TPM is designed to detect changes to specific protected operating system files so that the owner knows that they haven't been tampered with. SuperDRM spy reports?:-O That's some might fine tinfoil you have there...
How well do you understand the Remote Attestation system? If you have any doubts about what I said I will gladly explain it to you, and cite the documentation to back it up if you like. I just need some clue how much of it you already understand and how technical (or non-technical) you want the explanation to be. I am a programmer and I have studied the entire 332 page technical specification for the TPM chip, and studied all of the other technical info I've been able to find. I have have an extensive and very technical understanding of the chip and how it operates with software, and I have a less detailed picture of the Trusted Computing infrastructure they are building around the chip.
Yes, the TPM is capable of telling the owner whether anything has been tampered with. But saying that is like saying telephones are an in-home intercom. Yes, two phones on the same line in you home do act like an intercom, but that wildly misses the designed functionality of telephones.
Remote Attestation is designed to be able to securely report to ANYONE exactly what is BIOS/Bootloader/OperatingSystem/other-software is running your computer. And when I say "securely report" what is on your computer, I mean that this report is specifically designed to be secure against the owner. You can control whether your computer answers requests for this Remote Attestation report, but you the owner are unable to control or alter the contents of this report. The TPM will not permit you to alter the contents of the report, and the TPM cryptographically signs the report it sends. An unsigned Attestation is invalid, and any attempt to modify the TPM's signed attestation invalidates it.
So when I called it a "SuperDRM spy report" perhaps I was overly casual and colorful with the language, but it was essentially correct. The TPM is designed to keep a secure log of your system - and this log is specifically kept secure against "tampering" by the owner, and the contents of this log are specifically intended to be sent REMOTELY - meaning to other people over the internet a and again the TPM cyrptographically secures this report against "tampering" by the computer owner. It's all logged and secured in a "Super DRM secure against the owner" manner, and it's the chips "spy" log of what it has watched on your computer You can look at it to verify that your system files haven't been tampered with, but it also enables other people to check that your system hasn't been "tampered with", and that specifically includes verifying that YOU have not "tampered" with anything.
And after validating what BIOS you have and that you haven't tampered with it, and after validating what operating system you have and that you haven't tampered with that, and after validating exactly what program you are running and that you haven't tampered with that, the chip enables that validated program to securely add anything and everything it wants as additional information in that Remote Attestation.
It's easiest to illustrate it with a DRM example, because that is precisely what it is tailored to. Say you want to watch Hollywood movies on your computer. You connect over the internet to the MPAA's movie servers. They ask for a Remote Attestation. They examine that Attestation to verify that you have an approved BIOS and that you haven't tampered with it, and that you have an approved operating system and that you haven't tampered with it, and that you have an approved video card and approved video drivers and that you haven't tampered with them. (And of course all along the way "approved" means software that won't violate their DRM.) And then the verify what program you are running right now - they check that you are running their own DRM-enforcing video player. And of course Remote Attestation is validating that
TPM can be used for good or for ill. It's a tool. Tools are amoral.
In a narrow sense that is literally true, objects themselves are amoral. However there is a hell of a lot more context here than merely saying object X exists. Human acts and intentions are not amoral. The act of designing a new tool can be done for purpose and with an intent. The statements made about that tool can be honest or dishonest, for a purpose and with an intent.
Lets take for granted that bullets are a neutral tool, and even further state that teflon coated bullets are neutral. However anyone claiming teflon coated bullets were designed and intended for deer hunting is obviously lying. You don't need teflon on a bullet to hunt deer. The act of designing and building teflon coated bullets was done with a purpose and intent. The purpose and intent in the acts of designing and building those bullets is to pierce kevlar and similar protective vests. And I will even declare that that in itself is morally neutral, as the further intent can be for killing cops or killing Nazi soldiers. My two points here are (1) the design of a tool itself can patently reveal that least some of the purpose and intent of the designer which may bear some moral significance and (2) it can bear some moral significance when someone to patently lie that teflon bullets were designed for deer hunting.
And if I may stretch this analogy beyond the breaking point, it can bear moral significance if someone were to act coercively to force people to buy teflon bullets, and it may bear moral significance when someone acts to prohibit people from buying and selling non-teflon bullets.
Now to drop the broken analogy, anyone claiming TPMs were not designed to DRM-lock computers against their owners, they are at best badly misinformed and at worst outright lying. Saying TPMs were designed for pro-owner computer security is as false as saying teflon bullets were designed for deer hunting. The TPM technical specification explicitly treats owners as the enemy - it explicitly refers to so-called "rogue owners" owners and mandates that the TPM be designed against the interests of the owner. The overriding design criteria of the TPM is to forbid the owner himself from knowing or using his own master TPM keys, it endlessly mandates all of the things the owner is forbidden to do. The overarching design criteria is to lock the chip (and associated computer) against the the owner.
The TPM is designed to be secure against the owner. This is teflon. You don't need teflon to hunt deer, and anyone trying to defend teflon bullets by referring to deer hunting is at best badly misinformed and at worst outright lying.
People can debate the positive or negative moral value of trying to turn computers into UberDRM machines massively locked down against the owner (I certainly have strong opinions on that), but it is ill informed or an outright lying for anyone to deny that that was the intent and purpose in the act of designing the chips, that it was the intent and purpose in manufacturing the chips, that it is the intent and purpose of certain corporations using coercive methods to deploy this plan, and tat it is the intent and purpose in prohibiting anyone from buying or selling compatible chips where the owner *is* in control or does know his own chip's master key.
Objects themselves are amoral, however it is excessively pedantic and linguistically awkward to divorce the object from the context of actions and intentions intimately related to that object.
A virus is inherently an amoral object. If virus that was designed to be distributed by hospital injections and safely provoke a human immunity, one can refer to that act of distribution as a good thing, or even casually refer to the virus itself as good. If a virus was designed for airborne distribution in perfume and to provoke lethal smallpox, one can refer to that act of distribution as a bad thing, or even casually refer to the virus itself as bad.
You were right the first time. I'm a programmer and I've studied the 332 page TCPA Main TCG Architecture v1_1b.pdf design specification. It explicitly refers to the owner as an attacker and it specifically mandates the chip to be secure against the owner himself. And yes, in simple terms it is designed to provide insane DRM-type lockdown for computers.
One of the big TPM public relations lines is how it's all "opt-in" and "you're in control". As in opt-in handcuffs. As in new software that refuses to run unless you "opt-in" and "voluntarily" choose to put on handcuffs. As in files that you can't open unless you voluntarily "opt-in" to handcuffs. As in websites that you can't view unless you "opt-in". And best of all they've come up with something they call Trusted Network Connect (TNC). It enables your ISP to preform a "health check" to ensure your computer is patched and up to date and not infected with any viruses or anything. Of course, it can't preform that "health check" unless you have a Trust Chip in your computer. And of course it can't do that "health check" you "opt-in". And of course if you fail the TNC "health check", or if you decline to voluntarily "opt-in" to the TPM system, or if you don't have a TPM chip, or if you don't have the EXACT approved operating system, or if you're not running the EXACT mandated software, well in that case the ISP can't validate that your computer is not infected.... can't validate that your computer is not a threat to infecting other computers on their network... they can't validate that your computer is complying with whatever terms of service the ISP wants to make up for your computer.... if you can't or won't opt-in and pass the TNC "health check" then your network connection is denied.
No ISPs are using TNC today, and they aren't deploying it tomorrow, but yeah that is exactly what it is designed to do. In time, if this Trusted Computing crap is successfully deployed, then yeah eventually you may be denied internet access unless you voluntarily "opt-in" to Trusted handcuffs.
One of the primary functions of the TPM is to act as a spy inside your computer, logging your exact hardware and exactly what software you run and more, and sending that cryptographically certified spy report out over the internet. It's called Remote Attestation. That's how Trusted Network Connect works so that an ISP can check that you're not infected with a virus or something. The ISP asks the TPM for the spy report and they check that you're running an approved unmodified operating system and approved unmodified software.
Another chip function is called Sealed Storage. In simple terms that means SuperDRM files. Sealed storage means your files on your computer are encrypted, that you cannot read or modify your own data. The chip refuses to open Sealed files except with specific approved software - in other words the files can't only be opened with the specific unmodified approved DRM software.
Another fun point is that the TPM effectively destroys much of your data if you alter your "security settings". You "voluntarily" "opt-in" to some insane anti-owner "security settings", and then your data vanishes if you alter the security settings. See? You're in complete control! You can set any security settings you want, and you can change them at will, but NOTHING WORKS unless you send an internet Remote Attestation proving you've opted-in to Evil(tm) settings, and your files vanish if you change your security settings non-Evil(tm).
And this Slashdot story is about someone ripping open one of these chips to directly read it. Each chip has a unique master key locked inside (actually more than one, but that doesn't matter). It's basically your master key controlling all if the security on your computer. If you can read out this key then you gain full control of your computer. You can open the locked files, you can control the spy reports, you can run whatever software you want, you can use the master key to modify your security settings at will. With the master k
That's like denying the purpose of teflon coated bullets is penetrating kevlar vests. It would be ludicrous in the extreme for someone to say teflon coated bullets are for deer hunting.
The primary design criteria for TPMs is to secure computers against their owners. The TPM technical specification explicitly refers to the owner as an attacker and mandates "security" against "attacks" from the owner. The overriding design criteria throughout the specification is denying the owner access to his own master key, the Private Endorsement Key.
Let's go over you denial, point by point:
Um, no. TPMs are designed for three things: 1) establish a hardware root of trust for boot (i.e., make sure that you're actually booting your OS and not a rootkit first)
The mere knowledge of my key does not alter my computer's function. The mere fact that I know my key does not not diminish my computer's capability to "establish a hardware root of trust for boot (i.e., make sure that you're actually booting your OS and not a rootkit first)".
The sole purpose of forbidding the owner to know his own master key is to attempt to secure the computer against the owner, to establish a "hardware root of trust" against the owner.
2) provide lightweight, secure and fast cryptographic operations
Lets break that into three pieces.
Lightweight. Yes. And not merely lightweight, the design criteria is explicitly for TPMs to be dirt cheap so they can be included at negligible cost in all computers and other consumer electronics at negligible cost, included by default. And in accordance with that cost criteria they are deliberately designed to have minimalistic power and capabilities. Which directly leads into the next point:
fast cryptographic operations Absolutely NOT! It is completely laughable when people try to justify TPMs as any sort of "cryptographic co-processor". The "lightweight" design constraints for these chips are such that a a single cryptographic operation is permitted to take a half second or more. Preforming cryptographic operations on a PC's main CPU will typically be a hundred times faster than using a Trust chip to do it.
secure Yeah, "secure". As I said the specification explicitly mandates the chip be secure against the owner.
A normal bullet does not require a teflon coating, and normal security does not require securing the chip against the owner.
(so you don't have to do something stupid like store a cryptographic key in plaintext on your HD)
You're citing deer hunting. When we're talking about "what teflon coated bullets are for", and you answer "deer hunting", I don't know whether you're insulting my intelligence or if you just don't get it, or what's going on. You are NOT going to find teflon on a bullet if it were actually intended and designed for deer hunting. You do not need teflon to hunt deer, and you don't need to secure a computer against the owner for "so you don't have to do something stupid like store a cryptographic key in plaintext on your HD". A normal pro-owner chip can do that. An owner can know his master key, and you can do that.
3) allow remote attestation of a computer's software stack (i.e., verifying the integrity of the OS and other pieces of software...very useful for distributed systems).
Again, the mere knowledge of my key does not diminish my computer's ability to give me remote attestation verifying the integrity of the OS and other pieces of software.
And again, the purpose of this chip, the design criteria and the design purpose and the primary function of TPM remote attestation is to verify the "integrity" of the computer against the owner.
ANTI-OWNER "security" is not security.
there are applications of TPMs for DRM, but that is a side effect and not a primary factor.
That's exactly backwards. The central design criteria of the TPM specification is that the owner if forbidden to know or co
>The purpose of this key is that it should be kept secret and never realized off the chip, not to software, not to any other board component."
Without that key how do those other pieces of hardware know they're in the proper system? C'mon, there's a basic request/response mechanism that HAS to happen along the line somewhere for identification and verification.
Is called Public Key Crypto systems. In normal old-style crypto you have a secret key or password to encrypt something, and then you need the same secret key to decrypt it. This uses a different kind of crypto that creates special key-pairs. You use one key to encrypt or sign something, and you use a different key to decrypt it or validate a crypto-signature. This means that you can can make one of the keys completely public, only needing to keep the other half of the key-pair secret.
The Trusted Platform Module is specifically designed to secure the computer against the owner. The technical specification for the chip explicitly refers to the owner as the enemy, as a potential "attacker".
The way the chip works is that the manufacture generates these sorts of key-pairs, one half is the public half. The chip freely hands over that public half to the owner or anyone else. You can literally publish that public key on the front page of the New York Times. The other half of the key-pair is the private key, and the chip is explicitly forbidden to ever know or control the private key locked inside the chip. The way the chip works is very complicated with multiple layers of 3encryption, but I will will simplify it down as if it were a single layer. What happens is that the public key is given out to other people and they can encrypt stuff with that key, then they can send you the encrypted data and YOU can't read it or alter it because your private key is locked inside the chip. This encrypted data is then handed to the Trust chip which uses the secret private key to decrypt it, inside the chip, explicitly to deny you access or control over your own computer. The point of this is so that other people can send keys or files or other data to your computer while denying you the ability to see or alter any of it. It's like SuperDRM communication so other people can talk to your computer, specifically to be secure against you the owner. Note that one of typical secret messages they send into the chip is additional crypto keys, so that the chip can use those new keys to encrypt OUTGOING messages from your computer, specifically to prevent you from knowing what messages are being sent out of your computer, specifically to prevent you from altering the data being sent out of your computer, specifically to prevent you from controlling the data being sent out to other people.
The Trust chip also uses the secret key to encrypt files saved on your hard drive, so that you cannot read or modify your own files. The technical term for this is "Sealed" data. You cannot read or modify sealed files. The Trust chip refuses to decrypt Sealed files, except for specifically approved unmodified software. So these are like SuperDRM files and they cannot be read except by specifically approved SuperDRM software. Again the entire point is to secure the computer against the owner.
One of the primary functions of the chip is something called "Remote Attestation". The Trust chip acts as a spy, logging your hardware and precisely tracking the software you run on your computer and various data on your computer. The Trust chip uses the secret key to cryptographically sign this spy report so it can be sent out over the internet. Other people can then use the public half of the key to validate this spy report. And again the entire point of this is to secure the computer against the owner - to be able to send out secure SuperDRM spy reports from your computer while preventing you, the owner, from having any ability to modify or otherwise control these Trust spy reports. The point of the public key is for other people to be able to be able
From your other post: why is any expression of scepticism on any scientific issue automatically associated with intelligent design?
For me, and probably almost all of the people you are referring to, Intelligent Design is absolutely NOT associated with scientific skepticism. In fact that is the very point - Intelligent Design is the icon for NOT-scientific-skepticism masquerading as skepticism. It is the icon of mindless-denialism and persecution-complex-conspiracy-theoryism trying to claim legitimacy for itself under a charade of Reasonable Skepticism.
Speaking for myself, I consider scientific skepticism to be vitally important. I hold it is such high regard that I am deeply offended when I see the ghosts-and-goblins-brigade attacking it and undermining it and threatening to destroy it by falsely labeling mindless dogmatic denialism as Reasoned and Reasonable Skepticism, when I see them trying to sell blatant crackpottery as if it were Reasoned and Reasonable Skepticism, when I see them trying to sell paranoia and persecution complexes and conspiracy theories as if they were Reasoned and Reasonable Skepticism.
I absolutely agree that the scientific process relies upon people and that people are often very fallible. I absolutely agree that the scientific process as-implemented-by-people is imperfect. I absolutely agree that the scientific community is imperfect. But given a little time the scientific process is pretty dang good at getting past individual human errors and latching on to any valid and useful results.
The original post in this case has said in part "high-quality research of others basically shut out by the peer review process". If you submit "high-quality research" for peer review, yes it is entirely plausible that the reviewer was wrong. It's possible that the reviewer didn't understand it, or that the reviewer might have been too stuck in the mindset of prior-science, or maybe he had some financial or ideological bias. And if you submit it somewhere else for peer review, and it is rejected a second time, yes maybe you deserve the benefit of the doubt that maybe it was improperly rejected twice.
But that is not what we are talking about here. The poster was ranting about things being SHUT OUT by peer review. When someone submits their paper to four and five and more INDEPENDENT expert scientific reviews, that is kinda a hint that it is time to consider that the error might just be the paper. It's time to consider that maybe... just maybe... it actually isn't "high-quality research". It's time to consider that maybe.... just maybe... that it is the author of the paper who might have made an error, the author of the paper who might be ideological, the author of the paper who might be biased, the author of the paper who might be an outright crackpot.
The poster was implying that valid science was being systematically suppressed by the peer review process.
Maaaaaybe it's just the way I read it, but it did not sound to me like an "expression of scientific skepticism". It sounded to me like an unreasonable and unreasoning person with an ax to grind because his ideological bogoscience cause is systematically refuted and rejected when subjected to scientific scrutiny. By far the number one ideological cause whining about peer review rejection is Intelligent Design and the rest of the evolution denialists. The number two cause is by far the Global Warming denialists. After that it becomes an ocean of countless small causes such as the paranormalists, the Ghosts and Goblins Brigade.
Yes but my point is that there's no link between the scepticism most scientists and a lot of laymen are capable of (including the public at large) and belief in intelligent design.
Agreed. That is exactly the point. Mentioning Intelligent Design is meant as a way of saying "I do not think that is Reasonable Rational Scientific Skepticism".
ID is always wheeled out whenever anyone subjects a scientific hypothesis to criticism on a public forum.
Oh god, I actually hear her voice just reading your post.
Boxxy is a serious love-her-or-hate-her internet phenomena. If there were Boxxy bots, half of them would be fucked raw by drooling Boxxy fans and the other half would be beaten into Itty Bitty Boxxy Bits by irate Boxxy haters.
As a mathematician and programmer... it's not nearly as frightening as it first appears, looking in from the outside. Challenge yourself, and you will be rewarded.
I'm a math geek and a programing geek. I sympathize with your "Challenge yourself, and you will be rewarded" comment, but not everyone is mathematically inclined. While I certainly encourage people to take more math, not everyone will be rewarded for struggling with fields outside their talents. One can be a talented programmer without being advanced-mathematically inclined.
My first post was well received and your post inspired additional thoughts, so I will go over some of the areas I agree or disagree.
To be clear, my standard for what a programmer should study will be based on two points. First I will consider a figurative "90% of programmers at Microsoft", what they need to know and what they actually use. Second, I distinguish between things you need to understand, and things you can look up in a book and blindly copy-paste into a program.
Graph theory is really useful for manipulating problems when you have a set of object and various "connections" or "relations" between them.
A lot in programming is involves graph theory. A lot of data comes down to things with connections or some sort of relationships. If your data is list of people and who is friends with who, that is a classic graph. Many basic data structures are explicitly graphs, like linked lists and binary trees. All programmers deal with graph theory even if they don't realize it. Of course, those who don't realize that is what they are doing, and haven't studied it, might be doing it poorly. This s definitely on the important list.
Then there's Linear Algebra... 'matrix' or 'vector'
I struggle with classifying this. It is absolutely fundamental to a lot of graphics and I personally place a big connection between programming and that sort of thing, enjoy that stuff. But 90% of Microsoft programmers probably never touch that sort of thing. And if you are merely using a good graphics library and you only do basic stuff with it, then you may never need to see or touch or understand that sort of math. Outside of graphics, I have this nagging feeling that knowing that stuff is good and useful. However it may just be because that's how I think about things and that's the sort of mathematical software I like to do. It feels important to me, but I find it hard to rationally back up why a typical non-mathematical programmer needs it. Maybe it's just my pro-mathematical bias, but this is an area I advocate.
Calculus is relevant to programming in two different ways... tools as the Fourier series, which is what mp3s are based on, and... big-O runtimes of different algorithms.
Here I have to strongly disagree. Virtually all programmers can get by without calculus.
No programmer in his right mind should be meddling in MP3/JPEG/MPEG calculations, not unless he is specifically a mathematician-and-programmer specifically doing research work. Not only can that math be copy-pasted without understanding it, it is absolutely vital that it must be copy-pasted unaltered.
Big-O runtime is indeed important and should be covered in the very first algorithms course, but you don't need to know calculus for it. You can learn all you need to learn and do all you need to do about Big-O even if you are 90% incompetent at algebra. All you need to do is be able to follow the size of the largest exponent while throwing everything else away. There is one thing calculus teaches for Big-O, and I can trivially say it here. If you don't know the Big-O for an algorithm, but you can figure out the "Big-O" size of describing the amount of work you do when increasing n by one, just add increase that exponent by one and you have the Big-O for the algorithm. If it takes 100 unit of work to go from n=100 to n=101, and 1000 unites of work to go from n=1000 to n=1001, then your "single step Big-O" is BigO(
This This is a gross simplification, but there are sort of two kinds of math. There's logic math, and there's numbers math. It sounds like the the two courses roughly divide according to this line. When most people hear math they generally think of numbers math.
If you are a programmer then you do already love the first kind of math, and it does love you back. It's the second kind of math, the ugly numbers math, that scares you.
Math is not merely "important in programming", programming literally is a specialized form of math. Most people don't realize programming is math because because people think of "numbers math" when they hear the word math. Everything software is and everything software does is "logic math". The math of manipulating complex information, the math of manipulating complex logic relationships.
The math of manipulating data.
'Discreet structures with graph theory' (discrete math; proofs, sets, algorithms and graphs)
Programming extensively uses sets, discrete math, and graphs to organize data, to understand data, to manipulate data. A program is literally nothing more than one big algorithm built up out of several smaller algorithms. And in a deep sense, programs and proofs are the exact same thing. There is a math proof that every program can be directly translated into a proof, and every proof can be translated into a program. They are fundamentally identical things with identical logic and identical properties. Reading proofs and writing proofs uses the same precise step-wise logical analysis as reading and writing software.
This course is the math that is the very essence of programming. It's the sort of math and logic that you already you already use every day as a programmer without realizing that it is math - the sort of math you *will* use every day in the future as a programmer. The insights and logic skills in this course will directly advance your every day skills and capabilities as a programmer.
'Selected math chapters' (math analysis; vectors, euclidean space, differentials)
There are things that can be useful *in* a program, but they are not really useful *to* programming. For example if you want to handle or simulate physics-systems, falling rotating moving objects, manipulating 3D objects and graphics, then vectors acre extremely important, along with good intuitive spacial skills. The math analysis and differentials are generally even more rare and specialized. Computers are fantastic at handling that sort of stuff, and sometimes you really need an advanced math-programmer to do literal "rocket science" aerodynamics and orbital mechanics, but most programmers will never need to touch the stuff. You don't need scary-math analysis or differential equations to program an operating system or a webserver or any normal business application.
If you're not doing that sort of sciency-math programming, then you'll never use that stuff. If you're not working on that stuff but you do come across a case where you need to pull in a small piece of that stuff, you can usually just copy-patse in the ugly equation you need even if you don't have any grasp of the math behind it.
The biggest issue there is if you want to do 3D graphics manipulations. A lot of those math equations can be copy-pasted in semi-blindly, but you will seriously choke on that sort of work unless you are good with vectors and have a good intuitive spacial skills.
So in short you definitely want to take the 'Discreet structures with graph theory' course. It will make you a better programmer. The other course merely allows you to specialize as a mathy-sciency-programmer. Take both if you're up for it, but that sort of mathematical programming is not everyone's cup of tea. You can get by fine without it.
one assistant told me that it would be more useful for a programmer compared to the first subject. Then again, he's not a programmer.
Exactly - he's not a programmer.
He sees the course expanding your ability to write programs
That is correct, but I consciously left that technical complexity out of the simplified explanation. It doesn't fundamentally change the point I was explaining. What they should be doing is storing a key-length random garbage on the hardware, hashing or encrypting that random garbage with your password to generate a key, using that key to encrypt the data, and never storing that key anywhere. That way the key itself is properly random, and more importantly the key is not stored on the device. Then you can't decrypt the data without the password.
Instead they store the naked key along with your data - which for all practical purposes is the same as not encrypting the data at all. Never never NEVER store the actual key along with the data. The ONLY time you ever need to do that is with DRM. And the fact that DRM requires you to store the key with the data just comes back to the point NEVER store the key along with the data. There is no actual encryption if you're storing the key along with the data. DRM fails exactly because it doesn't (and can't) use any actual encryption.
this type of device would be significantly more secure if the password verification to access the key happened on the USB hardware
There is some security value in that sort of hardware, but no real encryption security. You could just use that hardware password verification to access stored plain data. Beating hardware to access a stored key is no more difficult than beating hardware to read naked data. If the key is in there with the data then the data is effectively not encrypted at all.
For most purposes here it doesn't matter if things are done in the hardware or in software. The important thing is that the key is never stored in the hardware or software. You store a random value and use the password plus random value to generate the key.
In the former, all a person has to do is get my password because there is (essentially) a map of how to put together the encrypted data to be read
They do not need to get your password.
With your jigsaw puzzle analogy, either the puzzles are jumbled the same way Either the there's one set of public instructions to descramble the puzzle, or the instructions to descramble the puzzle are printed inside the box.
The hardware is that box with the jigsaw puzzle. Anyone can plug one of these devices into their computer, and they can either use the public instructions or use the instructions printed in the box. They do not need to your password.
Along with the hardware they gave you some software. That software is programmed to ask for your password before talking to the hardware, but that doesn't matter. You don't need to use their software, or you can modify it. The box itself has no actual protection. You just can tell the computer to talk to the storage device and directly tell it to hand over the descrambled data.
Note that they approve the module and not the access software. The flaw is in the access software.
As a programmer and hardware geek with a passing familiarity with crypto. It is quite clear what this device is doing (and what it is not doing). In fact the design issue here is so fundamental and blatant that I hesitate to even call it a "flaw". The hardware does not actually offer any crypto security at all, none.
The hardware is doing one of two things, although I don't have enough information to be sure which of the two.
The less likely possibility is that all of these modules are encrypted with the exact same key. To use the standard car analogy, it's like a manufacture advertising that their cars use super-secure AES locks on their cars (and yes AES locks are insanely uncrackable locks) but they manufacture all the cars to use the same key. The software us written not to sick that key in the car unless you enter your password, but that is not a software flaw - the is hardware designed to open for anyone who sicks in that public key. It is flagrant deception to advertise these cars as being "protected by super locks". Yeah, the superlock is technically present but it is effectively unused. Anyone can stick in the blank key and drive off with your car and your data.
The second and much more likely possibility is that each car lock really does use different random keys, but the hardware actually keeps a copy of that key mounted inside the lock, and the car merely has a button on the outside of the door to rotate that key in the lock. Again the software may be written not to press that hardware button unless you enter your password, but again it is not a software flaw. The hardware flaw is that it stores the key duct-taped to your data, and to make matters worse the hardware has a public button to automatically use that key to unlock your data for anyone. Again, the "superlock" is technically present, but again it is effectively unused.
Either way, the hardware is designed to open for (1) anyone with a blank key or (2) anyone without any key at all.
Tossing unused solar panels in the trunk of a car does not make it a solar powered car. That's not a "flaw", and it is completely false to advertise it as a solar powered car.
This hardware is advertised as superduper AES data encryption, but the hardware does not actually bother to use your password to encrypt the data.
Firstly, I'll admit I misinterpreted your position. Some of what you said in your posts sounded to me like comments and arguments I've heard before from crusading religious types., people who take their holy scripture as the ultimate definition of morality, and who explicitly or implicitly declare atheists to be inherently immoral and evil.
It's interesting that you'd bring up the golden rule there - do unto others etc, especially as it has a very religious undertone and was mainly fleshed out by Kant, a Christian.
Kant? Christianity? Mere copycats reinventing the wheel:D
We can go back at least to 500 B.C. with one of Confucius's student's asking "Is there any one word that could guide a person throughout life?" and Confucius repling "How about 'shu' [reciprocity]: never impose on others what you would not choose for yourself?". The Golden rule may be phrased as 'do unto others' to Confucius's 'do not do unto others', but they are clearly mirror image forms of the identical principle.
Just because religions are mythology does not mean they cannot also teach truths and wisdom. In fact I wish Christians would actually pay more attention to studying and following the teachings of Christ. Christ was great and insightful moral teacher, and he said a lot true and valuable things. A true and valuable teachings remain true and valuable teachings, even if the teacher can't walk on water and even if he isn't resurrected from the dead.
Essentially all religions from Native American polytheism to Christianity agree on the fundamental points of morality, and where religions agree on morality that morality is effectively identical to morality as defined by atheists. Some people insist that morality is defined by God and uniquely revealed in their favorite scripture, but the principles and understanding of morality long predate any existing religion. Moral understanding and teaching was independently incorporated into each religion. Where religions conflict on morality its is non-moral cruft that got rilled into one religion or the other. Several religions have a "Law From God" forbidding the eating or pork or other 'unclean' foods. Well those were actually valid useful rules - for example pork used to be infected with nasty parasites and eating pork caused nasty diseases. A useful privative society rule and teaching, which has nothing to do with God or morality. And lots of barbaric rules and teachings got rolled into the "moral code" of Christianity and Islam and other religions. The Old Testament Bible teachings on women are at times as bad as the most abhorrent modern radical Islamic treatment of women.
Religions can teach 2+2=4, and they can also teach 3+3=5. The only odd thing here is that you think it it unusual or notable that Christianity says something (the Golden rule) that is substantially equivalent to what I argued. Truth is truth, moral truth is moral truth, and I do not find it unusual that Christianity copied some of that truth into it's moral teachings. I do not find it unusual or an embarrassment when a major religion agrees with principals of my moral reasoning:)
I don't *want* to live in a world where there is no right or wrong
Right. Human nature, most people have empathy, most don't want to want to be cruel hurtful destructive fuckers, most people want to see themselves as good people. People do not need orders from the sky to know that some things are good or bad, right or wrong. People do not need to be afraid some invisible magic man is going to torture them, in order to be good people and do the right thing. It feels better and it's rational and it actually works better. Many immoral things offer short term rewards, but in society in the long run morality actually works better. There is no God dealing out Karma for every bad thing you do, but in a sense karma is correct. People who lie and cheat and steal will find themselves surrounded by people who lie and cheat and steal. Good people who g
Where is it written that the BBC isn't allowed to encrypt or restrict its broadcasts? Is that a law I'm unaware of?
Exactly. TV broadcasts are legally required to be in the clear in the US as well. Public broadcasting licenses require the broadcasts to actually be public. For example you can broadcasts personal chat on CB frequencies, but a TV station cannot use its frequencies to transmit the station owner's chat to his buddies.
That is why the TV and movie studios have been pushing in the US for a "broadcasts flag"... un-encrypted video and audio along with a bit that says "don't copy me", and they want the FCC to impose an administrative regulation mandating that all digital TV receivers must implement DRM systems to obey that "do not copy" message.
They'd much rather get some an FCC administrative regulation than try to stand up in public before congress asking for a law to do that. There's already a law giving the FCC fairly general authority to administratively regulate transmitting equipment. Unfortunately for them (snicker), a court has already ruled that regulations on receiving equipment do not fall within the existing law giving the FCC power to regulate transmissions. Awwww, that's such a shame.
Slashdot Mirror
Oh god.... Nooooooooo!!!!!!!! You're making sense out of that painfully stupid Star Wars explanation for the Force!
Midichlorians are evolutionary decedents of the malaria parasite, and Jedis simply have the worst cases of malaria.
Pardon me while I go stab myself in the eye with a pencil.
-
Screw the Roomba - I say mount it on a patrolling mini-blimp.
-
Ok, my bad. I know do TPMs and I don't know ammunition. It was a lousy analogy trying to make a valid point.
-
TPM is designed to detect changes to specific protected operating system files so that the owner knows that they haven't been tampered with. SuperDRM spy reports? :-O That's some might fine tinfoil you have there...
How well do you understand the Remote Attestation system? If you have any doubts about what I said I will gladly explain it to you, and cite the documentation to back it up if you like. I just need some clue how much of it you already understand and how technical (or non-technical) you want the explanation to be. I am a programmer and I have studied the entire 332 page technical specification for the TPM chip, and studied all of the other technical info I've been able to find. I have have an extensive and very technical understanding of the chip and how it operates with software, and I have a less detailed picture of the Trusted Computing infrastructure they are building around the chip.
Yes, the TPM is capable of telling the owner whether anything has been tampered with. But saying that is like saying telephones are an in-home intercom. Yes, two phones on the same line in you home do act like an intercom, but that wildly misses the designed functionality of telephones.
Remote Attestation is designed to be able to securely report to ANYONE exactly what is BIOS/Bootloader/OperatingSystem/other-software is running your computer. And when I say "securely report" what is on your computer, I mean that this report is specifically designed to be secure against the owner. You can control whether your computer answers requests for this Remote Attestation report, but you the owner are unable to control or alter the contents of this report. The TPM will not permit you to alter the contents of the report, and the TPM cryptographically signs the report it sends. An unsigned Attestation is invalid, and any attempt to modify the TPM's signed attestation invalidates it.
So when I called it a "SuperDRM spy report" perhaps I was overly casual and colorful with the language, but it was essentially correct. The TPM is designed to keep a secure log of your system - and this log is specifically kept secure against "tampering" by the owner, and the contents of this log are specifically intended to be sent REMOTELY - meaning to other people over the internet a and again the TPM cyrptographically secures this report against "tampering" by the computer owner. It's all logged and secured in a "Super DRM secure against the owner" manner, and it's the chips "spy" log of what it has watched on your computer You can look at it to verify that your system files haven't been tampered with, but it also enables other people to check that your system hasn't been "tampered with", and that specifically includes verifying that YOU have not "tampered" with anything.
And after validating what BIOS you have and that you haven't tampered with it, and after validating what operating system you have and that you haven't tampered with that, and after validating exactly what program you are running and that you haven't tampered with that, the chip enables that validated program to securely add anything and everything it wants as additional information in that Remote Attestation.
It's easiest to illustrate it with a DRM example, because that is precisely what it is tailored to. Say you want to watch Hollywood movies on your computer. You connect over the internet to the MPAA's movie servers. They ask for a Remote Attestation. They examine that Attestation to verify that you have an approved BIOS and that you haven't tampered with it, and that you have an approved operating system and that you haven't tampered with it, and that you have an approved video card and approved video drivers and that you haven't tampered with them. (And of course all along the way "approved" means software that won't violate their DRM.) And then the verify what program you are running right now - they check that you are running their own DRM-enforcing video player. And of course Remote Attestation is validating that
TPM can be used for good or for ill. It's a tool. Tools are amoral.
In a narrow sense that is literally true, objects themselves are amoral. However there is a hell of a lot more context here than merely saying object X exists. Human acts and intentions are not amoral. The act of designing a new tool can be done for purpose and with an intent. The statements made about that tool can be honest or dishonest, for a purpose and with an intent.
Lets take for granted that bullets are a neutral tool, and even further state that teflon coated bullets are neutral. However anyone claiming teflon coated bullets were designed and intended for deer hunting is obviously lying. You don't need teflon on a bullet to hunt deer. The act of designing and building teflon coated bullets was done with a purpose and intent. The purpose and intent in the acts of designing and building those bullets is to pierce kevlar and similar protective vests. And I will even declare that that in itself is morally neutral, as the further intent can be for killing cops or killing Nazi soldiers. My two points here are (1) the design of a tool itself can patently reveal that least some of the purpose and intent of the designer which may bear some moral significance and (2) it can bear some moral significance when someone to patently lie that teflon bullets were designed for deer hunting.
And if I may stretch this analogy beyond the breaking point, it can bear moral significance if someone were to act coercively to force people to buy teflon bullets, and it may bear moral significance when someone acts to prohibit people from buying and selling non-teflon bullets.
Now to drop the broken analogy, anyone claiming TPMs were not designed to DRM-lock computers against their owners, they are at best badly misinformed and at worst outright lying. Saying TPMs were designed for pro-owner computer security is as false as saying teflon bullets were designed for deer hunting. The TPM technical specification explicitly treats owners as the enemy - it explicitly refers to so-called "rogue owners" owners and mandates that the TPM be designed against the interests of the owner. The overriding design criteria of the TPM is to forbid the owner himself from knowing or using his own master TPM keys, it endlessly mandates all of the things the owner is forbidden to do. The overarching design criteria is to lock the chip (and associated computer) against the the owner.
The TPM is designed to be secure against the owner. This is teflon. You don't need teflon to hunt deer, and anyone trying to defend teflon bullets by referring to deer hunting is at best badly misinformed and at worst outright lying.
People can debate the positive or negative moral value of trying to turn computers into UberDRM machines massively locked down against the owner (I certainly have strong opinions on that), but it is ill informed or an outright lying for anyone to deny that that was the intent and purpose in the act of designing the chips, that it was the intent and purpose in manufacturing the chips, that it is the intent and purpose of certain corporations using coercive methods to deploy this plan, and tat it is the intent and purpose in prohibiting anyone from buying or selling compatible chips where the owner *is* in control or does know his own chip's master key.
Objects themselves are amoral, however it is excessively pedantic and linguistically awkward to divorce the object from the context of actions and intentions intimately related to that object.
A virus is inherently an amoral object. If virus that was designed to be distributed by hospital injections and safely provoke a human immunity, one can refer to that act of distribution as a good thing, or even casually refer to the virus itself as good. If a virus was designed for airborne distribution in perfume and to provoke lethal smallpox, one can refer to that act of distribution as a bad thing, or even casually refer to the virus itself as bad.
The TPM is a poison apple, and
You were right the first time. I'm a programmer and I've studied the 332 page TCPA Main TCG Architecture v1_1b.pdf design specification. It explicitly refers to the owner as an attacker and it specifically mandates the chip to be secure against the owner himself. And yes, in simple terms it is designed to provide insane DRM-type lockdown for computers.
One of the big TPM public relations lines is how it's all "opt-in" and "you're in control". As in opt-in handcuffs. As in new software that refuses to run unless you "opt-in" and "voluntarily" choose to put on handcuffs. As in files that you can't open unless you voluntarily "opt-in" to handcuffs. As in websites that you can't view unless you "opt-in". And best of all they've come up with something they call Trusted Network Connect (TNC). It enables your ISP to preform a "health check" to ensure your computer is patched and up to date and not infected with any viruses or anything. Of course, it can't preform that "health check" unless you have a Trust Chip in your computer. And of course it can't do that "health check" you "opt-in". And of course if you fail the TNC "health check", or if you decline to voluntarily "opt-in" to the TPM system, or if you don't have a TPM chip, or if you don't have the EXACT approved operating system, or if you're not running the EXACT mandated software, well in that case the ISP can't validate that your computer is not infected.... can't validate that your computer is not a threat to infecting other computers on their network... they can't validate that your computer is complying with whatever terms of service the ISP wants to make up for your computer.... if you can't or won't opt-in and pass the TNC "health check" then your network connection is denied.
No ISPs are using TNC today, and they aren't deploying it tomorrow, but yeah that is exactly what it is designed to do. In time, if this Trusted Computing crap is successfully deployed, then yeah eventually you may be denied internet access unless you voluntarily "opt-in" to Trusted handcuffs.
One of the primary functions of the TPM is to act as a spy inside your computer, logging your exact hardware and exactly what software you run and more, and sending that cryptographically certified spy report out over the internet. It's called Remote Attestation. That's how Trusted Network Connect works so that an ISP can check that you're not infected with a virus or something. The ISP asks the TPM for the spy report and they check that you're running an approved unmodified operating system and approved unmodified software.
Another chip function is called Sealed Storage. In simple terms that means SuperDRM files. Sealed storage means your files on your computer are encrypted, that you cannot read or modify your own data. The chip refuses to open Sealed files except with specific approved software - in other words the files can't only be opened with the specific unmodified approved DRM software.
Another fun point is that the TPM effectively destroys much of your data if you alter your "security settings". You "voluntarily" "opt-in" to some insane anti-owner "security settings", and then your data vanishes if you alter the security settings. See? You're in complete control! You can set any security settings you want, and you can change them at will, but NOTHING WORKS unless you send an internet Remote Attestation proving you've opted-in to Evil(tm) settings, and your files vanish if you change your security settings non-Evil(tm).
And this Slashdot story is about someone ripping open one of these chips to directly read it. Each chip has a unique master key locked inside (actually more than one, but that doesn't matter). It's basically your master key controlling all if the security on your computer. If you can read out this key then you gain full control of your computer. You can open the locked files, you can control the spy reports, you can run whatever software you want, you can use the master key to modify your security settings at will. With the master k
That's like denying the purpose of teflon coated bullets is penetrating kevlar vests.
It would be ludicrous in the extreme for someone to say teflon coated bullets are for deer hunting.
The primary design criteria for TPMs is to secure computers against their owners. The TPM technical specification explicitly refers to the owner as an attacker and mandates "security" against "attacks" from the owner. The overriding design criteria throughout the specification is denying the owner access to his own master key, the Private Endorsement Key.
Let's go over you denial, point by point:
Um, no. TPMs are designed for three things: 1) establish a hardware root of trust for boot (i.e., make sure that you're actually booting your OS and not a rootkit first)
The mere knowledge of my key does not alter my computer's function. The mere fact that I know my key does not not diminish my computer's capability to "establish a hardware root of trust for boot (i.e., make sure that you're actually booting your OS and not a rootkit first)".
The sole purpose of forbidding the owner to know his own master key is to attempt to secure the computer against the owner, to establish a "hardware root of trust" against the owner.
2) provide lightweight, secure and fast cryptographic operations
Lets break that into three pieces.
Lightweight.
Yes. And not merely lightweight, the design criteria is explicitly for TPMs to be dirt cheap so they can be included at negligible cost in all computers and other consumer electronics at negligible cost, included by default. And in accordance with that cost criteria they are deliberately designed to have minimalistic power and capabilities. Which directly leads into the next point:
fast cryptographic operations
Absolutely NOT! It is completely laughable when people try to justify TPMs as any sort of "cryptographic co-processor". The "lightweight" design constraints for these chips are such that a a single cryptographic operation is permitted to take a half second or more. Preforming cryptographic operations on a PC's main CPU will typically be a hundred times faster than using a Trust chip to do it.
secure
Yeah, "secure". As I said the specification explicitly mandates the chip be secure against the owner.
A normal bullet does not require a teflon coating, and normal security does not require securing the chip against the owner.
(so you don't have to do something stupid like store a cryptographic key in plaintext on your HD)
You're citing deer hunting.
When we're talking about "what teflon coated bullets are for", and you answer "deer hunting", I don't know whether you're insulting my intelligence or if you just don't get it, or what's going on. You are NOT going to find teflon on a bullet if it were actually intended and designed for deer hunting. You do not need teflon to hunt deer, and you don't need to secure a computer against the owner for "so you don't have to do something stupid like store a cryptographic key in plaintext on your HD". A normal pro-owner chip can do that. An owner can know his master key, and you can do that.
3) allow remote attestation of a computer's software stack (i.e., verifying the integrity of the OS and other pieces of software...very useful for distributed systems).
Again, the mere knowledge of my key does not diminish my computer's ability to give me remote attestation verifying the integrity of the OS and other pieces of software.
And again, the purpose of this chip, the design criteria and the design purpose and the primary function of TPM remote attestation is to verify the "integrity" of the computer against the owner.
ANTI-OWNER "security" is not security.
there are applications of TPMs for DRM, but that is a side effect and not a primary factor.
That's exactly backwards. The central design criteria of the TPM specification is that the owner if forbidden to know or co
>The purpose of this key is that it should be kept secret and never realized off the chip, not to software, not to any other board component."
Without that key how do those other pieces of hardware know they're in the proper system? C'mon, there's a basic request/response mechanism that HAS to happen along the line somewhere for identification and verification.
Is called Public Key Crypto systems. In normal old-style crypto you have a secret key or password to encrypt something, and then you need the same secret key to decrypt it. This uses a different kind of crypto that creates special key-pairs. You use one key to encrypt or sign something, and you use a different key to decrypt it or validate a crypto-signature. This means that you can can make one of the keys completely public, only needing to keep the other half of the key-pair secret.
The Trusted Platform Module is specifically designed to secure the computer against the owner. The technical specification for the chip explicitly refers to the owner as the enemy, as a potential "attacker".
The way the chip works is that the manufacture generates these sorts of key-pairs, one half is the public half. The chip freely hands over that public half to the owner or anyone else. You can literally publish that public key on the front page of the New York Times. The other half of the key-pair is the private key, and the chip is explicitly forbidden to ever know or control the private key locked inside the chip. The way the chip works is very complicated with multiple layers of 3encryption, but I will will simplify it down as if it were a single layer. What happens is that the public key is given out to other people and they can encrypt stuff with that key, then they can send you the encrypted data and YOU can't read it or alter it because your private key is locked inside the chip. This encrypted data is then handed to the Trust chip which uses the secret private key to decrypt it, inside the chip, explicitly to deny you access or control over your own computer. The point of this is so that other people can send keys or files or other data to your computer while denying you the ability to see or alter any of it. It's like SuperDRM communication so other people can talk to your computer, specifically to be secure against you the owner. Note that one of typical secret messages they send into the chip is additional crypto keys, so that the chip can use those new keys to encrypt OUTGOING messages from your computer, specifically to prevent you from knowing what messages are being sent out of your computer, specifically to prevent you from altering the data being sent out of your computer, specifically to prevent you from controlling the data being sent out to other people.
The Trust chip also uses the secret key to encrypt files saved on your hard drive, so that you cannot read or modify your own files. The technical term for this is "Sealed" data. You cannot read or modify sealed files. The Trust chip refuses to decrypt Sealed files, except for specifically approved unmodified software. So these are like SuperDRM files and they cannot be read except by specifically approved SuperDRM software. Again the entire point is to secure the computer against the owner.
One of the primary functions of the chip is something called "Remote Attestation". The Trust chip acts as a spy, logging your hardware and precisely tracking the software you run on your computer and various data on your computer. The Trust chip uses the secret key to cryptographically sign this spy report so it can be sent out over the internet. Other people can then use the public half of the key to validate this spy report. And again the entire point of this is to secure the computer against the owner - to be able to send out secure SuperDRM spy reports from your computer while preventing you, the owner, from having any ability to modify or otherwise control these Trust spy reports. The point of the public key is for other people to be able to be able
I am Cyber Warrior. I was once likely to be eaten by a grue.
-
It's not a problem. You can now post replies without reading TFS either.
-
we deflected a civilization-ending asteroid lobbed at us by space aliens
You really shouldn't have bothered.
We're just going to use a much bigger asteroid next time.
-
From your other post: why is any expression of scepticism on any scientific issue automatically associated with intelligent design?
For me, and probably almost all of the people you are referring to, Intelligent Design is absolutely NOT associated with scientific skepticism. In fact that is the very point - Intelligent Design is the icon for NOT-scientific-skepticism masquerading as skepticism. It is the icon of mindless-denialism and persecution-complex-conspiracy-theoryism trying to claim legitimacy for itself under a charade of Reasonable Skepticism.
Speaking for myself, I consider scientific skepticism to be vitally important. I hold it is such high regard that I am deeply offended when I see the ghosts-and-goblins-brigade attacking it and undermining it and threatening to destroy it by falsely labeling mindless dogmatic denialism as Reasoned and Reasonable Skepticism, when I see them trying to sell blatant crackpottery as if it were Reasoned and Reasonable Skepticism, when I see them trying to sell paranoia and persecution complexes and conspiracy theories as if they were Reasoned and Reasonable Skepticism.
I absolutely agree that the scientific process relies upon people and that people are often very fallible. I absolutely agree that the scientific process as-implemented-by-people is imperfect. I absolutely agree that the scientific community is imperfect. But given a little time the scientific process is pretty dang good at getting past individual human errors and latching on to any valid and useful results.
The original post in this case has said in part "high-quality research of others basically shut out by the peer review process". If you submit "high-quality research" for peer review, yes it is entirely plausible that the reviewer was wrong. It's possible that the reviewer didn't understand it, or that the reviewer might have been too stuck in the mindset of prior-science, or maybe he had some financial or ideological bias. And if you submit it somewhere else for peer review, and it is rejected a second time, yes maybe you deserve the benefit of the doubt that maybe it was improperly rejected twice.
But that is not what we are talking about here. The poster was ranting about things being SHUT OUT by peer review. When someone submits their paper to four and five and more INDEPENDENT expert scientific reviews, that is kinda a hint that it is time to consider that the error might just be the paper. It's time to consider that maybe... just maybe... it actually isn't "high-quality research". It's time to consider that maybe.... just maybe... that it is the author of the paper who might have made an error, the author of the paper who might be ideological, the author of the paper who might be biased, the author of the paper who might be an outright crackpot.
The poster was implying that valid science was being systematically suppressed by the peer review process.
Maaaaaybe it's just the way I read it, but it did not sound to me like an "expression of scientific skepticism". It sounded to me like an unreasonable and unreasoning person with an ax to grind because his ideological bogoscience cause is systematically refuted and rejected when subjected to scientific scrutiny. By far the number one ideological cause whining about peer review rejection is Intelligent Design and the rest of the evolution denialists. The number two cause is by far the Global Warming denialists. After that it becomes an ocean of countless small causes such as the paranormalists, the Ghosts and Goblins Brigade.
Yes but my point is that there's no link between the scepticism most scientists and a lot of laymen are capable of (including the public at large) and belief in intelligent design.
Agreed.
That is exactly the point.
Mentioning Intelligent Design is meant as a way of saying "I do not think that is Reasonable Rational Scientific Skepticism".
ID is always wheeled out whenever anyone subjects a scientific hypothesis to criticism on a public forum.
Probably Intelligent Design, with a minor in the Global Warming Hoax.
-
just want the same respect you'd give any man on this forum.
This is the internet. Any sentence not containing the word gayfagdouchewad is about the epitome of respect, regardless of your gender.
-
even just the per-use cost of a RealDoll is probably lower
Maybe, but then you have to clean up the RealDoll after each use. Prostitutes are self-cleaning.
I guess I could raise the option of hiring a maid for washing the RealDoll, but then this whole discussion might start to get a little weird.
-
Um...does this post make me a sex toy nazi?
Um, I dunno. Are you now a 12 inch tall vibrating Hitler?
Waitaminute... I suddenly sense an extremely profitable business opportunity!
-
So you build male/female pairs of robots with wifi and an ssh tunnel connecting them.
Gives new meaning to the MITM attack.
-
Oh god, I actually hear her voice just reading your post.
Boxxy is a serious love-her-or-hate-her internet phenomena. If there were Boxxy bots, half of them would be fucked raw by drooling Boxxy fans and the other half would be beaten into Itty Bitty Boxxy Bits by irate Boxxy haters.
For those who have not yet met Boxxy, here are her three videos:
FOAR 4DD1 FRUM BOXXY
FOAR ANT FRUM BOXXY
FOAR EVERYWUN FRUM BOXXY
And in my opinion the most hysterical Boxxy remix:
Boxxy Not Talking
P.S.
I LUV YOU SLASHDOT! <3 (Finger heart!)
-
As a mathematician and programmer... it's not nearly as frightening as it first appears, looking in from the outside. Challenge yourself, and you will be rewarded.
I'm a math geek and a programing geek. I sympathize with your "Challenge yourself, and you will be rewarded" comment, but not everyone is mathematically inclined. While I certainly encourage people to take more math, not everyone will be rewarded for struggling with fields outside their talents. One can be a talented programmer without being advanced-mathematically inclined.
My first post was well received and your post inspired additional thoughts, so I will go over some of the areas I agree or disagree.
To be clear, my standard for what a programmer should study will be based on two points. First I will consider a figurative "90% of programmers at Microsoft", what they need to know and what they actually use. Second, I distinguish between things you need to understand, and things you can look up in a book and blindly copy-paste into a program.
Graph theory is really useful for manipulating problems when you have a set of object and various "connections" or "relations" between them.
A lot in programming is involves graph theory. A lot of data comes down to things with connections or some sort of relationships. If your data is list of people and who is friends with who, that is a classic graph. Many basic data structures are explicitly graphs, like linked lists and binary trees. All programmers deal with graph theory even if they don't realize it. Of course, those who don't realize that is what they are doing, and haven't studied it, might be doing it poorly. This s definitely on the important list.
Then there's Linear Algebra... 'matrix' or 'vector'
I struggle with classifying this. It is absolutely fundamental to a lot of graphics and I personally place a big connection between programming and that sort of thing, enjoy that stuff. But 90% of Microsoft programmers probably never touch that sort of thing. And if you are merely using a good graphics library and you only do basic stuff with it, then you may never need to see or touch or understand that sort of math. Outside of graphics, I have this nagging feeling that knowing that stuff is good and useful. However it may just be because that's how I think about things and that's the sort of mathematical software I like to do. It feels important to me, but I find it hard to rationally back up why a typical non-mathematical programmer needs it. Maybe it's just my pro-mathematical bias, but this is an area I advocate.
Calculus is relevant to programming in two different ways... tools as the Fourier series, which is what mp3s are based on, and ... big-O runtimes of different algorithms.
Here I have to strongly disagree. Virtually all programmers can get by without calculus.
No programmer in his right mind should be meddling in MP3/JPEG/MPEG calculations, not unless he is specifically a mathematician-and-programmer specifically doing research work. Not only can that math be copy-pasted without understanding it, it is absolutely vital that it must be copy-pasted unaltered.
Big-O runtime is indeed important and should be covered in the very first algorithms course, but you don't need to know calculus for it. You can learn all you need to learn and do all you need to do about Big-O even if you are 90% incompetent at algebra. All you need to do is be able to follow the size of the largest exponent while throwing everything else away. There is one thing calculus teaches for Big-O, and I can trivially say it here. If you don't know the Big-O for an algorithm, but you can figure out the "Big-O" size of describing the amount of work you do when increasing n by one, just add increase that exponent by one and you have the Big-O for the algorithm. If it takes 100 unit of work to go from n=100 to n=101, and 1000 unites of work to go from n=1000 to n=1001, then your "single step Big-O" is BigO(
This This is a gross simplification, but there are sort of two kinds of math. There's logic math, and there's numbers math. It sounds like the the two courses roughly divide according to this line. When most people hear math they generally think of numbers math.
If you are a programmer then you do already love the first kind of math, and it does love you back. It's the second kind of math, the ugly numbers math, that scares you.
Math is not merely "important in programming", programming literally is a specialized form of math. Most people don't realize programming is math because because people think of "numbers math" when they hear the word math. Everything software is and everything software does is "logic math". The math of manipulating complex information, the math of manipulating complex logic relationships.
The math of manipulating data.
'Discreet structures with graph theory' (discrete math; proofs, sets, algorithms and graphs)
Programming extensively uses sets, discrete math, and graphs to organize data, to understand data, to manipulate data. A program is literally nothing more than one big algorithm built up out of several smaller algorithms. And in a deep sense, programs and proofs are the exact same thing. There is a math proof that every program can be directly translated into a proof, and every proof can be translated into a program. They are fundamentally identical things with identical logic and identical properties. Reading proofs and writing proofs uses the same precise step-wise logical analysis as reading and writing software.
This course is the math that is the very essence of programming. It's the sort of math and logic that you already you already use every day as a programmer without realizing that it is math - the sort of math you *will* use every day in the future as a programmer. The insights and logic skills in this course will directly advance your every day skills and capabilities as a programmer.
'Selected math chapters' (math analysis; vectors, euclidean space, differentials)
There are things that can be useful *in* a program, but they are not really useful *to* programming. For example if you want to handle or simulate physics-systems, falling rotating moving objects, manipulating 3D objects and graphics, then vectors acre extremely important, along with good intuitive spacial skills. The math analysis and differentials are generally even more rare and specialized. Computers are fantastic at handling that sort of stuff, and sometimes you really need an advanced math-programmer to do literal "rocket science" aerodynamics and orbital mechanics, but most programmers will never need to touch the stuff. You don't need scary-math analysis or differential equations to program an operating system or a webserver or any normal business application.
If you're not doing that sort of sciency-math programming, then you'll never use that stuff. If you're not working on that stuff but you do come across a case where you need to pull in a small piece of that stuff, you can usually just copy-patse in the ugly equation you need even if you don't have any grasp of the math behind it.
The biggest issue there is if you want to do 3D graphics manipulations. A lot of those math equations can be copy-pasted in semi-blindly, but you will seriously choke on that sort of work unless you are good with vectors and have a good intuitive spacial skills.
So in short you definitely want to take the 'Discreet structures with graph theory' course. It will make you a better programmer. The other course merely allows you to specialize as a mathy-sciency-programmer. Take both if you're up for it, but that sort of mathematical programming is not everyone's cup of tea. You can get by fine without it.
one assistant told me that it would be more useful for a programmer compared to the first subject. Then again, he's not a programmer.
Exactly - he's not a programmer.
He sees the course expanding your ability to write programs
That is correct, but I consciously left that technical complexity out of the simplified explanation. It doesn't fundamentally change the point I was explaining. What they should be doing is storing a key-length random garbage on the hardware, hashing or encrypting that random garbage with your password to generate a key, using that key to encrypt the data, and never storing that key anywhere. That way the key itself is properly random, and more importantly the key is not stored on the device. Then you can't decrypt the data without the password.
Instead they store the naked key along with your data - which for all practical purposes is the same as not encrypting the data at all. Never never NEVER store the actual key along with the data. The ONLY time you ever need to do that is with DRM. And the fact that DRM requires you to store the key with the data just comes back to the point NEVER store the key along with the data. There is no actual encryption if you're storing the key along with the data. DRM fails exactly because it doesn't (and can't) use any actual encryption.
this type of device would be significantly more secure if the password verification to access the key happened on the USB hardware
There is some security value in that sort of hardware, but no real encryption security. You could just use that hardware password verification to access stored plain data. Beating hardware to access a stored key is no more difficult than beating hardware to read naked data. If the key is in there with the data then the data is effectively not encrypted at all.
For most purposes here it doesn't matter if things are done in the hardware or in software. The important thing is that the key is never stored in the hardware or software. You store a random value and use the password plus random value to generate the key.
-
In the former, all a person has to do is get my password because there is (essentially) a map of how to put together the encrypted data to be read
They do not need to get your password.
With your jigsaw puzzle analogy, either the puzzles are jumbled the same way
Either the there's one set of public instructions to descramble the puzzle, or the instructions to descramble the puzzle are printed inside the box.
The hardware is that box with the jigsaw puzzle. Anyone can plug one of these devices into their computer, and they can either use the public instructions or use the instructions printed in the box. They do not need to your password.
Along with the hardware they gave you some software. That software is programmed to ask for your password before talking to the hardware, but that doesn't matter. You don't need to use their software, or you can modify it. The box itself has no actual protection. You just can tell the computer to talk to the storage device and directly tell it to hand over the descrambled data.
-
Note that they approve the module and not the access software. The flaw is in the access software.
As a programmer and hardware geek with a passing familiarity with crypto. It is quite clear what this device is doing (and what it is not doing). In fact the design issue here is so fundamental and blatant that I hesitate to even call it a "flaw". The hardware does not actually offer any crypto security at all, none.
The hardware is doing one of two things, although I don't have enough information to be sure which of the two.
The less likely possibility is that all of these modules are encrypted with the exact same key. To use the standard car analogy, it's like a manufacture advertising that their cars use super-secure AES locks on their cars (and yes AES locks are insanely uncrackable locks) but they manufacture all the cars to use the same key. The software us written not to sick that key in the car unless you enter your password, but that is not a software flaw - the is hardware designed to open for anyone who sicks in that public key. It is flagrant deception to advertise these cars as being "protected by super locks". Yeah, the superlock is technically present but it is effectively unused. Anyone can stick in the blank key and drive off with your car and your data.
The second and much more likely possibility is that each car lock really does use different random keys, but the hardware actually keeps a copy of that key mounted inside the lock, and the car merely has a button on the outside of the door to rotate that key in the lock. Again the software may be written not to press that hardware button unless you enter your password, but again it is not a software flaw. The hardware flaw is that it stores the key duct-taped to your data, and to make matters worse the hardware has a public button to automatically use that key to unlock your data for anyone. Again, the "superlock" is technically present, but again it is effectively unused.
Either way, the hardware is designed to open for (1) anyone with a blank key or (2) anyone without any key at all.
Tossing unused solar panels in the trunk of a car does not make it a solar powered car. That's not a "flaw", and it is completely false to advertise it as a solar powered car.
This hardware is advertised as superduper AES data encryption, but the hardware does not actually bother to use your password to encrypt the data.
-
Firstly, I'll admit I misinterpreted your position. Some of what you said in your posts sounded to me like comments and arguments I've heard before from crusading religious types., people who take their holy scripture as the ultimate definition of morality, and who explicitly or implicitly declare atheists to be inherently immoral and evil.
It's interesting that you'd bring up the golden rule there - do unto others etc, especially as it has a very religious undertone and was mainly fleshed out by Kant, a Christian.
Kant? Christianity? Mere copycats reinventing the wheel :D
We can go back at least to 500 B.C. with one of Confucius's student's asking "Is there any one word that could guide a person throughout life?" and Confucius repling "How about 'shu' [reciprocity]: never impose on others what you would not choose for yourself?". The Golden rule may be phrased as 'do unto others' to Confucius's 'do not do unto others', but they are clearly mirror image forms of the identical principle.
Just because religions are mythology does not mean they cannot also teach truths and wisdom. In fact I wish Christians would actually pay more attention to studying and following the teachings of Christ. Christ was great and insightful moral teacher, and he said a lot true and valuable things. A true and valuable teachings remain true and valuable teachings, even if the teacher can't walk on water and even if he isn't resurrected from the dead.
Essentially all religions from Native American polytheism to Christianity agree on the fundamental points of morality, and where religions agree on morality that morality is effectively identical to morality as defined by atheists. Some people insist that morality is defined by God and uniquely revealed in their favorite scripture, but the principles and understanding of morality long predate any existing religion. Moral understanding and teaching was independently incorporated into each religion. Where religions conflict on morality its is non-moral cruft that got rilled into one religion or the other. Several religions have a "Law From God" forbidding the eating or pork or other 'unclean' foods. Well those were actually valid useful rules - for example pork used to be infected with nasty parasites and eating pork caused nasty diseases. A useful privative society rule and teaching, which has nothing to do with God or morality. And lots of barbaric rules and teachings got rolled into the "moral code" of Christianity and Islam and other religions. The Old Testament Bible teachings on women are at times as bad as the most abhorrent modern radical Islamic treatment of women.
Religions can teach 2+2=4, and they can also teach 3+3=5. The only odd thing here is that you think it it unusual or notable that Christianity says something (the Golden rule) that is substantially equivalent to what I argued. Truth is truth, moral truth is moral truth, and I do not find it unusual that Christianity copied some of that truth into it's moral teachings. I do not find it unusual or an embarrassment when a major religion agrees with principals of my moral reasoning :)
I don't *want* to live in a world where there is no right or wrong
Right. Human nature, most people have empathy, most don't want to want to be cruel hurtful destructive fuckers, most people want to see themselves as good people. People do not need orders from the sky to know that some things are good or bad, right or wrong. People do not need to be afraid some invisible magic man is going to torture them, in order to be good people and do the right thing. It feels better and it's rational and it actually works better. Many immoral things offer short term rewards, but in society in the long run morality actually works better. There is no God dealing out Karma for every bad thing you do, but in a sense karma is correct. People who lie and cheat and steal will find themselves surrounded by people who lie and cheat and steal. Good people who g
Where is it written that the BBC isn't allowed to encrypt or restrict its broadcasts? Is that a law I'm unaware of?
Exactly. TV broadcasts are legally required to be in the clear in the US as well. Public broadcasting licenses require the broadcasts to actually be public. For example you can broadcasts personal chat on CB frequencies, but a TV station cannot use its frequencies to transmit the station owner's chat to his buddies.
That is why the TV and movie studios have been pushing in the US for a "broadcasts flag"... un-encrypted video and audio along with a bit that says "don't copy me", and they want the FCC to impose an administrative regulation mandating that all digital TV receivers must implement DRM systems to obey that "do not copy" message.
They'd much rather get some an FCC administrative regulation than try to stand up in public before congress asking for a law to do that. There's already a law giving the FCC fairly general authority to administratively regulate transmitting equipment. Unfortunately for them (snicker), a court has already ruled that regulations on receiving equipment do not fall within the existing law giving the FCC power to regulate transmissions. Awwww, that's such a shame.
-