Slashdot Mirror


User: Tack

Tack's activity in the archive.

Stories: 0
Comments: 404

Comments · 404

  1. Tor on Dissidents Seeking Anonymous Web Solutions? · · Score: 4, Informative
    Look at Tor. It works well.

    Jason.

  2. Re:Whew... on Flaw Found in VPN Crypto Security · · Score: 1
    IPSec, on the other hand, was designed and reviewed by a large number of experts in security. It continues to go through a lot of review, and constant attempts to break it.

    I can't argue with this. But IPsec's biggest enemy is its own complexity. I've read enough about IPsec and it scares the shit out of me. Sure, I can set it up and see that it works (and have done so). But to really understand what's going on would take me a solid week (probably more) of research, and even then there's no guarantee I'd really grok it.

    In contrast, OpenVPN's protocols like its key exchange (which is the primary "infrastructure built around SSL" as you put it) are fairly straightforward to understand. Now I'm not saying they're secure because I don't know; I'm not a cryptographer. But getting the architecture of a system fully in your head is a prerequisite to understanding its security implications. Modularization helps here, and this is where openvpn shines. IPsec digs its fingers into many different layers, with quite complex relationships between them.

    IPsec has received a lot more review than openvpn, but it also needs it. IPsec probably solves some more esoteric problems than openvpn can, but when all I need is a simple, secure tunnel between two points, I'll continue to recommend OpenVPN.

    Cheers,
    Jason.

  3. Re:Yea. on Flaw Found in VPN Crypto Security · · Score: 4, Funny
    You would have been safer if you used Double ROT-13 encryption instead.

    That's fine if you don't care about the security of your data. Current cryptanalysis indicates that at a minimum you want 16 rounds of ROT-13. And since I'm rather paranoid, as a rule I tend to double the recommendations of cryptographic primitives, so I use 32 rounds of ROT-13. With current CPUs as fast as they are, there's very little reason to use less than 16 rounds. And 2 rounds is just insanity.

    I dare you to crack my data.

    Jason.

  4. Re:Whew... on Flaw Found in VPN Crypto Security · · Score: 2, Insightful
    I'm going to chime in with a definite "me too" here. I've been using OpenVPN for over a year, and this is absolutely solid software. It easily falls into the Just Works category. I have it started on boot, and I simply forget that it's there. If there are network issues, it recovers gracefully.

    I can't quite speak to its security, but there's nothing I've seen that makes me the least bit concerned. Although Peter Gutmann didn't do a real audit of openvpn, he did have this to say about it: "... but a quick look through it indicates that the author knows what he's doing." After you read a few remarks made by cryptographers, something like "this person is not a moron" is exceptionally high praise.

    And Gutmann did leave us with this memorable quote: "Whenever someone thinks that they can replace SSL/SSH with something much better that they designed this morning over coffee, their computer speakers should generate some sort of penis-shaped sound wave and plunge it repeatedly into their skulls until they achieve enlightenment."

    If you need a vpn solution that Just Works, check out OpenVPN.

    Jason.

  5. Re:bad example on Current Crypto Trends with Bruce Schneier · · Score: 2, Insightful
    I thought the standard wisdom was that WEP is useless, so if you're serious, always use a VPN over your wireless. right?

    That's true, but WEP isn't entirely useless as one layer in the system. If somebody is war driving down my street looking for an easy target, the few minutes it will take them to crack my WEP key is often enough to keep them driving on.

    Think of WEP as a locked window. As a security system, a window is crap. It can be broken without any tools and you can even see what's behind it! But locking my windows and doors might help deter someone looking to swipe the $20 bill on my table. Of course, it also might not, so if they smash the window they'll have to deal with the noisy alarm that will go off. Similarly, anyone who takes the time to crack my WEP key will have to contend with openvpn.

    In some senses, WEP is security through obscurity. A system shouldn't rely on obscurity for security, but it does contribute to a solution to certain types of problems. It's basically like tinting the windows of your car so nobody can see your nice stereo. "Nothing to see here. Move along."

    Jason.

  6. Re:Why complicate things so much? on The Future of Databases · · Score: 2, Insightful
    That's not very big. It's down right small, in fact. [...] [T]his is not the beginning of a pissing contest.

    I must be missing something.

    Jason.

  7. Re:First Post People Suck on Microsoft Demands Removal Of Longhorn Images · · Score: 1
    Because obviously Microsoft has put all their work into the way Longhorn looks, rather than under-the-hood things.
    Your theory holds water right up until you actually look at the screenshots. It looks like shit!

    I think you missed the part where he was being sarcastic.

    Jason.

  8. Re:Lies, Damn Lies, and Statistics on Mozilla Usage Doubles in 9 Months · · Score: 2
    I never said it wasn't major.

    Actually that's word-for-word exactly what you said.

    But anyway, I think you misunderstand what statistics are. When you want some data, like say -- off the top of my head -- browser marketshare, nobody expects every Internet-connected user to be included in the data. Obviously that'd give the most accurate result, but it's so ridiculously impractical that there's no point in even discussing it.

    So instead one must find a source from which one can obtain a reasonably representative sample of "WWW users." Google may not be the best site from which to gather browser usage statistics, but I think it's probably _one_ of the best ones these days. I'm much more inclined to accept google's browser usage statistics as an accurate sample of all web users than most others. And suggesting that marketshare statistics have absolutely no worth unless all Internet users can be sampled is mind-numbingly absurd.

    Jason.

  9. Re:SP2 on Windows XP SP2 In Release · · Score: 1
    At best, you're being pedantic with this in attempting to defend the initial point. At worst, you're just trolling.

    This is pretty much the de facto response by people who can't defend their position. "If you don't agree with me, then you're either an idiot, or you're being an asshole."

    Metric prefixes were defined long before computers came around. The binary prefixes aren't the greatest solution, but at least it's something. Perhaps they used to be used only by a handful of elitists, but they're beginning to gain favor now in places that might surprise you.

    I suppose you could call Alan Cox an elitist, but I think he's being a realist.

    Jason.

  10. Re:SP2 on Windows XP SP2 In Release · · Score: 1

    KiB versus KB. 278927592 bytes = 272390.23 KiB = 278927.59 KB = 266.01 MiB = 278.93 MB.

    This is where things are going. You might as well get used to it now.

  11. Re:I don't buy that... on Father of DVD Gets Bitter Reward · · Score: 1
    Obviously you've never watched '24'. DVD is the ONLY way to watch the show without pulling your hair out at the end of every episode because they leave you hanging.

    Agreed. DVD is the way to go with a series like 24.

    I own both season 1 & 2 and have avoided watching season 3 so I can watch it all on DVD

    Season 3 was the first season I watched on tv, week by week. Maybe it was because of this, or maybe it was just a weaker story, but I found season 3 paled in comparison to the first two seasons. :(

    yet it's probably my favorite TV show.

    Go rent (or buy) Dead Like Me. It's top of the list on my tv favorites, just above Buffy and 24.

    Jason.

  12. Re:Google: I hope you don't screw this up. on Google to Distribute Image Ads, Plans Email List Service · · Score: 1
    So why change? Because for a public company, just being "profitable" isn't enough -- they now have an obligation to maximize profit.

    Google has claimed in its Letter from the Founders, addressed to the shareholders and contained in their S-1 filing, that it plans to sacrifice short term profitability in order to remain true to its original vision.

    A choice quote from their letter:

    We believe a well functioning society should have abundant, free and unbiased access to high quality information. Google therefore has a responsibility to the world. [...] We believe that fulfilling this responsibility will deliver increased value to our shareholders.

    Jason.

  13. Re:Metric System on de Icaza: Rest of World Will Force US Into Linux · · Score: 1
    Meanwhile, I can turn a gallon into gills simply by halving, halving, halving, halving & halving. And I can cut a foot into inches but cutting in half, half and thirds. And a pound into ounces by cutting in half four times.

    Errr, I really can't tell: are you arguing for or against the metric system?

    Sounds like you're arguing in favor of it to me.

    Jason.

  14. Re:this guy is clueless on FireFox and Longhorn: Meant For Each Other? · · Score: 1
    Yes, but Apple created their own Gecko-based browser..they didn't ask the opensource community to write their browser around OS X

    What Gecko-based browser did Apple create? This is rather news to me.

    Jason.

  15. Re:finally on Injunction to Enforce GPL · · Score: 4, Insightful
    Great! Finally I can respond to those GPL-is-not-proven-in-court trolls!

    Actually, I rather liked being able to say to people, "The GPL has never been tested in court because nobody has ever dared. They know they will lose, because the terms of the GPL are so clearly defined, and since they grant additional rights on top of existing copyright law, disobeying the terms of the license means all you're granted is what copyright law grants you."

    It's terribly simple, and the fact that nobody wants to test the GPL in court makes it seem even more bullet-proof. Of course, I'm happy that now case law will begin to set precedence for the GPL, but I kinda liked being able to say "people are afraid to test the GPL in court." :)

    Jason.

  16. Re:instructor doesn't get it on Why PHBs Fear Linux · · Score: 2, Insightful
    Question #2 in the top post asks, "Why was it released to the public domain instead of copyrighted?" The question makes a statement that it was released to the public domain and not copyrighted, which is obviously absurd.

    Hey, I'm all for critical thinking. But this question makes false implications. It's like asking the question, "Why does a triangle have 4 sides instead of 3?" Any question that expects a balanced, critically thought answer ought not to be loaded.

    Imagine asking the question in a course on evolutionary theory, "Why did God create man symmetrically instead of asymmetrically?"

    Jason.

  17. Re:instructor doesn't get it on Why PHBs Fear Linux · · Score: 3, Insightful

    I would have asked her who her instructor was, and then contacted that instructor to ask about the possibility of doing a guest lecture on Linux and FLOSS in general.

    The questions posed by the instructor indicate stunning amounts of cluelessness that, being involved in a LUG, would be almost a civic duty for you to clear up. :)

    Jason.

  18. Re:New File Dialog on GTK 2.4.0 Released · · Score: 3, Insightful
    I know they're attempting to appeal to inexperienced users, but they always seem to (1) do so in a way that pisses off experienced users, and (2) botch things up in the inexperienced-user case anyway.

    I'm sure you like to pretend to think you know what you're talking about, but the design of this new file selector was not haphazard. There were long, arduous debates on the various, related lists about the UI and API and various use-cases for both beginner and advanced users.

    Please set aside your righteous indignation and consider reading the list archives on desktop-devel-list, gtk-list, and others, and read the issues that the developers and designers have weighed and addressed in the design of the new file selector.

    I'm sure nobody would say it's perfect, but you're grossly mistaken if you think it was blindly hacked together without regard to usability and API.

    Jason.

  19. Re:MS vs Linux debugging. on New Linux Kernel Vulnerability · · Score: 2, Insightful
    But with the supposed 1000s of developers constantly looking at the Linux kernel why was the bug left in so long? How many months has this bug been in the kernel, easily open to the evil crackers to see? (I've no clue, I'm asking as regardless if the bug is now fixed quickly or not, it's been available for the oft praised peer review for X amount of time).

    Nobody claims that peer review results in code which is free of bugs or security problems. The claim is the peer review model results in less bugs and security problems than the closed source model, given equivalent man power.

    Cryptographers tend to be the most paranoid, security-conscious types, and any (respected) cryptographer is going to tell you that peer review is an absolute necessity. Peer review doesn't guarantee unbreakable algorithms, but if a dozen pairs of brilliant, and objective eyeballs review an algorithm and don't find any attacks, it's a hell of a lot more likely to be secure than some closed, proprietary algorithm.

    It sucks that I have to update the kernel of all my Linux servers. But this is reality when you use complex software. I still feel much safer using OSS with a peer review model, because this way I don't have to trust that a company with an agenda (i.e. profit) has my best interests in mind.

    Jason.

  20. Re:Bout Time on Announcing the KDE Quality Team Project · · Score: 1
    I've been waiting for this. Last time I filed a bug report with KDE I got some snotty reply from some programmer who said I was wrong (the bug got fixed in the next release and was listed in the changelog).

    Which bug?

    Jason.

  21. Re:Makes perfect sense... on Confessions of a Mac OS X User · · Score: 1
    It may not be easy, but linux, Windows, and others can be moved to different hardware from different vendors pretty easily.

    Err, huh?

    Jason.

  22. Re:Good for everybody on X.org and XFree86 Reform · · Score: 3, Insightful
    Try CTRL + KeyPad+ or CTRL + KeyPad- to cycle back and forth between the different resolutions.
    I find that simpler than "Click desktop -> Properties -> Advanced -> Tick new resolution -> Apply -> Yes, we are not dead -> Ok". But that's just me.
    Stop complaining :) You get a long way with knowledge....

    Except that those two tasks perform different things.

    Jason.

  23. Re:Things will change, just not right now. on Novell Not Pushing Ximian Onto SuSE · · Score: 4, Insightful
    'We don't expect to make Ximian the default user interface, and for the medium term KDE will remain the default GUI on SuSE Linux.' In other words, on the long term KDE will not remain the default GUI.

    This is so frustrating. People do this all the time. Please, for the love of god people, take a course on critical thinking, or a discrete math course where boolean logic is taught.

    Your words are not equivalent to what Novell has said. At best, you are making assumptions. Novell has not said what their long term plans are. They may set Ximian's desktop to be the default, or they may not. But you are simply plain wrong by saying "in other words ..."

    Jason.

  24. Re:sweet player... on MPlayer Alleges KISS Technology Violating GPL · · Score: 4, Insightful
    That looks like a sweet player. Go look at all the features. They include ogg support. Most people that use ogg are pretty cool and open-minded, so hopefully they'll open up what is required.

    Well, if they stole MPlayer's code, they get Ogg support without having to be cool and open-minded. :)

    Jason.

  25. Re:Obvious Physics on On NTSC Video, Blue Blurring, Chroma Subsampling · · Score: 1
    You need more reputable sources.

    You mean like an Anonymous Coward posting on Slashdot on Christmas Eve?

    Jason.