Sure, and I don't think any format that requires random access can be a serious contender for an archive format. For the times you need them streaming protocols are just too powerful.
But TAR missed some obvious and cheap ways to support random access. The POSIX standard is technically extensible so I could add my own fields to support random access, but the standard tools then chitter at you about unrecognized flags and you might not be able to retrieve your data. At the end of the day I decided it was a better engineering decision to stick with standard ZIP & extensions (flaws and all) instead of shoehorning the same functionality into TAR.
The flip side is that ZIP archivers may be smart enough to recognize images or previously compressed files and skip the effort of recompressing them. You don't have that option when compressing a tarball.
I also doubt that there's that much opportunistic compression occurring. I have a special-purpose tarball engine that resets the compression engine for each file. (Why? It also maintains a separate index file mapping filename to file offset - searchable compressed tarballs!) The cost of resetting the compression engine has been modest, never more than a 5% increase in file size.
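The per-file compressor reset plus side index described above, as an added illustration (this is not the commenter's engine, nor any real tar implementation): each member is written as its own zlib stream, a separate index records name, offset and lengths, and a member can then be inflated from its offset without touching anything before it. The sample files, the index's tab-separated format and the `pack`/`extract` names are all assumptions made for the demo.

```python
import io
import zlib

# Constructed sample "files" for the demo (not real data).
SAMPLE_FILES = {
    "notes/readme.txt": b"hello world, hello world, hello world\n" * 20,
    "logs/app.log": b"2004-01-01 INFO started\n" * 50,
    "bin/blob.dat": bytes(range(256)) * 4,
}


def pack(files, level=6):
    """Write every member as an independent zlib stream.

    Returns (blob, index) where index maps
    name -> (offset, compressed_len, raw_len).
    A fresh compressobj per member is the "reset": no member's stream
    depends on the history of the members before it.
    """
    out = io.BytesIO()
    index = {}
    for name, data in files.items():
        comp = zlib.compressobj(level)           # fresh compressor per member
        chunk = comp.compress(data) + comp.flush()
        index[name] = (out.tell(), len(chunk), len(data))
        out.write(chunk)
    return out.getvalue(), index


def dump_index(index):
    """Serialise the side index as one tab-separated line per member."""
    lines = ["%s\t%d\t%d\t%d" % (name, off, clen, rlen)
             for name, (off, clen, rlen) in sorted(index.items())]
    return "\n".join(lines) + "\n"


def load_index(text):
    """Inverse of dump_index; ignores blank lines."""
    index = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        name, off, clen, rlen = line.split("\t")
        index[name] = (int(off), int(clen), int(rlen))
    return index


def extract(blob, index, name):
    """Random-access read of a single member: slice at the recorded offset
    and inflate only that stream."""
    offset, clen, rlen = index[name]
    data = zlib.decompress(blob[offset:offset + clen])
    if len(data) != rlen:
        raise ValueError("length mismatch for %s" % name)
    return data


def overhead_percent(files, level=6):
    """Size cost of per-member streams relative to one stream over the
    whole concatenation (the number the commenter quotes as under 5%
    for their data; it depends entirely on the input)."""
    blob, _ = pack(files, level)
    single = zlib.compress(b"".join(files.values()), level)
    return 100.0 * (len(blob) - len(single)) / len(single)


if __name__ == "__main__":
    blob, index = pack(SAMPLE_FILES)
    index2 = load_index(dump_index(index))      # round-trip the side file
    print(extract(blob, index2, "logs/app.log")[:24])
    print("overhead: %.1f%%" % overhead_percent(SAMPLE_FILES))
```

The index is what makes the archive searchable: a reader loads the small index file, looks up the name, and seeks straight to the member. The same layout is why the commenter later finds per-file compression easier to work with than a tarball compressed as one stream.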
zlib can be run in stream mode, bzip2 can't. Even if you're willing to operate in block mode (and I'm not sure the OpenPGP specification allows this) the block size of a cipher will be far smaller than the block size of the bzip2 engine.
In either case manual intervention is required and there is no chance of a viral payload being automatically run. Remember the real issue isn't denying you the ability to send/receive executables, it's keeping the brain-dead POS from automatically running any executable it sees regardless of origin.
ZIP is also the basis for the various Java archive formats. What you call "outdated" others may call time-proven, what you call "bloated" others may call flexible. A lot of the "bloat" is anything but once you realize that the file is designed to work in both streaming and random-access modes. TAR is a pure-streaming format and a real bitch to use in random access mode.
It comes down to why you're putting the files into an archive in the first place. If you're just using an archive to transport files from one system to another the classic Unix approach works great.
But a lot of programs now use archive formats to bundle related files in a single place. Think of Unix archive (.a) files that used to just hold object files in software libraries - now we have Java archive (.jar) files that contain class files and properties, web archives (.war) that contain .jar files, images, html and jsp pages, etc. The last two formats (and other variants like .sar and .ear) are basically ZIP files with some specific entries.
It's a bit odd to work with archives directly at first, but after a while you find yourself thinking in terms of everything as archives. E.g., most image formats can also be thought of as specialized archives - it's perfectly reasonable to ask to read/write comments, thumbnails, etc.
I've written code to read and write archives directly, and I can tell you from first-hand experience that it's much easier to work with an archive format that handles compression and encryption on a per-file basis (e.g., ZIP format) than one that does it on a file-wide basis (e.g., encrypted, compressed tarballs). The same idea applies to "resource bundles" on Windows systems or Palm OS apps, although they're handled differently.
They can't have it both ways. Either they accept the cost of running "local" Usenet spools or they accept the cost of paying bandwidth costs to get Usenet feeds from outside their network.
A while back I read an article on the legality of manually changing the HTML form used by some shopping cart software. Is it legal to change the price of a plasma screen TV to $250 instead of $5000? Could you force the seller to honor the adjusted price?
The answer, surprisingly, is that the "hacker" had an excellent chance of winning in court. Quotes are offers and subject to negotiation. The burden is on the offerer to verify that the counteroffer is acceptable - they are always free to reject any counteroffer and insist on the original price. The company can either pay to have somebody check the prices in counteroffers (or to have somebody automate that check), or it can absorb the loss when it automatically accepts such counteroffers.
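The automated check the comment mentions, as an added example that is not part of the original post: the server treats its own catalog as the only source of truth, recomputes the total from it, and rejects any submitted line whose client-supplied price disagrees. The catalog, SKUs and the `validate_order` helper are assumptions constructed for the demo.

```python
from decimal import Decimal, InvalidOperation

# Constructed catalog: the server's own price list (not real products).
CATALOG = {
    "plasma-tv-42": Decimal("5000.00"),
    "hdmi-cable": Decimal("25.00"),
}

MAX_QTY = 100


def validate_order(submitted_lines, catalog=CATALOG):
    """Recompute an order total from the catalog and refuse tampered input.

    submitted_lines: list of dicts as a form might post them,
    e.g. {"sku": "plasma-tv-42", "qty": "1", "price": "250.00"}.
    Returns (True, total) or (False, reason). The client's "price"
    field is only ever compared, never used in the arithmetic.
    """
    total = Decimal("0.00")
    for n, line in enumerate(submitted_lines, 1):
        sku = line.get("sku")
        if sku not in catalog:
            return False, "line %d: unknown sku %r" % (n, sku)
        try:
            qty = int(line.get("qty", 1))
        except (TypeError, ValueError):
            return False, "line %d: bad quantity" % n
        if qty <= 0 or qty > MAX_QTY:
            return False, "line %d: quantity %d out of range" % (n, qty)
        server_price = catalog[sku]
        if "price" in line:
            try:
                client_price = Decimal(str(line["price"]))
            except InvalidOperation:
                return False, "line %d: unparseable price" % n
            if client_price != server_price:
                return False, ("line %d: price mismatch for %s "
                               "(client %s, catalog %s)"
                               % (n, sku, client_price, server_price))
        total += server_price * qty
    return True, total


if __name__ == "__main__":
    print(validate_order([{"sku": "plasma-tv-42", "qty": 1, "price": "250.00"}]))
    print(validate_order([{"sku": "plasma-tv-42", "qty": 1},
                          {"sku": "hdmi-cable", "qty": 2}]))
```

A mismatch is worth logging as well as rejecting: an edited hidden field is a clear signal that someone is probing the form, and the log line is cheap compared with honouring a $250 television.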
Missiles from Scientific American "Am. Scientist" (on Linux Toys) · Score: 2, Insightful
I remember that in the late 70s my HS had a book of experiments from Scientific American's "Amateur Scientist" columns from the 30s through 50s.
I had played with model rockets powered by Estes rockets. Model rocket engines that now fall under terrorism regulations even though they're pretty small. This book discussed turning a metal rocket engine bell on a lathe, mixing your own chemicals for the propellant and pouring it into the metal fuselage, etc.
On the one hand that's madness. It's one thing to fling metal high in the sky in a rural area, it's a very different thing to do it in an urban or suburban environment.
On the other hand as I get older I find myself agreeing with authors just a few years older than me - people who never actually did stuff - build model rockets, hike and camp in the boy scouts, etc., have missed something important.
I know, gross generalization. And I would have killed to get my physics and math degrees with modern computers even if inverting large matrices by hand did teach me to be careful and double check each step of my calculations.
In the real world you make sure that your exposure is limited. Better protection costs more, but you can certainly control the maximum amount you could lose.
As a trivial example, let's say that the stock costs $100 now and you're shorting it. You can limit your exposure by simultaneously buying a put at, oh, $120. If the stock ends up below $100, you make money and the put is worthless. If the stock ends up between $100 and $120 you pay the difference and again the put is worthless. But if the stock is above $120 then the put comes into play and you only have to pay $20 for each share shorted. In the first two cases who ever went long has made some quick cash, and in the third case they're forced to cover the difference. That may be less of a problem than you think, if they are covering their position with stock - they may still be selling it at a price substantially higher than they paid for it.
Of course cars and trucks can pass through the tunnel. They'll be ferried on train cars, just like on the Chunnel and other long distance tunnels.
The reason for "rail only" restrictions is because of the logistical implications of having car accidents in submarine tunnels, or long tunnels of any kind. Trains can still have problems, but far fewer than separately driven cars.
High speed trains can be faster than flights for short hops.
The reason is the "tails" on your trip. Airports are usually further out from the core city than train depots so you might have an extra 10-15 minutes of travel time on each tail just to get to/from the airport. Then there are delays while the plane taxis to/from one of the few operating runways instead of navigating through the switchyard - add another 10 minutes. And the time to get through security. And an extra 30 minutes (minimum) you want in case there's a backup in security, or the train to/from the concourses is running slow, etc.
When you're finally in the air on a short hop, you might not even spend any time cruising at 500 knots. If you listen to the ATC chatter you'll know that it takes 50-100 miles to climb up to cruising altitude, and the same to descend to the airport. So if your hop is under 200 miles you might not get to cruising altitude, and anything under 400 miles may spend less time cruising than passing through the inverted wedding cake.
Flights clearly win if you're traveling more than 1000 miles or there's not a direct ground route (e.g., because of large bodies of water or mountains), but there's a strong argument for grounding all flights under 150-200 miles. They clutter the airways and ATC system and aren't that much faster than ground transportation that doesn't make frequent stops. The ATC factor is so bad that some airlines have requested permission to fly below the normal jetways - it's far less fuel efficient and they can't travel as fast, but they don't have delays waiting for available spots in the crowded flight levels.
How hard do you think it is to write a PAM module that sends off an email with the user name and password?
This won't "crack" inactive accounts, but it will capture any account where somebody uses a password to log in. On most systems the attacker wouldn't even need to hide this function in an existing pam module, they could just provide a new one with an official sounding name (e.g., "pam_audit") and edit the PAM configuration files.
(N.B., not all access requires passwords. E.g., I prefer using SSH DSA authentication instead of password authentication.)
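The defensive counterpart of the scenario above, as an added example rather than anything from the original comment: a small auditor that parses `/etc/pam.d`-style configuration, flags any module not on a host allowlist (the fake "pam_audit.so" the comment imagines), flags modules loaded from a non-standard path, and optionally checks that each module file actually exists. The sample configuration, the allowlist and the function names are assumptions constructed for the demo.

```python
import os
import re

# Constructed /etc/pam.d/sshd-style file (not from a real host).
SAMPLE_PAM_SSHD = """\
# /etc/pam.d/sshd -- constructed sample
auth       required     pam_env.so
auth       [success=1 default=ignore] pam_unix.so nullok
auth       requisite    pam_deny.so
auth       optional     pam_audit.so logfile=/tmp/.a
@include   common-account
session    include      common-session
-session   optional     pam_systemd.so
"""

# Allowlist for the host being audited: an assumption for the demo. In
# practice derive it from the installed packages, not from a guess.
KNOWN_MODULES = {"pam_env.so", "pam_unix.so", "pam_deny.so",
                 "pam_permit.so", "pam_limits.so", "pam_systemd.so"}

STANDARD_DIRS = ("/lib/security", "/lib64/security",
                 "/usr/lib/security", "/usr/lib64/security")

# type [control or [bracketed control]] module [args]; leading '-' on the
# type means "silently skip if the module is missing".
LINE_RE = re.compile(
    r"^(?P<type>-?(?:auth|account|password|session))\s+"
    r"(?P<control>\[[^\]]*\]|\S+)\s+"
    r"(?P<module>\S+)\s*(?P<args>.*)$")


def parse_pam(text):
    """Return one dict per effective rule line; comments, blanks and
    @include directives are skipped."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            continue
        entry = m.groupdict()
        entry["lineno"] = lineno
        entries.append(entry)
    return entries


def audit_pam(text, known=KNOWN_MODULES, module_dir=None):
    """Return a list of human-readable findings for one PAM config file.

    module_dir, when given, is the directory the module .so files should
    live in; a missing file is reported as well.
    """
    findings = []
    for e in parse_pam(text):
        if e["control"] in ("include", "substack"):
            continue                      # refers to another config, not a .so
        module = e["module"]
        base = os.path.basename(module)
        if "/" in module and not module.startswith(STANDARD_DIRS):
            findings.append("line %d: module %s loaded from non-standard path"
                            % (e["lineno"], module))
        if base not in known:
            findings.append("line %d: unrecognized module %s (%s)"
                            % (e["lineno"], base, e["args"].strip() or "no args"))
        if module_dir and not os.path.exists(os.path.join(module_dir, base)):
            findings.append("line %d: module file %s not found in %s"
                            % (e["lineno"], base, module_dir))
    return findings


if __name__ == "__main__":
    for f in audit_pam(SAMPLE_PAM_SSHD):
        print(f)
```

An allowlist check only says a name is unexpected; the stronger check is that every module file and every file under `/etc/pam.d` still matches what the package manager installed, since the comment's attacker edits the configuration rather than hiding inside an existing module.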
crypt() truncates input at 8 characters. Hashes can use arbitrarily long input, but crypt() uses a variant of the DES algorithm and has an 8 byte block length.
Meanwhile the number of possible characters is actually 95 characters - the control characters and DEL (0x7F) are not available. So the total search space is 4096 * 95^8 or 27.2e18, including salt.
But as others have pointed out most people don't pick good random passwords[*]. A good multilingual dictionary may have 100k words, and you can try 500 variations on each word if you have 207 billion possibilities (including salt). That 500 variations can cover dropped vowels, o->0 mappings, etc.
[*] What's a good password? Hint: mine recursively computes the MD5 digest of random data and prints out a few dozen candidates with the right mix of upper & lower case, numbers and symbols. I can usually find at least one that's fairly mnemonic but still totally immune from dictionary attacks.
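An added worked example for the search-space arithmetic in the three paragraphs above and the candidate generator in the footnote; it is not the commenter's own script. It takes the 95-character alphabet and 4096 salts from the text, computes both the random-password space and the dictionary-times-variations space, shows the 8-character truncation of DES crypt(), and generates class-mixed candidates from the OS random source rather than by digesting random data with MD5 (that substitution, and all the function names, are assumptions of the demo).

```python
import math
import secrets

# 0x20..0x7E: the 95 printable ASCII characters the comment counts
# (control characters and DEL excluded).
ALPHABET_95 = "".join(chr(c) for c in range(0x20, 0x7F))
# For generated passwords, drop the space: keeps them easy to type.
GEN_ALPHABET = ALPHABET_95.replace(" ", "")

CRYPT_SIGNIFICANT_CHARS = 8      # traditional DES crypt() ignores the rest
SALTS = 4096                     # two salt characters, 64 values each


def search_space(alphabet_size=len(ALPHABET_95), length=8, salts=SALTS):
    """Number of (salt, password) pairs for random passwords."""
    return salts * alphabet_size ** length


def dictionary_space(words=100_000, variations=500, salts=SALTS):
    """Number of (salt, candidate) pairs for a dictionary attack with
    per-word variations (dropped vowels, o->0, ...)."""
    return salts * words * variations


def bits(space):
    """Search space expressed as bits of work."""
    return math.log2(space)


def effective_crypt_input(password):
    """What DES crypt() actually hashes: the first eight characters."""
    return password[:CRYPT_SIGNIFICANT_CHARS]


def has_class_mix(pw):
    """Upper, lower, digit and symbol all present."""
    return (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
            and any(c.isdigit() for c in pw)
            and any(not c.isalnum() for c in pw))


def candidates(n=24, length=8):
    """Generate n random passwords with a full class mix. Uniform choice
    from the alphabet keeps every candidate inside search_space()."""
    out = []
    while len(out) < n:
        pw = "".join(secrets.choice(GEN_ALPHABET) for _ in range(length))
        if has_class_mix(pw):
            out.append(pw)
    return out


if __name__ == "__main__":
    print("random 8-char space: %.1fe18 (%.1f bits)"
          % (search_space() / 1e18, bits(search_space())))
    print("dictionary space:    %.1fe9  (%.1f bits)"
          % (dictionary_space() / 1e9, bits(dictionary_space())))
    print("crypt sees only:", effective_crypt_input("CorrectHorseBattery"))
    for pw in candidates(6):
        print(pw)
```

The two numbers are the whole argument: a random 8-character password sits around 64 bits of work, a dictionary word with variations around 37, and anything beyond the eighth character buys nothing at all under DES crypt().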
Digging in memory for joke from 20 years ago, updating it to include contemporary references...
A plane full of tourists from eastern Europe is taking a sight-seeing tour over Los Angeles. The pilot announces that the Hollywood landmark sign is visible to the right and everyone rushes to that side of the plane.
The plane swings wildly, but the pilot is able to recover and the plane flies on.
Now the plane is passing the Disneyland to the right. Again everyone rushes to the right side of the plane and the plane swings wildly, but the pilot is able to recover.
Unfortunately, the pilot announces when Michael Jackson's "Neverland Ranch" is visible to the right side of the plane. All of the parents grab their children and rush to the left side of the plane! The plane swings wildly, but this time the plane is unable to recover and the plane goes through progressively more violent isolations before plowing into the ground!
The NTSB investigator assigned to the crash immediately dismisses it as pilot error. Everyone knows that complex systems are unstable with all of the Poles in the left half plane.
I think MOND makes dark matter a 1 cuckoo. Something is broken with our theories, and there's arguably more direct evidence for MOND (in the trajectories of our furthest space probes) than there is for dark matter.
IANAL, but isn't this begging for the court to slap them with penalties?
IBM has the right to get answers from SCO, but the latter has been dragging its feet. So, in an effort to move the case forward, IBM is talking to the people SCO has been talking to, the analysts and investors. It's harsh, but with SCO refusing to answer questions it's the only choice.
But what possible connection do Linus, Richard, et al have with IBM? AFAIK they have never been employees of IBM, never been briefed with proprietary information, etc.
In other words, what possible grounds do they have for being named? If SCO can't show some good reason for harassing uninvolved parties, will the judge finally impose sanctions?
And perhaps at least as importantly, will Linus et al finally realize that tolerance does not have to extend towards those who deliberately and consciously mean you ill? They have the right to order a DMCA smackdown on the SCO website and it's time they forced it off the net if SCO continues to flaunt copyright law and harass the legal copyright holders. SCO has made its position clear - somebody is going to be bankrupt by the end of this and the time for remaining on the sidelines is long past.
Flat comparisons are meaningless since many countries have compulsory voting. I think it's a 100 AUS fine in Australia, for instance, and other countries are probably comparable.
So you may get 95% turnout... but how many of those voters really give a damn about the election? I bet you'll find the same 50% or so who made some effort to learn the issues, and the rest are voting at random or worse voting based on the briefest familiarity with the issues based on the TV ads.
One "convicted felon" was a county election official. One guess what was done with that list in that county.
(Lots of mindless blather inserted since Slashdot's latest "new & improved" spam filters apparently believe that nobody could add a useful one line comment. Blah, blah, blah and more blah.)
How about the fraudulent felon lists? One county commissioner threw the list out - she found her own name among the list of convicted felons! - but other counties accepted them as valid and thousands of people were wrongfully struck from the voter lists as convicted felons. These people were overwhelmingly black and male.
A number of other allegations seem to have some real meat, but this is the one that's easiest to demonstrate.
Bully for him, but there's no doubt that this is a serious concern.
How many people would cave if their boss called them into the office to ensure they voted "the right way." Illegal as hell, but in the meanwhile they're unemployed and the DA is telling them that the charges probably won't be filed since it's a "she said, he said" situation.
How about church "voting parties" where everyone publicly "witnesses" their battle against evil in casting a public vote. People are members of churches for many reasons, and in a free election there will be some scatter from a congregation... but if everyone is praying and celebrating each vote "cast against Satan" you'll find a remarkable uniformity in the vote.
Finally there are some sleazeballs that aren't afraid to take advantage of the elderly. Worse, our society treats them so poorly they may feel it's an honest unspoken trade to vote along party lines in exchange for some time away from the retirement prison.
Finally had the time to look up the specific citation....
DANDR, page 189.
"Avoid aspartame. Although the cause is as yet unknown, clinical observations show that certain individuals find weight loss slows with excessive intake of aspartame, the artificial sweetener sold as NutraSweet and Equal."
Page 230.
"12. Treat aspartame (NutraSweet or Equal) with caution. Avoid when possible. This includes products sweetened with this ingredient, such as diet sodas and diet Jell-O. Check labels on other products that purport to be low or controlled carb."
The other problem is that this assumes ASCII encoding. That's why most real implementations do array lookups, e.g.,
#define isdigit(x) ((charset[(unsigned char)(x)] & DIGIT_MASK) ? 1 : 0)
where 'charset' is actually something that can be specified at boot time.
If you put parentheses around the return value you'll get a recursive macro call.
Oops. That should be "oscillations," not isolations.
Although the English geek in me wants to further correct that to "oscullations"...