512 MB video RAM *is* practical, for some applications. The Slashdot blurb missed the point. More video RAM doesn't have performance benefits*, it has quality benefits. It allows more and higher quality textures and innovative new rendering techniques.
Your current games likely won't use 512 MB of video RAM, so you're right that it isn't practical to buy one of these just now for gaming (and gamers will probably buy it anyway). But future games will benefit with more realistic graphics, and other 3D card applications (3D modeling, visualization, offline rendering, vector processing, accelerating next-gen GUIs like Xorg/Longhorn) could definitely use the extra room immediately.
* well, it could have performance benefits if you're already using more textures than your video RAM can hold and thus spilling over into main RAM. But games go to great pains to avoid this so you likely aren't.
Um, you just excepted the main reason. BitTorrent on a 100 Mbps up/down connection would be heaven. If everybody had it, you could download songs in seconds, movies in minutes, anything in less than an hour. This will probably be a main reason why people go for 100 Mbps-class connections. But not only would it be heaven for pirates, it would be great for simply sharing your own files, pictures, home movies, using hi-def videophones, getting hi-def video on demand, even broadcasting your own TV station live over the Internet; whatever you want. Basically, 100 Mbps up/down + BitTorrent would make everybody in the world a major media distribution powerhouse to equal any government, news organization, or global corporation.
It would be the end of all kinds of media distribution/production monopolies/oligarchies (landline phones, cable TV, TV stations in general, RIAA, MPAA, etc). Only the most draconian enforcement of copyright law would be able to preserve the content industries we have today. DRM could possibly preserve the software industry as we know it; however music and video DRM is doomed to fail because of the analog hole. The movie industry might survive by using strict security at theaters to eliminate film redistribution, and never releasing to the general public, or only releasing very old movies. But this would be hard to pull off and would remove DVDs as a revenue stream. The music industry as we know it is doomed; it will shrink back down into a concert industry. The book industry will likely be relegated to a printing service for free texts.
I'm not saying that this is all necessarily a good thing or a bad thing; it's just the truth. Personally I feel it will have many bad effects, but the good might outweigh the bad, though it seems inevitable regardless so we'll just have to wait and see.
I have a question for you, if you're reading. Are you excited about that research implanting electrodes into monkey brains for them to control robot arms and such? If I were disabled, I would be volunteering for that stuff if they're accepting volunteers. Not necessarily to control robot arms (seems likely to be of limited use when the robot arms are not going to be nearly as capable or sensitive as human arms/hands), but to control computers with a brain mouse or even a brain keyboard or gamepad. Then you could browse the net easier, play whatever game you liked, or even get a job coding. You might even be able to type faster than other people can with their hands.
Same with Battlestar Galactica. Sky One (the UK's version of DirecTV or Dish Network) apparently is in a partnership with the SciFi channel. The entire first season of Battlestar Galactica was shown on Sky One in the UK before it started airing in the US. So if you're a US watcher, you can download the rest of the season right now! Not that I recommend this or anything.
That's fine for providing information overlays (actually it looks really cool, if the mirror can be made smaller and less obvious, and you use one of those phone microphones that hangs at your throat instead of that obvious one he has), but it looks like that's all his current system can do. The system in the article is supposed to be an "immersive" type system, where the entire field of view is replaced by virtual reality. You'd need two large mirrors to do that with his system, pretty much necessitating a helmet. The two systems are for different applications.
He is not merely a processor emulating god; he is a coding god in general. Look at his project page. QEmu is not even his most significant project! He the main force behind the FFMpeg project, which is the premier open-source library for all things video-related (including open-source encoders and/or decoders for nearly every video/audio codec known to man). You can thank him for much of the progress that MPlayer/Xine have made, especially on non-x86 systems.
In addition, he has implemented a complete C99 compiler, and a software modem (unfortunately incomplete), which is the hard part of making open-source WinModem drivers. Also, an emacs clone which also happens to have full Unicode support (including bidirectional editing), *and* a built-in HTML/CSS2 renderer with WYSIWYG editing.
And if that wasn't enough, he has won awards in the IOCCC twice. If that doesn't prove he's a true coding god, I don't know what would. He has done all of this in his free time, for no pay. I think it is safe to say that he *really* deserves a sponsorship.
It has always been Fabrice's intention to have the accelerator GPL'd; he uses the word "when" to describe the event rather than "if". He is just looking for a sponsorship first; hopefully some company will soon provide him with one (Lindows^H^H^H^Hspire perhaps?) If nobody does sponsor him within a year or so, I imagine that somebody else will write a different accelerator unless he releases his own; there is quite a bit of demand.
I will probably be moderated down for this, but: likely yes. Mozilla has a few crash bugs; Konqueror has more. It is quite likely that some of those bugs are exploitable; then just use a Linux kernel privelege-escalation exploit (of which there are also many) to instantly become root. Voila; r00ted Linux system in two easy steps. Just because nobody bothers to do it (Konqueror's market share is necessarily even smaller than the Linux desktop market; it doesn't even come close to Mozilla's measly percentage) doesn't mean it's impossible.
Of course I knew about maxRequestLength. I can use Google. You must have a funny definition of "works fine". Mine doesn't include "takes far too long and leaks hundreds of megabytes of memory on the server". You must have a lot of RAM on your machine if you didn't notice the gobs of it being chewed up and spat on the floor. As the files get even larger, the problem gets worse exponentially as Windows starts swapping. The same task can be done by other systems using very little RAM (the used RAM does not need to be proportional to the file size). It's basically not possible to fix it unless you go to third-party products.
OK, in all my searches about ASP.NET, I never once ran into that page; and while manually browsing through the literally hundreds of MSDN magazine back articles relating to ASP.NET it is easy to miss, especially with such a generic name. Hard-to-find documentation is just as bad as no documentation. That article should be announced with trumpets in the API docs for relevant classes (Page, for example). As it is, the API docs contain very little of that information, and no link to that article. I still maintain that the API is badly designed, with objects changing under you all the time and/or not responding to your commands. It doesn't have to be that way. I won't even dignify your last questions with an answer.
Re:Broken, but not for everything...
on
SHA-1 Broken
·
· Score: 1
I know what they did, but they *said* "2^11 less operations", not "2^11 times fewer operations". There's a big difference, and people could be misled.
I said *large* file. Have you tried it? Actually I know you haven't because otherwise you wouldn't be posting that code. Please try uploading a 100 MB file to that page and then get back to me. (And yes, I do need the capability to upload 100 MB files; don't try to rationalize ASP.NET's problems away by saying that's stupid or unimportant.)
The documentation *is* quite weak on specifying when you can and can't set certain properties of objects on a page. Telling me that MSDN exists (duh!) doesn't prove me wrong. Furthermore, the fact that setting many properties can silently fail, or the fact that properties you just read can change unexpectedly due to this complexity is just bad API design, even if there was excellent documentation.
Re:Not a problem (yet) - Do the math!
on
SHA-1 Broken
·
· Score: 1
Let me point out that an executable can have any amount of abrbitrary junk appended to it, or stuck in the middle, so signed executables make a great candidate for this type of attack (though of course the attack wouldn't work unmodified, it is entirely possible that it could be fixed). In addition, the same techniques (which are now, or soon to be, public knowledge) might be useful in constructing more serious attacks, even though the current attack isn't very useful, which was my main point. Let me further point out that only a moron wouldn't realize that hashes aren't unique, and by spending most of your post needlessly flailing that dead horse you have only proved how badly you missed the point.
Re:Not a problem (yet)
on
SHA-1 Broken
·
· Score: 1
Yes I know. That's why I mentioned it. The attack doesn't allow that.
Re:Not a problem (yet)
on
SHA-1 Broken
·
· Score: 1
Sounds prudent to me, as long as you have the CPU time to spare.
Re:Not a problem (yet)
on
SHA-1 Broken
·
· Score: 4, Interesting
Thought by much of the Slashdot community, as general reaction to this article shows. Until today, the prevailing Slashdot wisdom was that MD5 was weak and broken and SHA-1 was strong. Now we know that's not the case. Maybe this is no surprise to your circle of cryptography guru friends, but nobody told me until now.
Re:Not a problem (yet)
on
SHA-1 Broken
·
· Score: 2, Informative
There is no logic flaw. Your summary of the first attack is not correct. The attack does not allow you to produce data that has a specified hash value. It allows you to find two sets of data with the same hash, but you don't control the actual hash value. Think of it this way: the process of attaking the hash involves two sets of data; you perform the attack by modifying *both* data sets until their hashes are the same. Now you have two different data sets with the same hash, but the actual hash value is random and not controlled by you.
Re:Broken, but not for everything...
on
SHA-1 Broken
·
· Score: 1
That comment is wrong. 2^80 - 2^69 != 2^11. You can't subtract exponents like that. 2^80 - 2^69 is actually larger than 2^79. So they actually reduced the number of operations necessary to crack the hash by more than 2^79 (from the original 2^80)!
Not a problem (yet)
on
SHA-1 Broken
·
· Score: 5, Informative
For password hashes this attack shouldn't be a problem, if it is as described in the article. The attack does only one thing: allows an attacker to generate two streams of data which hash to the same value. This is a problem for digital signatures, because somebody can sign one data stream, then distribute another with the same signature. So the signature doesn't guarantee the data has not been modified. However, this attack does not allow an attacker to magically deduce your password from its hash, or even generate another password that would hash to the same value as yours. So you don't need to immediately jump up and replace SHA-1 wherever you use it.
OTOH, this attack indicates that other types of attacks may be found sooner than was previously thought. So it is still a good idea to move away from SHA-1 in the medium to long term. Though it's not entirely clear what you should move to. And it is not certain that more attacks will be found soon.
In my experience this is both a blessing and a curse. It is great when you can slap a DataGrid on a page and have a simple report with basically no work. It is horrible when you're trying to do something moderately complex (uploading large files, for one exmaple of many) and you have to become inimately familiar with a huge chunk of a huge complex class structure in order to make it do what you want (if it's even possible). Or you get caught in an issue that depends on the order in which things are initialized, so you set properties of objects on your page which later get overwritten and you can't figure out why. (The documentation is not very helpful here, and these problems are common because many things in ASP.NET depend on order of initialization).
ASP.NET is nice for some things, but I often find myself wishing I'd tried some other solution.
This would also help stop Google abuse. Right now, whenever somebody follows a link from Google, their search terms are sent to the site in the Referer header. This makes it easy for "Search Engine Optimizers" (more like search engine spammers) to figure out exactly which terms people are using in their searches, and what techniques people are using to try to filter out their spam in the search results. I think without this information the search engine spammers would be a lot less effective.
The Referer header is still useful in many situations; it is only a problem when people abuse it. I think the real solution is to add a new "ref" attribute to the HTML anchor tag. For example <a href="http://dontlinktous.com ref="http://bogusreferer.com">. This way the referer could continue to be useful for the majority of cases (statistics), but when it is abused it could easily be changed, and the abuse therefore thwarted.
The million dollars would not come out of his pocket; there is a fund already set aside for that purpose, so he really has no reason to care whether or not the fund is given out, in a monetary sense.
Also, you are more prone to typing errors when typing a long passphrase. Though I suppose typing an English sentence could be easier than typing, for example, D84*#ijo).
I really wonder about the long-term viability of this solution as well. Sure, it makes brute-force attacks harder because the password is longer, but it also makes each character of the password much easier to guess because it makes up a coherent English sentence. Those crazy security wizards will probably come up with a way to defeat passphrases as well, by using an enhanced dictionary type attack that strings words together into semi-coherent sentences.
An eight-word password does have a lot more possibilities than an eight-character password, because there are a LOT more words than there are characters. However, in coherent English sentences, some words are WAY more common than others. Has the analysis been done to see if English sentence passphrases really are theoretically stronger than passwords?
Furthermore, it isn't even within the Wikimedia Foundation's power to grant an exclusive deal to anybody. Wikipedia's content is licensed under the GNU Free Documentation License. Everybody can use, copy, redistribute, and modify Wikipedia content without fear of violating any law (which is why you see many crap sites such as this one repackaging wikipedia content with ads). It's hard to see how anybody could make an exclusive deal with Wikipedia when the content is free for everybody to copy at will. In the worst case, Wikipedia could simply be forked.
Slashdot Mirror
Your current games likely won't use 512 MB of video RAM, so you're right that it isn't practical to buy one of these just now for gaming (and gamers will probably buy it anyway). But future games will benefit with more realistic graphics, and other 3D card applications (3D modeling, visualization, offline rendering, vector processing, accelerating next-gen GUIs like Xorg/Longhorn) could definitely use the extra room immediately.
* well, it could have performance benefits if you're already using more textures than your video RAM can hold and thus spilling over into main RAM. But games go to great pains to avoid this so you likely aren't.
It would be the end of all kinds of media distribution/production monopolies/oligarchies (landline phones, cable TV, TV stations in general, RIAA, MPAA, etc). Only the most draconian enforcement of copyright law would be able to preserve the content industries we have today. DRM could possibly preserve the software industry as we know it; however music and video DRM is doomed to fail because of the analog hole. The movie industry might survive by using strict security at theaters to eliminate film redistribution, and never releasing to the general public, or only releasing very old movies. But this would be hard to pull off and would remove DVDs as a revenue stream. The music industry as we know it is doomed; it will shrink back down into a concert industry. The book industry will likely be relegated to a printing service for free texts.
I'm not saying that this is all necessarily a good thing or a bad thing; it's just the truth. Personally I feel it will have many bad effects, but the good might outweigh the bad, though it seems inevitable regardless so we'll just have to wait and see.
I have a question for you, if you're reading. Are you excited about that research implanting electrodes into monkey brains for them to control robot arms and such? If I were disabled, I would be volunteering for that stuff if they're accepting volunteers. Not necessarily to control robot arms (seems likely to be of limited use when the robot arms are not going to be nearly as capable or sensitive as human arms/hands), but to control computers with a brain mouse or even a brain keyboard or gamepad. Then you could browse the net easier, play whatever game you liked, or even get a job coding. You might even be able to type faster than other people can with their hands.
Same with Battlestar Galactica. Sky One (the UK's version of DirecTV or Dish Network) apparently is in a partnership with the SciFi channel. The entire first season of Battlestar Galactica was shown on Sky One in the UK before it started airing in the US. So if you're a US watcher, you can download the rest of the season right now! Not that I recommend this or anything.
That's fine for providing information overlays (actually it looks really cool, if the mirror can be made smaller and less obvious, and you use one of those phone microphones that hangs at your throat instead of that obvious one he has), but it looks like that's all his current system can do. The system in the article is supposed to be an "immersive" type system, where the entire field of view is replaced by virtual reality. You'd need two large mirrors to do that with his system, pretty much necessitating a helmet. The two systems are for different applications.
I think somebody should upload this picture to Wikipedia for the "nerd" article. Especially the helmet on the left; that picture is priceless.
Can you run Windows from the partition where it is already installed on your hard disk? That's all I'd ever want to use it for.
In addition, he has implemented a complete C99 compiler, and a software modem (unfortunately incomplete), which is the hard part of making open-source WinModem drivers. Also, an emacs clone which also happens to have full Unicode support (including bidirectional editing), *and* a built-in HTML/CSS2 renderer with WYSIWYG editing.
And if that wasn't enough, he has won awards in the IOCCC twice. If that doesn't prove he's a true coding god, I don't know what would. He has done all of this in his free time, for no pay. I think it is safe to say that he *really* deserves a sponsorship.
It has always been Fabrice's intention to have the accelerator GPL'd; he uses the word "when" to describe the event rather than "if". He is just looking for a sponsorship first; hopefully some company will soon provide him with one (Lindows^H^H^H^Hspire perhaps?) If nobody does sponsor him within a year or so, I imagine that somebody else will write a different accelerator unless he releases his own; there is quite a bit of demand.
I will probably be moderated down for this, but: likely yes. Mozilla has a few crash bugs; Konqueror has more. It is quite likely that some of those bugs are exploitable; then just use a Linux kernel privelege-escalation exploit (of which there are also many) to instantly become root. Voila; r00ted Linux system in two easy steps. Just because nobody bothers to do it (Konqueror's market share is necessarily even smaller than the Linux desktop market; it doesn't even come close to Mozilla's measly percentage) doesn't mean it's impossible.
OK, in all my searches about ASP.NET, I never once ran into that page; and while manually browsing through the literally hundreds of MSDN magazine back articles relating to ASP.NET it is easy to miss, especially with such a generic name. Hard-to-find documentation is just as bad as no documentation. That article should be announced with trumpets in the API docs for relevant classes (Page, for example). As it is, the API docs contain very little of that information, and no link to that article. I still maintain that the API is badly designed, with objects changing under you all the time and/or not responding to your commands. It doesn't have to be that way. I won't even dignify your last questions with an answer.
I know what they did, but they *said* "2^11 less operations", not "2^11 times fewer operations". There's a big difference, and people could be misled.
The documentation *is* quite weak on specifying when you can and can't set certain properties of objects on a page. Telling me that MSDN exists (duh!) doesn't prove me wrong. Furthermore, the fact that setting many properties can silently fail, or the fact that properties you just read can change unexpectedly due to this complexity is just bad API design, even if there was excellent documentation.
Let me point out that an executable can have any amount of abrbitrary junk appended to it, or stuck in the middle, so signed executables make a great candidate for this type of attack (though of course the attack wouldn't work unmodified, it is entirely possible that it could be fixed). In addition, the same techniques (which are now, or soon to be, public knowledge) might be useful in constructing more serious attacks, even though the current attack isn't very useful, which was my main point. Let me further point out that only a moron wouldn't realize that hashes aren't unique, and by spending most of your post needlessly flailing that dead horse you have only proved how badly you missed the point.
Yes I know. That's why I mentioned it. The attack doesn't allow that.
Sounds prudent to me, as long as you have the CPU time to spare.
Thought by much of the Slashdot community, as general reaction to this article shows. Until today, the prevailing Slashdot wisdom was that MD5 was weak and broken and SHA-1 was strong. Now we know that's not the case. Maybe this is no surprise to your circle of cryptography guru friends, but nobody told me until now.
There is no logic flaw. Your summary of the first attack is not correct. The attack does not allow you to produce data that has a specified hash value. It allows you to find two sets of data with the same hash, but you don't control the actual hash value. Think of it this way: the process of attaking the hash involves two sets of data; you perform the attack by modifying *both* data sets until their hashes are the same. Now you have two different data sets with the same hash, but the actual hash value is random and not controlled by you.
That comment is wrong. 2^80 - 2^69 != 2^11. You can't subtract exponents like that. 2^80 - 2^69 is actually larger than 2^79. So they actually reduced the number of operations necessary to crack the hash by more than 2^79 (from the original 2^80)!
OTOH, this attack indicates that other types of attacks may be found sooner than was previously thought. So it is still a good idea to move away from SHA-1 in the medium to long term. Though it's not entirely clear what you should move to. And it is not certain that more attacks will be found soon.
ASP.NET is nice for some things, but I often find myself wishing I'd tried some other solution.
The Referer header is still useful in many situations; it is only a problem when people abuse it. I think the real solution is to add a new "ref" attribute to the HTML anchor tag. For example <a href="http://dontlinktous.com ref="http://bogusreferer.com">. This way the referer could continue to be useful for the majority of cases (statistics), but when it is abused it could easily be changed, and the abuse therefore thwarted.
The million dollars would not come out of his pocket; there is a fund already set aside for that purpose, so he really has no reason to care whether or not the fund is given out, in a monetary sense.
I really wonder about the long-term viability of this solution as well. Sure, it makes brute-force attacks harder because the password is longer, but it also makes each character of the password much easier to guess because it makes up a coherent English sentence. Those crazy security wizards will probably come up with a way to defeat passphrases as well, by using an enhanced dictionary type attack that strings words together into semi-coherent sentences.
An eight-word password does have a lot more possibilities than an eight-character password, because there are a LOT more words than there are characters. However, in coherent English sentences, some words are WAY more common than others. Has the analysis been done to see if English sentence passphrases really are theoretically stronger than passwords?
Furthermore, it isn't even within the Wikimedia Foundation's power to grant an exclusive deal to anybody. Wikipedia's content is licensed under the GNU Free Documentation License. Everybody can use, copy, redistribute, and modify Wikipedia content without fear of violating any law (which is why you see many crap sites such as this one repackaging wikipedia content with ads). It's hard to see how anybody could make an exclusive deal with Wikipedia when the content is free for everybody to copy at will. In the worst case, Wikipedia could simply be forked.