Right. I was responding to:
"The table is generated by creating passwords and hashing them until all possible hash have one matching known password."
I was pointing out the absurd consequences of that. But of course, it's not true. Rainbow tables are generated as you suggest, not as the anonymous coward suggests. You are done when you have hashed every plaintext of interest for every salt of interest. The table will cover an insignificant fraction of possible hashes and the probability it will ever encounter a single 'wrong plaintext that hashes the same' is negligible. That certainly isn't its primary purpose.
I can't follow your claim. You say "breaking the encryption head on" but then say "not the hash function or the public key encryption or the symmetrical key encryption". Breaking the encryption head on would have to mean breaking either the PK encryption or the symmetrical key encryption since that's the only encryption there is.
In any event, it's obvious that historically breaking the encryption head on, particularly the symmetric encryption, was a real issue. That's why the NSA worked so hard to hold down key sizes in exported SSL products. The NSA forced Netscape to make a version of their browser for International use with shorter keys, and since such a key could be broken in less than a week with less than $250,000 in hardware, it stands to reason that a few of them were in fact broken.
SHA-512 is a hashing algorithm that can be used to generate the hash that you actually sign with the low-level signature algorithm. To sign a digital certificate, you generate the secure hash of the 'inner certificate' (called a "TBS certificate" -- 'to be signed') and sign that, combining them to form the final, signed certificate. This is advantageous for a variety of reasons but it's necessary for one -- the low-level signature algorithm has a certain maximum length that it can sign and the certificate as a whole may exceed that.
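The hash-then-sign step described above, as an added example that is not part of the original comment. It uses textbook RSA without padding over a toy key built from two known Mersenne primes, and a constructed certificate-like DER structure with a placeholder algorithm field; real certificates use padded signatures (PKCS#1 v1.5 or PSS) and real OIDs.

```python
import hashlib

# Toy RSA key from two known Mersenne primes (constructed for this example,
# trivially factorable, never usable for real signatures).
P, Q = 2**521 - 1, 2**607 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))
MOD_BYTES = (N.bit_length() + 7) // 8


def der(tag: int, body: bytes) -> bytes:
    """Encode one DER TLV with a definite (short or long form) length."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + length + body


def read_tlv(buf: bytes, pos: int):
    """Return (tag, body_start, end) for the TLV that starts at pos."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        start, n = pos + 2, first
    else:
        k = first & 0x7F
        if k == 0:
            raise ValueError("indefinite length is not DER")
        start = pos + 2 + k
        n = int.from_bytes(buf[pos + 2:start], "big")
    if start + n > len(buf):
        raise ValueError("truncated DER")
    return tag, start, start + n


def raw_rsa_sign(value: bytes) -> bytes:
    """Low-level signature: only defined for inputs smaller than N."""
    m = int.from_bytes(value, "big")
    if m >= N:
        raise ValueError("input exceeds what the modulus can sign")
    return pow(m, D, N).to_bytes(MOD_BYTES, "big")


def sign_certificate(tbs: bytes) -> bytes:
    """Hash the TBS bytes, sign the digest, wrap all three parts together."""
    sig = raw_rsa_sign(hashlib.sha512(tbs).digest())
    alg = der(0x30, der(0x0C, b"toy-sha512-rsa"))  # placeholder, not an OID
    return der(0x30, tbs + alg + der(0x03, b"\x00" + sig))


def verify_certificate(cert: bytes) -> bool:
    """Re-hash the exact TBS bytes as encoded and compare with the signature."""
    try:
        tag, start, end = read_tlv(cert, 0)
        if tag != 0x30 or end != len(cert):
            return False
        _, _, tbs_end = read_tlv(cert, start)
        tbs = cert[start:tbs_end]  # tag and length included, byte for byte
        _, _, alg_end = read_tlv(cert, tbs_end)
        sig_tag, sig_start, sig_end = read_tlv(cert, alg_end)
    except (ValueError, IndexError):
        return False
    if sig_tag != 0x03 or sig_end != end:
        return False
    sig = int.from_bytes(cert[sig_start + 1:sig_end], "big")  # skip pad byte
    digest = int.from_bytes(hashlib.sha512(tbs).digest(), "big")
    return pow(sig, E, N) == digest


# Constructed "inner certificate": a name plus 300 bytes standing in for a
# public key, so the TBS is longer than the 141-byte modulus.
SAMPLE_TBS = der(0x30, der(0x0C, b"CN=example.test") + der(0x04, bytes(300)))


def tbs_too_long_for_raw_signing() -> bool:
    """True when the low-level primitive refuses the unhashed TBS."""
    try:
        raw_rsa_sign(SAMPLE_TBS)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    cert = sign_certificate(SAMPLE_TBS)
    print(len(SAMPLE_TBS), MOD_BYTES, verify_certificate(cert))
```

The verifier hashes the TBS bytes exactly as they appear in the encoding rather than re-serializing them, which is why any change to the inner certificate invalidates the signature.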
Actually, a simple salted hash *IS* a validated algorithm. But don't do it because some guy on Slashdot said it was okay. ;)
Well, even if you picked a relatively-weak 128-bit hash, there are 340 billion, billion, billion, billion possible hashes. So that would be one heck of a table. And if the hash was salted, you'd need one such table for every possible salt. For a 160-bit hash like SHA1 with 32-bit salt, your rainbow table would need over six thousand billion, billion, billion, billion, billion, billion entries. If you had a billion computers each of which could calculate a billion, billion hashes per second, you could perhaps fill your table in 4,777,094,000,000,000,000,000,000 years. I leave it as an exercise for the reader to calculate how many 2TB hard drives you'd need to hold such a table.
To be precise, there is no reason to use MD5 other than when you have to interoperate with something that uses MD5 and can't easily be changed or when you're already using it and it's good enough for your application. You're not using MD5 to verify your photos because it was a considered choice, you're using it because you have no particular reason to change it.
Cryptography doesn't work that way. The onus is on you to demonstrate that your scheme is secure. Anyone who doesn't have the expertise to do that (which is almost everyone) has to use a scheme that was developed by someone else and vetted by others as well.
It is trivial to make a scheme that you yourself cannot break. It is not that hard to make an insecure scheme whose insecurity cannot be easily demonstrated.
If QM is the mechanism for the will, then it's not random. It simply appears random from the outside, as any exercise of free will must. If my choice of breakfast cereal is an act of free will, then at best you can make probabilistic predictions about what I'll choose for breakfast (based on the constraints that are not part of free will). But my final choice will seem random to any outsider. So the fact that QM always seems random from the outside is consistent with free will working by the same mechanism.
You are correct that the part of the will that is not constrained cannot learn, but so what? The constraints are the learning. The will most certainly can choose what it learns, that's precisely what it does. I agree that the unconstrained portion can be argued to be blameless, but so what? My pinkie is also blameless for my choices. And in any event, if QM is the mechanism, then the constrained and unconstrained 'portions' are inseparable. An electron does not have a constrained and an unconstrained part.
To make an impossibility proof, you have to rule out every possible mechanism, and I don't think you can do that.
The fallacy in your argument is assuming that there is such a thing as a "chain of cause and effect". There is no such thing. It's an illusion caused by our tendency to think of effects as having but a single cause. We tend to think that throwing a match in a garbage can causes a fire, but in fact the fire requires oxygen, fuel, and many other factors. A more accurate view of cause and effect is that prior states constrain possible future states. If I'm in New York at 3 without some form of super-transportation, I can't be in San Francisco at 3:01. Nothing in the law of cause and effect requires that prior states wholly determine future states.
While the will must be able to cause things, it is incorrect to say it must not be caused by anything. It simply must not be wholly constrained by prior states -- and QM suggests that almost nothing is. As for whether it makes learning impossible, I submit that making this argument solid requires ruling out every other possible way learning could work. And there's one obvious one -- learning consists of adjusting the constraints on future decisions. To give an analogy, imagine a 1,000-sided die. Free will is like rolling the die. Learning is like changing the values on the faces. There is no reason we cannot exercise our free will today in a way that constrains, for the better, our free will tomorrow. (Kind of like marriage.)
You're misreading the sentence, look closely at the "license *requiring* part". No license requires that DirectX be licensed for the purpose of making derivative works as a condition of using it. You can use DirectX without licensing anyone to make derivative works of it.
"I challenge you to show me something GPL'd that is an original work, not a clear copy of someone else's previous work or idea."
By "work", we mean the work for copyright purposes. That specifically excludes any and all ideas. You can copy someone else's idea exactly and it can still be an entirely original work for copyright purposes. Ideas cannot be protected by copyright, only by patent.
"Apple says that any license agreement is between developer and end user, and Apple is just helping to put the app onto the end user's device."
This is called "distributing" and it is illegal to do without permission of the copyright holder. If you take a work that has elements that you received under any version of the GPL, you cannot authorize Apple or Microsoft to distribute those elements that you did not author. Only the GPL can do that, so Apple or Microsoft would have to comply with the GPL. They cannot make the work available to the public without obtaining the right to do that somehow. See 17 USC 106(1) and (3).
I think what you're missing is that Microsoft has solved the copyright issue by insisting that those who post applications in the Windows market also grant Microsoft the right to distribute those applications. If you received a library under the GPLv3, you cannot grant anyone the right to distribute that library. Microsoft does not wish to be bound by the GPLv3 and distributing works covered by it would bind Microsoft to it.
How do you do that? If the application uses a library covered by the GPLv3, how do you release a closed source version of it exactly? I think you're missing the entire point of this -- Microsoft doesn't care if you release an open source version of the application. *They* don't want to be bound by the open source licenses. The problem is that in order to submit an application to Microsoft's market, you have to be able to give Microsoft the right to distribute it. If you received some parts of that work under the GPLv3, you have no ability to grant distribution rights to Microsoft.
To state the correct understanding of how the GPL works:
When you receive a work covered by the GPL, you have all the rights granted to you under copyright law. This includes fair use, first sale, and so on. In addition, should you wish additional rights to the work, you are offered a license that grants additional rights. Technically, the license for each bit of code is offered to you by the author of that particular piece of code. The person who happened to distribute the code to you has no authority to offer you any license to code he did not author and the GPL does not permit anyone else to offer you rights.
The GPL makes this 100% clear in section 6 of version 2:
"Each time you redistribute the Program (or any work based on the Program), the recipient automatically receives a license from the original licensor to copy, distribute or modify the Program subject to these terms and conditions. You may not impose any further restrictions on the recipients' exercise of the rights granted herein. You are not responsible for enforcing compliance by third parties to this License."
That is 100% complete nonsense. I don't know where you got that from or whether you just made it up, but *NONE* of that is true. The GPL is not a contract, the GPL is not an EULA. The GPL cannot take away *any* rights. You do not need to agree to the GPL if you do not wish to. You are not required to somehow 'bind' recipients to the GPL in order for them to be qualified to receive a work covered by the GPL.
"But since this isn't sales First Sale Amendment doesn't apply."
Umm, what? First sale has nothing to do with whether or not something is sold. It says exactly what it seems to say -- if you lawfully possess a copy of a work, you can sell that copy without permission from the copyright holder.
"Or to give a simplified example: if the law worked as you say I could just make 50,000 copies of my favorite DVD and give them to my friend Joe. Joe would then proceed to sell those 50,000 copies."
No, you can't because those 50,000 copies would not be "lawfully made" as 17 USC 109 requires.
I'm right about this. It's simple, obvious, and non-controversial. You can choose to understand it or not.
Did you read 17 USC 109? It specifically gives you the right to sell a copy that you lawfully made and own. The license cannot take this right away. A "you can do anything but sell it" license cannot work because the license gives you the right to do anything but sell it and 17 USC 109 gives you the right to sell it.
Look at my specific example again: Joe makes 50,000 copies of the assets and gives them to John for free. Joe has not violated the license since he hasn't sold anything. John is now the legal owner of 50,000 particular copies of the assets. He can now sell all 50,000 of them. Joe gets his right to sell from 17 USC 109, which the license cannot take away.
A "you can do anything but sell it" license simply cannot work under US copyright law.
Yes, they can be, unless the DMCA safe harbor applies. See, for example, Fonovisa v. Cherry Auction. Apple both enables, and benefits from, this infringement.
So they're selling the GPL'd code and including the assets for free. It sounds like they just failed to make this clear.
In any event, a "you can do anything but sell it" license can't work, due to 17 USC 109:
"[T]he owner of a particular copy or phonorecord lawfully made under this title, or any person authorized by such owner, is entitled, without the authority of the copyright owner, to sell or otherwise dispose of the possession of that copy or phonorecord[.]" - 17 USC 109
You can make 50,000 copies of the assets and then give them to me. You have complied with the license, since you didn't sell them. I can then sell them, since 17 USC 109 gives me that right and a copyright license cannot take away any rights.
The child's autism is relevant if it gave him some unusual ability to play video games so well that this caused Microsoft to erroneously determine that he was cheating when he wasn't. We now know that this is almost certainly not what happened because Microsoft specifically investigated this possibility and found definitive proof of cheating. They have no incentive to lie about this -- they'd much rather be seen as doing the right thing than picking on an autistic child.
Umm, no. It was not clear that Microsoft's policy and enforcement ever considered the possibility that the boy was an unusually good player that made it appear that he had cheated. Now, it's clear that the head of P&E personally analyzed this case, specifically checking for the possibility that the boy may have had unusual skills and put his reputation behind the conclusions that the boy definitely cheated.
This makes the mother's original claim totally implausible. She said Microsoft made a particular type of error that they may never have considered it was possible to make, Microsoft investigated and concluded they did not make that specific type of error. Microsoft says they provided evidence to the mother.
The ball is now in the mother's court. Until and unless she claims Microsoft's evidence doesn't satisfy her or that she has some way to know her son didn't cheat, Microsoft's case is much stronger than hers.
That won't work because there's no way for the video site to know for sure that it's talking to an Intel CPU. One could simply mimic the CPU's function in software and extract the session key.
The only way to make that work is to essentially put a hardware token inside each CPU. The token would have to contain a private key that could not be read out and a certificate proving that the corresponding public key was secured by Intel in one of their CPUs. The public key and certificate would have to be extractable.
Thus, the session key could only be decrypted by the CPU itself, since only the CPU would have the private key that corresponds to the signed public key. The CPU hardware would have to limit what you could do with the session key. Obviously, it could not let you extract it. Equally importantly, it would have to decrypt the stream in hardware and restrict heavily what you could do with the decrypted stream.
If it was correctly implemented along these lines, the only way to break it would be to find a point at which one could access the decrypted stream, likely where it exits the CPU/GPU to go to the sound and video output hardware.
The information does not seem to be public. I've searched Intel's web pages, and I can't find any information on what exactly is in the CPU. Are there particular instructions that it uses? Are there particular algorithms that it implements? If so, which ones? There's basically nothing there. From the web page, you can't even tell if there's actually anything special in the processors at all or if it's just software that Intel only allows to run on those CPUs.
Oops, or maybe it will. It depends exactly which check we're talking about.