score: 1

    How can the documents be created at different points in time? They consist of the following parts (if you check the postscript source, which is what is hashed):

    Postscript header
    junk
    postscript "if" using the junk as selector
    first message
    postscript "else"
    second message
    postscript "endif"

    The only difference between the two documents is the junk part.

    Creating a faked document after the fact is another kind of attack.

  3. Re:Wow...this is nerdy even for /. on Meaningful MD5 Collisions · · Score: 2, Informative

    It is actually not entirely true, that md5 (and sha1) does not account for the size of the file. Both md5 and sha1 use the same Merkle-Damgård structure, where the same function is applied to a running "total", initially an initialization vector, and a fixed-size block of the input. For both hashes, the blocks are 512 bits long, and the last block is padded and ends with the length of the file, as a 64-bit integer. So unless one of your files is extremely long, size is taken into account. Doesn't mean that size-altering is impossible, but the linked attack for one does not alter the size.

  4. Re:Common sense on Meaningful MD5 Collisions · · Score: 1

    Well, the combination I was contemplating, was concatenating the hashes, as you are absolutely right that md5(sha1(x)) is not a good idea. But (md5(x)<<160)+sha1(x), which is exactly what you end up getting, if you calculate both hashes and store the results, is as I said 288 bits of hash. And while md5 and sha1 are different, they are not that different. I'm not enough of a cryptohead to discuss the internals, but one observation is that both use the same Merkle-Damgård structure, with 512-bit blocks, padded in the same way. This means that unless you define some non-trivial transformation for the input to one of the hashes, the attack of the article will work, as long as you can find a collision for concat(md5,sha1). Finding that collision will, at most, be as difficult as any other 288-bit hash, but it might be easier (I have no idea, but the collision attacks on either function may be combinable, or some other weakness may come out this way) than with a hash-function _designed_ to utilize 288 bits. And just to point out something, this attack is not padding the files in the end to fix the hash. The payload of the document comes after the hash-collision. So if just one collision is found in a hash-function, an endless series of postscript document-pairs can be created.
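    The structural point made in comments 2 to 4 above (the colliding "junk" blocks come first, and the payload that makes the two documents display different text is a common suffix appended after the collision) can be shown with a toy Merkle-Damgård hash. The Python below is an added example, not code from the commenter or from the linked article. The compression function, block size, chaining-value size, IV and the "if junk == A" payload string are all constructed for illustration; real MD5 and SHA-1 use 512-bit blocks and 128- and 160-bit chaining values, which is why the toy shrinks both so that a collision can be found by brute force in well under a second.

```python
import hashlib
from typing import Dict, Tuple

# Toy Merkle-Damgård hash, constructed for illustration only (not MD5 or SHA-1).
BLOCK = 16   # block size in bytes (MD5/SHA-1: 64 bytes = 512 bits)
STATE = 3    # chaining-value size in bytes, 24 bits (MD5: 128 bits, SHA-1: 160 bits)
IV = b"\x01\x02\x03"   # constructed initialization vector


def compress(state: bytes, block: bytes) -> bytes:
    """Toy compression function: truncated SHA-256 of state || block."""
    assert len(block) == BLOCK
    return hashlib.sha256(state + block).digest()[:STATE]


def md_pad(msg: bytes) -> bytes:
    """Merkle-Damgård strengthening as MD5 and SHA-1 do it: append 0x80, zero-fill,
    and end the final block with the message length in bits as a 64-bit integer
    (MD5 stores that length little-endian, SHA-1 big-endian)."""
    padded = msg + b"\x80"
    while (len(padded) + 8) % BLOCK:
        padded += b"\x00"
    return padded + (len(msg) * 8).to_bytes(8, "little")


def toy_hash(msg: bytes) -> bytes:
    """Run the compression function over every block of the padded message."""
    padded = md_pad(msg)
    state = IV
    for off in range(0, len(padded), BLOCK):
        state = compress(state, padded[off:off + BLOCK])
    return state


def find_colliding_blocks() -> Tuple[bytes, bytes]:
    """Birthday search for two distinct single blocks that leave the same chaining
    value after IV. Counter-based inputs make the result deterministic; roughly
    2^12 trials are expected for a 24-bit state."""
    seen: Dict[bytes, bytes] = {}
    counter = 0
    while True:
        block = counter.to_bytes(BLOCK, "big")
        chaining = compress(IV, block)
        if chaining in seen:
            return seen[chaining], block
        seen[chaining] = block
        counter += 1


# Constructed stand-in for the PostScript payload described in comment 2: a common
# suffix whose "if" branches on the junk block that precedes it.
PAYLOAD = b"if junk == A then show(MESSAGE 1) else show(MESSAGE 2) endif"


def build_documents() -> Tuple[bytes, bytes, bytes]:
    """Return (doc_a, doc_b, junk_a): both documents share PAYLOAD and differ only
    in the colliding first block, so they have the same length and the same hash."""
    junk_a, junk_b = find_colliding_blocks()
    return junk_a + PAYLOAD, junk_b + PAYLOAD, junk_a


def render(doc: bytes, junk_a: bytes) -> str:
    """What a viewer would display: the selector block decides which message shows."""
    return "MESSAGE 1" if doc[:BLOCK] == junk_a else "MESSAGE 2"


if __name__ == "__main__":
    doc_a, doc_b, junk_a = build_documents()
    print("same hash:", toy_hash(doc_a) == toy_hash(doc_b))
    print("doc_a shows", render(doc_a, junk_a), "| doc_b shows", render(doc_b, junk_a))
```

    Once two equal-length prefixes reach the same chaining value, every later block, including the final block that carries the 64-bit length, is processed identically for both messages, so the length padding only protects against collisions between inputs of different lengths. This is also why concatenating two hashes that share this structure, as comment 4 discusses, reduces to finding one prefix pair that collides under both at once rather than to breaking a genuinely 288-bit design; for signatures and integrity checks the defensive answer is a collision-resistant function such as SHA-2 or SHA-3, not a combination of broken ones.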

  5. Re:Common sense on Meaningful MD5 Collisions · · Score: 1

    No, it's not impossible. It's at most as difficult as colliding a 288-bit (MD5 being 128-bit and SHA1 being 160-bit) hash-function, assuming that the combination of the two does not have any weaknesses. Do you have any references to analysis of the MD5+SHA1 function? Are you sure that the combination is significantly better than either of the two functions?

  6. Re:It's a copy on Download Your Brain · · Score: 1

    If all that is needed is continuity, how about speeding up the process? Would you remain the same person, if every part of your body was replaced over the span of a year? A month? A week? A day? An hour? If it is done piece by piece, one can argue continuity, regardless of the speed of the replacement (to some limit anyways, I'd say that a new piece (however you define that) needs to be in the body long enough to be able to interact with it to count (but interact how much?)).

    How about connecting your brain to a big pile of simulated neurons, or whatever we might develop to "run" uploads on. Once your brain integrates with the system, one might expect the brain to be "running" on the combined system. And if done correctly, the "real" brain might then be decommissioned, bit by bit, while making sure that the artificial replacements can fill in the gaps.

    All of this assumes that there is nothing "special" about the mind, that it is just the result of a lot of processing on an extremely powerful biological computer.

  7. Re:More attention and money for MythTV will result on MythTV Links Up with Program Guide Provider · · Score: 1

    On what grounds? As far as I can recall, you guys haven't overturned the betamax decision yet.

  8. Re:Linux needs a standard container on Why Aren't More Distros Becoming LSB Certified? · · Score: 1

    If you want to, you can create packages with few external dependencies. Just compile libraries in statically, or package them with the binary like on Windows. At most you need a wrapper script to set up library paths. But as some have already commented, this leads to dll hell: Lots of libraries strewn all over the system, updates/fixes not applying to all packages using the libraries (so an exploit against say libpng might not be fixed in all your apps at the same time (if ever)), and filling up memory with unneeded copies of the same code.

  9. Re:Agreement on We're Open enough, Says Microsoft · · Score: 2, Informative

    Well, AFAIK you do not have to agree to the GPL to _download_ and _use_ Free software. The GPL is a copyright license, which provides you with the right to distribute the software. Assume that I sell or give you a GPL'ed program (and that I include the source and the license) - you are now in possession of a legal licensed copy of the program, which you may install and use on your computer as much as you like (copyright/fair use allows the internal copying needed to use the software). If you choose to accept the GPL, you are granted additional rights, above and beyond what copyright/fair use gives you, to copy, distribute, and modify the program, as long as you distribute under the terms of the GPL. If you don't believe me, check the GPL (http://www.gnu.org/copyleft/gpl.html) yourself. Term 0 spells out what activities are governed by the GPL.

  10. Re:I cant wait on No More BitKeeper Linux · · Score: 1

    Well, as far as I understand, one developer, contracted by the OSDL, was reverse engineering BitKeeper. I've not heard anything about him having agreed to the bitkeeper license. Maybe OSDL should have stopped paying him (for work that was not related to his source control work), but that would depend on the specifics of their relationship (if he is an independent contractor for OSDL, and Linus as an employee of OSDL has a bitkeeper license, who exactly is bound by the license to what degree? Legally). BitMover is certainly entitled to take their ball and leave, but if the developer in question had actually been legally bound by the bitkeeper license, why not just file for an injunction against him? Or can you provide a reference to somebody who both signed/agreed to the bitkeeper license and worked on source control systems? I would really like to know, because it looks like somebody, who was legally free to do so, tried to implement bitkeeper, and BitMover/Larry wanted OSDL to prevent that.

    My point is that somebody was clearly doing something BitMover was against, but I think it sounds like that somebody was not legally bound to not do so, and BitMover elected to punish the Linux kernel team instead.

  11. Re:Toolsets on Python Moving into the Enterprise · · Score: 1

    You can also "use strict 'vars';"

    dossen@leela ~
    $ perl -w
    use strict 'vars';
    $foo=42;
    print "$foo\n";
    Global symbol "$foo" requires explicit package name at - line 2.
    Global symbol "$foo" requires explicit package name at - line 3.
    Execution of - aborted due to compilation errors.

    dossen@leela ~
    $ perl -w
    use strict 'vars';
    my $foo=42;
    print "$foo\n";
    42

    Not saying that perl is perfect, but for the kind of language that perl is, it seems like a good idea to make requirements like declaration of variable scope optional.

  12. Re:What were they thinking? on Microsoft Tries to Patent the Internet Again · · Score: 2, Interesting

    On ethernet it gets even better, since RFC 2464 (page 3) defines a way to derive a globally unique interface identifier from the MAC address. The great thing about IPv6, implicit in your post, is that multiple addresses on the same interface and in the same network works a lot better than with IPv4. That combined with the larger address space allows much more flexibility to put organisational and geographical structures into the routing topology (I seem to recall that the suggested prefix size for organisations/customers of ISPs is /48, leaving 16 bits of prefix to be used internally by that "user").
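    The RFC 2464 derivation mentioned above (section 4 of that RFC: split the 48-bit MAC, insert 0xFFFE in the middle, and flip the universal/local bit of the first octet) is shown here as an added Python example; it is not code from the commenter. The /48 site prefix, subnet number and MAC address in the usage are constructed sample values. The last function is the inverse check a defender wants: given an observed IPv6 address, recover the hardware address a host is exposing through its interface identifier, which is the privacy reason that RFC 4941 temporary addresses and RFC 7217 stable opaque identifiers exist.

```python
import ipaddress
from typing import Optional


def mac_to_eui64_iid(mac: str) -> bytes:
    """Modified EUI-64 interface identifier from a 48-bit MAC (RFC 2464 section 4):
    OUI (3 bytes) || 0xFFFE || device part (3 bytes), with bit 0x02 of the first
    octet (universal/local) inverted."""
    octets = bytes(int(part, 16) for part in mac.replace("-", ":").split(":"))
    if len(octets) != 6:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:6]


def link_local_from_mac(mac: str) -> ipaddress.IPv6Address:
    """fe80::/64 followed by the MAC-derived interface identifier."""
    return ipaddress.IPv6Address(b"\xfe\x80" + bytes(6) + mac_to_eui64_iid(mac))


def global_from_mac(prefix48: str, subnet: int, mac: str) -> ipaddress.IPv6Address:
    """Global address from a /48 site prefix, a 16-bit subnet number (the bits the
    comment says are left for internal use) and the MAC-derived identifier."""
    site = ipaddress.IPv6Network(prefix48, strict=True)
    if site.prefixlen != 48:
        raise ValueError("expected a /48 site prefix")
    if not 0 <= subnet < (1 << 16):
        raise ValueError("subnet number must fit in 16 bits")
    prefix64 = site.network_address.packed[:6] + subnet.to_bytes(2, "big")
    return ipaddress.IPv6Address(prefix64 + mac_to_eui64_iid(mac))


def mac_from_address(addr: str) -> Optional[str]:
    """Inverse check: if the interface identifier carries the 0xFFFE marker, return
    the MAC address the host is exposing; otherwise None (privacy or opaque IID)."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
    return ":".join(f"{b:02x}" for b in mac)


if __name__ == "__main__":
    # Constructed sample values: documentation prefix, subnet 16, made-up MAC.
    sample_mac = "00:11:22:33:44:55"
    print(link_local_from_mac(sample_mac))
    print(global_from_mac("2001:db8:1::/48", 16, sample_mac))
    print(mac_from_address("2001:db8:1:10:211:22ff:fe33:4455"))
```

    Running the inverse function over an address inventory or flow logs is a cheap way to find hosts still using MAC-derived identifiers, which let an observer correlate the same machine across networks and over time even as its prefix changes.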

  13. Re:No, they want to keep their integrity. on Will Sun's Java Go Open Source? · · Score: 1

    Actually operator overloading shouldn't be too much of a problem, since the obvious way to implement it would be as syntactic sugar - constructs that compile into code already writable in java.

    Say something like:

    public class Foo {
        public Foo operator+(Foo f) {
            return <The result of adding this and f>;
        }
    }
    ...
    Foo foo = foo1+foo2;

    Into:

    public class Foo {
        public Foo operator_plus(Foo f) {
            return <The result of adding this and f>;
        }
    }
    ...
    Foo foo = foo1.operator_plus(foo2);

    Sprinkle some of that around, choose a good way to mangle the names, and possibly add some casts and stuff to ensure the correct semantics - there you have a java compiler that does operator overloading - without changing the VM.

    Might still make people want to use this compiler, but all it breaks is source compatibility. Incompatible libraries might be worse (incompatible bugs, need to do lots of runtime checking and branching), but that can sorta already happen with third party packages and newer JRE's (I think Sun tries hard to avoid it).

  14. Re:All I can say... on OSS Unix: Dividing & Conquering Itself · · Score: 1

    I'm not trying to bypass security. I'm simply looking for a way to make a program that runs with my userid behave in a way that is optimal to my use. If that can violate the sitewide security, the sitewide security needs fixing.

  15. Re:All I can say... on OSS Unix: Dividing & Conquering Itself · · Score: 1

    Thanks, I guess I'll have to find time to study the gconf docs one of these days. btw, it seems you can actually do it the "right" way, if root allows you to do CORBA over tcp. Maybe I'll try that one of these days (at home where root == me).

  16. Re:All I can say... on OSS Unix: Dividing & Conquering Itself · · Score: 1

    Well... changing the gconf config in /etc is really out of the question, since I'm just a user on the system. Is this doable in a way, that allows config changes to be explicitly committed to ~/.gconf on demand (I do occasionally want to change stuff), and does not require root?

  17. Re:All I can say... on OSS Unix: Dividing & Conquering Itself · · Score: 1

    Or just enough support to allow me to run the gnome desktop on two or more machines with shared (nfs) homedirectory simultaneously, without complaining.

    If anybody has achieved that, I would love to know how.

  18. Re:Not always. on Optimizations - Programmer vs. Compiler? · · Score: 1

    Since I do not wish to enter a pissing contest about experience, I might as well admit that I do not have 10-20 years of experience (although I've worked on a decent size codebase). But I still would like to know why on earth you want to use comments to document where functions and variables are defined? If it is object-oriented code, there ought to be at least one IDE, which will allow you to jump directly to the _correct_ definition of functions and variables, without having to keep updated comments, manually opening the right file, and finding the right line. For other things, I've never needed more than ctags or similar tools. I'm _not_ saying that it should be hard to find stuff, but why on earth would you keep a record by hand, when it is perfectly possible to do it automatically (after all, the compiler must do it anyway)? Or is your code so dynamic that you never know where a function is from or something? I'm really having a hard time figuring out how this kind of comment could be a net gain (time spent keeping comments current vs. time saved following comments to code vs. just using automatic tools to search/crossreference/hyperlink the code)?

  19. Re:Is it just me? [OT] on eBay Begins A Change · · Score: 1

    Well, while I think most of us agree that such a URL is just plain fugly, there is nothing in the _URL_ to suggest that ebay does not validate the input, track suspicious behaviour etc. But I agree that putting a mod_rewrite or something in front makes it not only nicer but also a bit more difficult for a random surfer to construct "attack" URLs (As I implied, if they validate the input, properly, any CGI can be safe).

  20. Re:Right, and I have a bridge I'd like to sell you on Nanotech Brings Battery Life Extender for Mobiles · · Score: 1

    I'm not saying that I believe them, but arguing wavelength by comparing to the size of atoms sounds a bit dodgy to me. For reference, 5 to 10 microns is in the wavelength band of infrared radiation, quite close to visible light (REF: http://www.krysstal.com/spectrum.html). Granted, they are claiming electron emission, not photon, but I just think there are much better arguments against this tech.

  21. Re:copyright on Zimmermann Enters Debate on Microsoft Encryption · · Score: 1

    You might very well like to take your works with you to the grave. How will you in practice achieve this? Either you need to keep them secret (drm, whatever) and thus you do not need the protection of copyright, or you have to rely on society to protect your rights for you, via copyright. If you choose copyright as your protection, then for it to work society needs to enforce your will. That means (in some small way) that _I_ have to pay to have your rights protected. The majority of society has decided that we are not willing to pay for your protection in all eternity, but we have decided that it is in our best interest to grant it to you for a limited time. If you don't like it, you can stop publishing, nobody is forcing you. If you can invent some way to enforce an "eternal copyright" that does not burden society, by all means tell us about it, but as information can be copied non-destructively and normal crypto does not work (drm is not about keeping secrets, it's about sharing them (with a limited group), implying that the user needs to be able to access the information, leading to society needing to back it up with dmca-like laws) I say "good luck".

  22. Re:Not so bad, but not so good either on FBI Wants To Limit Document Searches · · Score: 1

    One simple problem could be, if the files were scanned, but not (perfectly) OCR'ed. Maybe the budgets do not permit reentry of the data in (fulltext) searchable form. Maybe all that is possible is scans and keywords. Just thinking out loud.

  23. Re:Correction - not text sizes, but paper sizes on Printing XML: Why CSS Is Better than XSL · · Score: 1

    I'm only guessing here, but since it's "cascading stylesheets", maybe a renderer (browser or whatever) should allow one to apply a suitable stylesheet, if printing options differ from those in the provided stylesheet? Another option would be to fit pages like PDF readers do (pdfs also usually (always?) have pagesize hardcoded).

  24. Re:Unclean hands....Hmmmm. on BayTSP Provides Automatic DMCA Notices · · Score: 1

    Sorry, eye-brain-hand interfacing malfunction.

  25. Re:Unclean hands....Hmmmm. on BayTSP Provides Automatic DMCA Notices · · Score: 1

    Not just "...some bittorrent clients...". The whole idea of bittorrent is that everybody uploads the pieces of the torrented data they have. You will get lousy performance if you don't.