Slashdot Mirror


User: ajs

ajs's activity in the archive.

Stories
0
Comments
4,773
First seen
Last seen
Profile
(view on slashdot.org)

Comments · 4,773

  1. Got to be getting sloppy on Results From "Jam Echelon Day" · · Score: 4
    Echelon has already got to be getting sloppy. There's so much traffic that's going to be hard to handle. For example, VPNs are becoming quite popular, and while I'm sure the NSA has the technology to crack the top 10 hardware-VPN strategies, I'm also sure that the fact that, e.g. F5's BigIP ships with a myriad of encryption options has got to be pissing them off. This could be defeated by making a "deal" with companies that ship VPN hardware, but still, software VPNs aren't uncommon at all, and they too have a myriad of options.

    I also can't see the NSA throwing compute resources at every single Email message with image attachments (unless they just have a statistical analyzer that tells them if a given image might have been dicked with to embed encrypted text).

    Overall, I'd say that Echelon is now pretty much stuck with three classes of analysis:

    1. By individual (e.g. anything coming from the Iraqi embasy or from an anonymous remailer is probably worth breaking).
    2. By analyzing plain text (it's amazing how much info can be gained by looking at what isn't obfuscated).
    3. By breaking certain cyphers which they have standard attacks for. For example, it's basically a given at this point that they have built the next-generation of the DES craker, and can probably take DES-encrypted data-streams apart in real time. 3DES is probably just as unsafe.

    Given the above and the fact that almost no one encrypts phone converstations, I'll bet Echelon gets quite a bit, but it would be easy to move data through in the noise in such a way that it would be almost impossible to detect, much less break.

    How would I do it? Probably by setting up several VPNs which constanntly move random data. I would use several encryption technologies, and occasionally move small chunks of the real data over arbitrary subsets of the pipes. The real data would, of course, be encrypted once re-assembled using yet another scheme. Just to muddy the waters, I would also move chunks of the newspaper this way at least once a day.

    Of course, I would only do this if I had something to hide, but these days, every business has something to hide, because you never know if your competition is bribing some lacky at the NSA to get your Email. Sure, that would be hard. Just look at the excellent security that the DOE was maintaining.... :-(

    These days businesses can't affort to not be paranoid. And, yes, I know there are several simple flaws with the above, but if I told you exactly what I'd do, someone would write an engine to detect it, and that would defeat the point.
  2. Re:It might be tough, but "think about the childre on FTC Regulates Kids' Privacy Online · · Score: 2

    Of course, there's a big difference between someone that wants to kidnap children, and a web site aimed at kids. But there's still the same possibility that things could happen.

    So, there's a big difference, but "things could happen"? Things could happen when a kid walks down the street. Let's require people to be pulled over, and their cars searched every time they drive through a school-zone too!

    If a web site aimed at kids asks an 'innocent' question such as "Do you go home to an empty house after school?" [...] that could lead to robbery and maybe kidnapping if the right person got a hold of the info.

    Oh, yeah, of course! So, the obvious solution is to make collecting the information illegal. Gee, if a site is collecting this sort of information in order to break into someone's home and steal their stuff and maybe kids, making an HTML form illegal will certainly be a major deterant....

    On the other hand, if you simply monitor the Web (not packet snooping, just visiting the same sites that the kids do) for such suspicious activity as people asking kids if they go home alone, maybe you'd STOP these crimes. Actually, this law is unenforcable, since anyone who wants this sort of information can get it in subtler ways (e.g. a site for "Kids who are home alone", which does not require any information be given, but has a chat forum in which you can then ASK questions, which is still not illegal).

    I get so sick of "protect the kiddies" as a battle cry for minimal-effort regulation that actually does more to hurt kids and the Net than help....

  3. Protecting from WHAT? on FTC Regulates Kids' Privacy Online · · Score: 2

    The statute and rule apply to commercial Web sites and online services directed to, or that knowingly collect information from, children under 13. To inform parents of their information practices, these sites will be required to provide notice on the site and to parents about their policies with respect to the collection, use and disclosure of children's personal information. With certain statutory exceptions, sites will also have to obtain "verifiable parental consent" before collecting, using or disclosing personal information from children. The rule will become effective on April 21, 2000, giving Web sites six months to come into compliance with the rule's requirements.

    So, is this to mean that the kiddies will have to get their parent's permission to sign up with Slashdot? Does anyone have the text of the actual act, and can comment on WHAT has to be collected to count? Do cookies count? Username/password registration? What?

    Sigh, more "protect the kiddies" legislation. Would someone please run for office on the "please don't protect me" agenda?

  4. Why so anti-Linux? on FreeBSDCon Quickies · · Score: 1

    Unlike Linux, however, FreeBSD has received high profile corporate endorsements from the likes of Yahoo and even Microsoft, a company which uses FreeBSD in both its HotMail and LinkExchange subsidiaries.

    Yeah. No one runs Linux sites.... ;-)

    Seriously, though, I found this whole article rather disturbing. It's so Linux vs. BSD. We are all open source. We are all part of the community. Why is that so hard to grasp?

    Yes, BSD is a much clique-ier world. Yes, Linux has more trigger-happy flame-kiddies. But, that's not what either effort is about. Let's just choose the right tools for the job, and at some point we'll all have a beer together....

  5. Re:More details soon (PLEASE?) on Linux Kernel 2.2.13 Makes the Scene · · Score: 2

    Actually, the more I look at this, the more annoying it is. There are no release notes anywhere. I've looked at cutting edge, kernelnotes, Alan's site. No one claims to even know that 2.2.13 *is*.

    Is this supposed to prevent people from addopting 2.2.13 too fast? What's the deal? I really should not have to read the development mailing list archives to find out what the latest "stable" kernel does.

    That said, I can see the other side of the coin. Most of the people who should upgrade are those who have specific problems, and their vendors will direct them to the new version.... I dunno, it just seems odd. What do others think?

  6. More details soon, I expect on Linux Kernel 2.2.13 Makes the Scene · · Score: 3

    Look to the kernelnotes site for more details. I expect the changes list will appear there first....

  7. Releasing specs? on ATI Announces Open 2D/3D Linux Support · · Score: 3

    I suppose this is a good thing, but I have to compare to people like S3. When I couldn't get my S3 Virge GX2-based card to work, I went to S3's site, filled out a form and 2 days later got a 3-inch-thick specification book in the mail. They didn't even ask if I was working on an Open Source project.

    Good to see another company smartening up, though. Eventually I look forward to the day they all write their own XFree86-4 module....

  8. Meta-Palm observation on Color Palms Announced · · Score: 2

    Here's an interesting factoid about the Palm community on Slashdot:

    I keep my talkback threshold set to 2 (except when I'm moderating), and with most articles, I end up seeing between 5 and 15 percent of the articles. When a palm article hits, I see around 25% of the articles!

    I'll have to keep tabs on what these Palm folks have to say...

  9. More references and activism info on Basic Patent Law for Programmers · · Score: 3
  10. internet.com history on LinuxToday Acquired By Internet.com · · Score: 4

    Interesting. I used to have a lot of friends who worked for "The Internet Company, Inc." which was internet.com before they failed and sold the domain off.

    This was always one of the scarriest things to me. How can a company that owns internet.com fail?! All you have to do is put a credit-card submission form on your home page with a "give us a dollar and get your name on our site" or whatever. Remember, if you just type "internet" into most browsers, you end up at internet.com. How many newbies do you think do this? The answer, as I recall, was lots.

    Ah well, leave it to a startup to not see what they've got.

  11. More detail: Not Motif... maybe on Linux to Get Windows Apps? · · Score: 2

    From MainWin:

    These Windows Services on UNIX incorporate several
    million lines of Windows source code, assuring you that your code will run on UNIX exactly as it does on NT.

    MainWin's implementation of Win32 on UNIX is a thin, efficient layer that sits directly on top of UNIX operating system low-level
    services. MainWin's Win32 for UNIX supports the full range of Win32 API calls on the UNIX operating system.


    Er... does anyone else see a contradiction here? I want to hear from someone who's got their hands on this beast. Does it use a toolkit? Does it even use X? Is it as much of a pig as it sounds?

    Questions.....

  12. Don't place any bets on Linux to Get Windows Apps? · · Score: 5

    Microsoft is likely willing to spend an awful lot of money on "market research". At this point, they are probably just trying to find out how viable a platform Linux is. The added bonus is, if they port Win32 now, they won't have to port it later if they find that they need to ship something under Linux. This is also a cheap way to test the FUD waters. After all a lot of people are thinking of porting apps to Linux. If MS announces that Win32 may support Linux "Real Soon Now", those plans may be de-railed by companies that don't want Linux porting to be a waste of their time...

    My question is this, though: what underlying toolkit will they use. Will it be based on raw Xlib (good for speed), Motif (a lose just about all the way around, at this point), GTk+ or Qt (good, full-featured toolkits with powerful features "free") or GNOME or KDE (even more features than their underlying toolkits, but even more bloat to put the world's most bloated toolkit on top of). I think that at this point even GNOME is not in a position to be a simple back-end to a Win32 port (i.e. there is not a 1-1 mapping from all Win32 features to GNOME, yet), so there's going to be a lot of glue code no matter what. I'd hate to see Win32 apps released for Linux, and be 10 times slower out of the gate.

    This will be fun to watch, but I doubt it will pan out as anything serious just yet.

  13. Re:Change the rules on Trend: More Software Patents · · Score: 2

    Essentially what you're asking is for companies to take gambles that their huge court bills will be reimbursed when they win. This is a risky business at the very least.

    Why would you want other businesses to do it? It should be something that DoJ could spend some time researching. Perhaps they could even use the same site that I proposed for the USPTO, in order to figure out which ones were spurious before they became actual patents.

    This is, of course, a pipe-dream. I think the 2-year limit with essentially automatic approval, and much easier and cheaper elimination of patents shown to be bad would work out well. It's just in human nature to abuse this kind of group dynamic, and the only reasonable way to avoid it is to limit the overall usefulness of the system.

    Sigh.

  14. Re:Exactly on Trend: More Software Patents · · Score: 2

    The problem with your angle, here, is that you assume that the goal of a patent is to inspire someone to innovate, but otherwise would not.

    This is very much not the case. In fact, the USPTO was founded to encourage companies to share ideas that they had ALREADY come up with. The thinking was (and it was valid at the time) that companies would get a bit of a lead on the industry (17 years), but then others would be allowed to use the new information, and the original company would be forced to continue innovating.

    Never was it the goal of the USPTO to encourage the kind of personal innovation that you describe. That's expected to happen as a result of individuals selling their ideas to companies, or developing their ideas by founding a company (the old, build-a-better-mousetrap scenario, for example, is supposed to end in your starting a successful mousetrap company). These are secondary (but IMPORTANT effects).

  15. Change the rules on Trend: More Software Patents · · Score: 4

    Just create a $10,000 fine for "spurious patents", and define spurious just
    as vaguely as the USPTO defines valid software patents. This will put
    the breaks on most companies (if, for example 1/3 of Microsoft's software
    patents were found to be invalid, that would probably be enough to
    cancel out profit from Office for a year!)

    The other way to go, that a lot of people cite is just limiting the life
    of a software patent to 3 years. I'd sign on to this, IF there were
    a reasonable way to speed up the approval process.

    One way to speed it up might be to open it up. Let everyone see every
    submitted patent that has been past the first "does it fit the
    required format, and did they pay up" pass. Do it over the Web, and
    allow a Slashdot-like feedback. Only patents that don't get a bozo-alert
    from the masses get sent on to the next stage (internal USPTO technical
    review). Thus the next 200 people to submit "talking online" and
    "window-shopping online" will be bounced in less time than it takes
    to Slashdot a personal web-server into the ground.

  16. Read the RFC on New GOP Domain Name Violates RFC 2146 · · Score: 3
    From the RFC:

    The registrar will use this RFC as guidance and will not grant the ".GOV" to any new entity which is not listed in the FIPS 95-1 or the US Government Manual or which has not been granted an exception status by the FNC Executive Committee.


    This clearly makes a policy for exceptions. The FNC Executive Committee is allowed to make exceptions to the policy at their discression.

    Is GOP.GOV a reasonable use of the .GOV space? Perhaps not. Is it in compliance with the RFC? Yes.
  17. Neither on Upside Editorial Piece on Sun and Open Source · · Score: 3

    is Sun an enemy? Or is the enemy of my enemy my friend?

    Why do they have to be either? They are a software developer. If they're smart, this is the first step in testing the waters of true Open Source. After all, they may find that Linux makes huge strides in some area that they want to pick up source from. If they move to a truely open license in the future, they will be able to do this.

    This makes them no more or less an enemy than BeOS. They are a software developer and have the same standing in the community as any other software developer give-or-take the quality of their code and the nature of their actions WRT the community.

    We must never drop to the level of "Not... us... must be... enemy! Must... KILL!" That department is well stocked with hundreds of companies of which the usuall ScapeGoat mentioned here on Slashdot is only the most successful. If Sun chooses to embrace a different path, we should not turn around and slap them in the face for it!

  18. Re:What a bunch of garbage on One for the Kids · · Score: 3

    "how about looking into how a *lot* of computer companies [...] put out buggy software and then sell the security or software patches?"

    If I could be sued for every bug in every program I have written [...]

    Ah. This is what we call a straw-man argument. The statement centered around the buggy software and selling the fixes. Your response focuses on an imagined scenario where you get sued for every bug. The original author never introduced such a scenario, of course, but that does not seem to trouble you.

    The likely scenario to develop from a re-evaluation of such extortion tactics is that software firms would have to start shipping updates to their users (or making them readily available) without being able to make more money from the sale of these "fixes".

    What you have now is more like a protection racket where MS can demand that you pay 100s of dollars to upgrade to a new version of their software because, of course, they're not going to continue supporting Word 97. Hell, that's two years old! Same deal with just about all software nowadays.

    Open Source may eventually end up addressing this, we'll see. What I would expect to happen is to see lots of little project forks, not to go off an support different functionality, but to support old versions with their existing functionality. For example, some people just can't upgrade to perl 5 (yes, perl 4 was last touched years and years ago, but how long do you expect to have your car?)

    Someone could take over bug-fixing of the old perl 4 source, starting their own project to do so.

    Same with Linux 2.0. Or Red Hat 4.2!

    This could become a booming business, but not one that most companies would want to burden themselves with.

    I say keep software free and clear. Don't introduce parasitic lawyers into what is, despite griping from people like yourself, very nearly a perfect industry.

    Wow. So, you think that the problems with crypto, privacy, predatory market practices (for which MS is not the world's worst offender, but tries quite hard) and so on, are right in line with what we should expect and accept? Or, do you consider these to be part of the "very nearly" in "very nearly perfect"? In that case, what would be "bad"?

    I really don't think that you and I are in the same industry.

  19. Re:Logical fallacy. on The Big Bang Generator That Wasn't · · Score: 2

    Most people should worry about a) heart disease, b) lung cancer, and c) an auto accident, in roughly that order. Since we all know that very few people give those very real dangers any thought at all ....

    Actually, a lot of people do take these seriously. I, for example, do not drive a car in order to decrease everyone elses chance of (c), as I am a terrible driver.

    The point in being concerned about small chances of global catastrophy is not that it's likely, it's that right now we have all of our eggs in one basket and we can't very well afford to go throwing rocks....

    I don't think this one accelerator is a big deal, but the thought is important. Every day, we receive several gamma-ray emmisions from deep-space. Many of them do not seem to be associated with any detectable stellar phenomenon. What if these gamma-ray sources are what's left of some world where a researcher said "I don't *think* this will cause a kilogram of matter to totally convert"? I haven't done the math, so I don't know how much matter would have to convert before you saw the kind of gamma-ray emmisions that we detect, but I suspect it's much less than an earth-size planet....

    These are important things to think about. Even if we decide that it's more important to discover the nature of the universe than to avoid a little risk, we should consider what risk it is that we're not avoiding.

  20. DirectX, Open GL, Linux and X on Ask John Carmack About Quake - or Anything Else · · Score: 5

    I read a sort-of-analysis that you wrote way back comparing DirectX 3D handling to Open GL (with Open GL being far preferable to you). Do you feel that the tools that you and others will need to create the next generation of games exist now under Linux or other Open Source operating systems, or is that still a long way off? What would you recommend that we developers and developer wannabes dedicate our time to?

    On an almost related point... Doom was the beginning of 3D, first-person shooters, and they have lived quite happilly in the gaming market for some time. Other games have proven to be stable formats: sports, strategy and/or tactics simulations (e.g. Myth), multi-player build-and-conquer type games (e.g. Starcraft). What do you envision being the next set of technical hurldes that will lead to what sort of new game formats?

  21. Great interview on The Interview with Bruce Sterling · · Score: 2

    I loved the organized crime comment. It's woefully true that there's an awful lot of us early adopters that keep getting shocked that our "universal, cool, quantum doohickies" keep getting picked up by the mainstream (which is really just us, 10 years later). I've uttered the "when did the advertizers steal MY Internet" line more than once, but that WAS what I asked for when I said I wanted the Net to be everywhere, wasn't it? What was I thinking? Can I take it back? ;-)

    "We are all of us, living in the shadow of Manhatten." I keep wishing that that phrase (from Watchmen) wasn't so descriptive of the way we buil(d|t) our society.

  22. Not much content in that article on Robert Cringley on Slashdot Editing Jane's · · Score: 2

    This guy basically rails against whatever he can find, and doesn't seem to do much research. For example, he points out the .cc domain thing, and wonders if maybe the next to do this will be the Christmas Islands. Well, if he'd bothered to do the research, he'd know that .cx is the Christmas Islands, and anyone can buy a domain there....

    On the Jane's thing, he didn't even know how it turned out, he was just talking about the initial request. I find it amusing that he thinks asking Slashdot for information comprises "censorship". What would he think a technical editor is ;-)

    Overall, pretty much content-free.

  23. Red Hat fixes wouldn't have helped on ZDNet Admits Mistakes in Recent SecurityTest · · Score: 3

    The Red Hat fixes would have limited the scope of the intrusion, but the bottom line is that the guy got a shell at all because the 3rd-party CGI was buggy. This will be a problem if you're using NT or Linux or True64.

    I'm torn on these kinds of tests. On the one hand, the test is attempting to prove the security of an operating system distribution, so that's really all that should be running. On the other hand, you are going to want to do something with that machine. Certainly a stand-alone Linux box with nothing else on it is not much of a real-world test.

    In the end we're just serving to prove an old truism of security: You put a firewall in to keep out the 13-year-olds, but to stop the determinied crackers who are targeting your site in particular, you need to audit every piece of source you run. A very tall order, and always painful. It comes down to risk analysis and trade-offs.

  24. Time to show my colors on DOJ Fights Hackers with Brainwashing · · Score: 5

    Ok, it's time to come out of the closet. When I was a lad, I was a "cracker". Oh, not a good one, or even a terribly motivated one (my exploits in college mostly involved doing geurilla sys-admin when the real admins were away, and people needed to get work done). But that's not the point. I was one of the evil few who you should fear and despise.

    Here's the scary part: in my daily work as a senior software engineer (oooh! a title, I get a title!) and all-around UNIX-monkey I use every scrap of knowledge that I gained back then. I *need* to know what kind of exploits people will look for in my software. I *need* to be able to put myself into the mind of the cracker. In previous jobs I've had to deal with active intrusions. No one else had a clue what to expect, and I had to spoon-feed them all.

    I'm not saying that you should give every kid a "breaking in 101" class, but those who show the insight, skill and motivation to subvert security should be helped to find the "good path". Their skills should be respected. If you just turn a cold eye to them and tell them that what they are doing is evil, they will end up working against you. If you nurture their talent and push them to accept responsibility for their capabilities, they will be valuable members of the community.

    As a closing thought, the most important lesson that I learned was when someone that I felt great respect for told me that he knew what I had been doing all along, and he didn't bother to stop me. But, when he took action was when I started telling others how to do it. I could have ended up writing exploit programs for script-kiddies, but that one conversation ended the possibility as firmly as a bullet. Say the right thing at the right time, and you can change someone's world.

  25. Problems with "originator" on Toward a Better Open Source License · · Score: 2

    First off: who is the originator? The company that produced the first version? The individual who re-tooled the entire thing over night, re-wrote it in C++ and added a GUI? Who?

    Second: If I (say, Sun) can pull the code back into my proprietary source, what happens when someone makes a change (say, writes a driver for Solaris) and I then pull that back into my source tree. I add features, I bug-fix, I embrace-and-extend. Why should I show the world what I've done? I'll release those changes as one big wad next major release, stomping on the existing source-code base, and pretty much guaranteeing that no one will try to fork their own version of my code (say, Red Hat Solar-OS for Alpha ;-)

    I don't mind that companies will do this. This is called capitalism, and I'm a fan of that model. However, I refuse to call that Open Source, and think its a bad idea to start getting people used to the idea of a GPL--

    If companies want to release source "a little" and go half-way, let 'em. In the end is business-model vs. business model. I think the one that attracts the most developers will win, but perhaps I'm wrong.