Slashdot Mirror


User: JesseMcDonald

JesseMcDonald's activity in the archive.

Stories: 0
Comments: 3,955

Comments · 3,955

  1. Re:awesome on Space Cube – the World's Smallest Linux PC · Score: 1

    But good luck running Firefox in 128mb ram.

    Why would that be a problem? I have it running right now with six tabs open, and it's using just 64MB -- about four MB of which is the in-memory cache. This is 2.0.0.16; supposedly the upgrade is even more efficient. 128MB should be plenty for Firefox plus a minimal graphical environment. Alternatively, there are a number of other perfectly usable web browsers with even lower memory requirements: Epiphany, Konqueror, even Links2 (which has a graphical mode as well as text).

  2. Re:Term? on US Court Gives 15 Months' Jail, $415,900 Fine For Game Piracy · Score: 1

    First, there is some debate over whether the immoral act consists of "using other's [sic] property without permission" or depriving the owner of the use of his/her property.

    In the case of the code, they did deprive the owner of use of their property - they usurped the owner's control and profited from it.

    If copyright is treated as a property right, then the property itself is the code (or whatever) that the copyright covers. Your argument and copyright law are based on the first variant, that use without permission is immoral. If one accepts the second view, however, then the concept of copyright is meaningless, because one cannot actually deprive the "owner" of anything copyright would cover.

    I also find some of those that make that argument hypocritical as they gladly take others' code but scream with indignation if someone even hints of doing so with GPL'd code.

    I would likewise find that hypocritical, which is why all my work is in the public domain.

    People have certain inherent (some may say inalienable) rights that cannot be taken away; unlike inanimate objects.

    That is your subjective, moral opinion. The fact that you feel that your moral views on slavery take precedence over the legal definition of property for the purpose of determining whether freeing them is, in fact, theft -- morally -- proves my point.

    BTW - sic is properly used to avoid confusion when quoting passages so the reader does not think you made the spelling or grammatical error.

    That is exactly how I used it. The errors were, in order: (a) spelling; (b) missing comma; (c) sentence fragment; (d) singular possessive used in place of plural.

  3. Re:Excellent!! on Browser Extension Defeats Internet Eavesdropping · Score: 1

    You are attempting to argue that TLS/SSL is useless unless it can provide absolute security. You are demanding the impossible. In the real world there is value in reducing uncertainty and risk even if they cannot be completely eliminated. The use of CAs reduces uncertainty compared to the same communication without them. For most people, under most circumstances, this is sufficient; the benefit gained from the communication outweighs the remaining risk. This is not a false sense of security; it is a realistic sense of security. You are demanding an unrealistic degree of security which no system can provide, online or offline. That is your prerogative, but it does not represent a fault in the TLS/SSL protocol or in the choices others make to trust it based on their own preferences and risk tolerance.

  4. Re:Excellent!! on Browser Extension Defeats Internet Eavesdropping · Score: 1

    Who exactly do you think is worthy of that trust?

    Absolutely? No one. Good enough, most of the time? All of the ordinary certificate authorities.

    This isn't some abstract possibility we're talking about.

    It also isn't the massive breach you're trying to present it as. The fact is that a limited number of certificates were issued with names similar (but not exactly equal) to the names of well-known corporations due to insufficient validation by Verisign. This had no effect on the certification of the vast majority of web sites, and revocation procedures were already in place to deal with it.

    The user doesn't know if their data is safe, and the fact is TLS doesn't make any guarantees that the data is safe.

    TLS isn't designed to make such a guarantee. It's only designed to make it much more difficult to pass oneself off as a trusted organization, or to intercept the data in transit, and it carries out these functions quite well. Paranoid individuals such as yourself can feel free not to trust it, despite the minimal risk, and deny yourselves the benefit of reasonably-secure, reasonably-authenticated online communication.

    The risk that the other party may not adequately protect the information once received is not specific to TLS/SSL. It applies whenever you give someone else data you would prefer to be kept private, online or offline.

    Just out of curiosity, do you do the same thing offline? Do you insist on personally running FBI criminal background checks on your bank teller, for example? Or your broker? Or your employer's payroll department? Do you require proof of identity from the cashiers at your local grocery store? These individuals deal with sensitive information all the time, but you inevitably trust a third party to ensure the security of your personal data in these instances. An online transaction with TLS/SSL is far more secure from eavesdropping, and permits much more limited human access to your data. The risk that the system may fail you in any given circumstance is almost always much less than the benefit gained from trusting it. Unless your situation is very unusual -- or your risk tolerance absurdly low -- it makes sense to trust TLS for authentication rather than go without.

  5. Re:Excellent!! on Browser Extension Defeats Internet Eavesdropping · Score: 2, Insightful

    I'm not trying to say that a CA-signed certificate is an absolute guarantee of identity. If you can actually trust the certification authority, and everyone follows all the rules and keeps their private keys secure, and the private keys aren't broken by brute force or cryptanalysis, then the authentication will be valid. These conditions are implied in any security arrangement, and pointing out that they may not hold in any given implementation adds nothing useful to the discussion. Everyone is already quite well aware of that fact.

    You aren't going to find absolute security anywhere. There is always the possibility that someone, somewhere, may fail to uphold their part of the protocol. TLS/SSL is still a significant improvement over systems without certificates or CAs, which would be insecure even if perfectly implemented.

    P.S. A certificate signed by the actual CA is not a forgery. If such a certificate is false it merely means that particular CA cannot be absolutely trusted.

  6. Re:Excellent!! on Browser Extension Defeats Internet Eavesdropping · Score: 1

    It's not really incorrect. The client can optionally contact the CA for additional validation; this is typically done to determine if the certificate has been revoked since it was originally issued. The certificate itself still has to be signed by a trusted CA, as indicated by the second bullet point under the Security section:

    The client verifies that the issuing CA is on its list of trusted CAs.

  7. Re:Excellent!! on Browser Extension Defeats Internet Eavesdropping · Score: 2, Informative

    If someone is at the root "In The Middle" point, between a client and the WAN, they can forge the Certificate Authority transaction to represent their cert as valid, claiming to be whoever they want.

    There is no "Certificate Authority" transaction. The CA signature on the site certification is verified locally against a whitelist of CA public keys built into the web browser. The fact that anyone can create their own self-signed key for any domain is exactly why such keys do not establish identity, making MITM attacks possible. By contrast, CA-signed certificates can't be forged without first breaking (or otherwise acquiring) an established CA's signing key.

    A CA-signed certificate guarantees that your data can only be decrypted by the intended recipient. There's no way to tell whether a self-signed certificate belongs to the intended recipient or a MITM, which renders the encryption useless against a determined attacker.
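    The local trust check described in the comment above, as an added example (not code from the original comment or from any browser): a constructed root CA stands in for the browser's built-in list, one certificate for a hostname is issued by that root, and a second certificate for the same hostname is merely self-signed by a key the root never touched. Only the former chains to the local store; no CA is contacted at verification time. The hostname and CA name are constructed values.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// newKey makes a fresh P-256 key; the CA, the real site and the impostor each get their own.
func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// template describes either a root CA or a server certificate for cn (constructed test data).
func template(cn string, serial int64, isCA bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	if isCA {
		t.IsCA, t.BasicConstraintsValid = true, true
		t.KeyUsage |= x509.KeyUsageCertSign
	} else {
		t.DNSNames = []string{cn}
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	return t
}

// issue signs tmpl with signer's key; passing tmpl as its own parent yields a self-signed cert.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c
}

// trustedByLocalStore is the browser-side check: chain the leaf to a root already in the
// local store, for the host the user asked for. Nothing is sent to any CA.
func trustedByLocalStore(leaf *x509.Certificate, roots *x509.CertPool, host string) error {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}

// Scenario builds one trusted root, a root-issued cert for host, and an impostor's
// self-signed cert bearing the same name; it reports whether each passes the local check.
func Scenario(host string) (caIssuedOK, selfSignedOK bool) {
	caKey := newKey()
	caTmpl := template("Constructed Root CA", 1, true)
	root := issue(caTmpl, caTmpl, &caKey.PublicKey, caKey)
	roots := x509.NewCertPool()
	roots.AddCert(root)

	siteKey := newKey()
	site := issue(template(host, 2, false), root, &siteKey.PublicKey, caKey)

	impostorKey := newKey() // never sees caKey, so it can only self-sign
	impTmpl := template(host, 3, false)
	impostor := issue(impTmpl, impTmpl, &impostorKey.PublicKey, impostorKey)

	return trustedByLocalStore(site, roots, host) == nil,
		trustedByLocalStore(impostor, roots, host) == nil
}
```

    Scenario("www.example.com") returns (true, false): the root-issued certificate verifies, the self-signed one for the same name is rejected as coming from an unknown authority.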

  8. Re:Term? on US Court Gives 15 Months' Jail, $415,900 Fine For Game Piracy · Score: 1

    You cna [sic] disagree with the law, and think it needs to be changed (as I do) [sic] but as the law currently defines software programs as property [sic]. Property rights are pretty well viewed as important in our society, and using other's [sic] property without permission is generally not viewed as a moral act.

    First, there is some debate over whether the immoral act consists of "using other's [sic] property without permission" or depriving the owner of the use of his/her property. I would tend to side with the latter, and would moreover assert that it is impossible to avoid benefiting from (i.e. using) others' property whether you intend to or not; the simple fact that the property exists results in an external benefit.

    Second, morality relating to property depends on the moral definition of property, which is not necessarily the same as the legal definition. To pick an obvious example from our past, the fact that many jurisdictions legally defined slaves as property of their masters did not make it incontestably immoral to assist in their escape. Whether an individual actually considered it immoral or not depended on whether their subjective, moral view of property coincided with the legal definition.

  9. Re:death to GPL on Legal Group Releases Guide To GPL Compliance · Score: 1

    This is precisely what I am hoping would happen. That, once enough software and libraries are under GPL ..., then proprietary software companies would have no option other than to use GPL themselves ..., or, as is more likely to happen, they would lobby for abolition of copyright themselves, at least in software.

    That's not going to happen. No matter how many GPL libraries you write the proprietary software companies will just continue to write their own code in-house, or employ third-party libraries under more palatable licenses. It will never be more profitable for them to abolish copyright entirely rather than simply avoid the use of GPL software.

    The way I see it, the ultimate goal for a libertarian has to be the abolition of the copyright system itself ...

    You're right -- our goals are very different. My goal as a libertarian is to abolish the concept of "legitimate", systematic aggression entirely. Copyright is simply one example of such aggression out of many.

    In my opinion it would be futile to attempt to force the non-libertarian majority to follow libertarian principles; moreover, any such effort would eliminate -- at least in the view of the general populace -- the primary distinction between libertarians and non-libertarians, which is an absolute opposition to the initiation and/or escalation of coercion.

    If we are willing to turn to aggression to achieve our goals, why shouldn't others do the same? It's not just a matter of being a "purist"; I don't believe that the goal -- mine or yours -- can be achieved sustainably in the first place via unprincipled methods.

    For them, the ultimate goal is to be free of copyright themselves, not to free the world from copyright.

    The world will be free of copyright only when the vast majority of individuals believe that copyright is wrong and are willing to resist any attempt to enforce such claims on themselves or others. That state cannot be achieved by force, and it's exceedingly difficult to persuade someone that you consider copyright to be wrong when your methods are fully dependent on it.

  10. Re:death to GPL on Legal Group Releases Guide To GPL Compliance · Score: 1

    As I said, it comes down to the end justifying the means. Yours is one common view, but there is just as much support for the view that claiming copyright (as one must do to utilize "copyleft" licenses) is wrong regardless of the motivation, or that doing so undermines your ultimate goal.

    In my opinion, if one fails to stick to one's principles throughout the entire effort one runs a strong risk of becoming the enemy, and simply replacing one tyranny with another. I have seen this already where some have argued that all software should be required to be GPL, which goes rather beyond a simple lack of copyrights into forced distribution of source code. Personally I don't use the BSDL or GPL; everything I write for myself is in the public domain.

  11. Re:death to GPL on Legal Group Releases Guide To GPL Compliance · Score: 1

    I don't follow this. The late, great wireless driver controversy was specifically about a BSD-licensed driver being changed to GPL, and the consensus seems (I believe) to be that this is not permitted - only the copyright holder can change the license once under BSD.

    I'm not sure I agree with that consensus entirely, and I'm not a lawyer of any sort (which should be assumed -- this is the Internet after all), but there is at least one important distinction to be made: the driver wasn't significantly altered in any way, but rather just re-labeled as GPL. In other words, the license and authorship of the original work were being misrepresented. This isn't the same as if BSDL code had been incorporated into a GPL project (retaining all the relevant attribution and license notices), where the result is a mix of BSDL and GPL code, and following both licenses reduces to just following the GPL.

    One can't simply relicense BSDL code under more restrictive terms, but the BSDL places no restrictions on distributors beyond retaining the copyright notices and license of the original code; ergo, BSDL code can be incorporated into a larger codebase with an arbitrarily restrictive overall license. GPL code, by contrast, can only be incorporated into a codebase with a license no more restrictive than the GPL itself.

  12. Re:death to GPL on Legal Group Releases Guide To GPL Compliance · Score: 2, Insightful

    The problem is that copyright itself is contrary to libertarian principles.

    BSDL and similar licenses take minimal advantage of copyright themselves, but allow downstream developers to apply as strict a copyright policy as they wish to any derivative works.

    The GPL relies more on copyright for enforcement, but is designed to limit the ways in which downstream developers can apply more restrictive copyright and patent policies to GPL-derived works.

    Whether you prefer the BSDL or GPL mostly comes down to whether you believe the ends justify the means. The GPL comes much closer to achieving the ultimate goal of undermining copyright restrictions, but at the expense of relying on a means (copyright itself) that the more "public domain"-style advocates find unjustifiable.

  13. Re:Obligatory IANAL on Interview With MIT Subway Hacker Zack Anderson · Score: 4, Insightful

    Not saying I agree with stopping the presentation, but the right of free speech is really about petitioning the government over greivances [sic], not saying whatever you want.

    No, the right of free speech is about speech alone not being a crime for which one can be punished, or a source of harm for which one can be made liable. It's fairly obvious that freedom of speech is separate from the right to petition; just look at where the semicolons were placed. The amendment is addressing three different rights:

    1. Freedom of religion
    2. Freedom of speech, including speech via the press
    3. Freedom of assembly for the purpose of petitioning the government for redress

    You wouldn't try to argue that freedom of religion is all about petitioning the government for redress, would you? The segment describing freedom of religion relates to the right of assembly in exactly the same way as the segment about freedom of speech.

  14. Re:That's the point. on Firefox SSL-Certificate Debate Rages On · Score: 1

    The difference is that admins of the SSL site want their users to make sure that they are connecting to the correct server. It's the admin of the site who is requesting the browser to flag up any potential problem with the connection. If they didn't care, they wouldn't have used SSL in the first place.

    That may be what the protocol says, but it isn't necessarily what the site admin wants. Where is the option for encryption without authentication? The only way to get encryption is to use SSL, but using SSL forces you to authenticate whether you want to or not. Self-signed certificates were the answer to that, until this change reclassified them all as a threat to security.

  15. Re:Worth it. on Firefox SSL-Certificate Debate Rages On · Score: 1

    I think that was the whole point of this part:

    ... just don't bother to worry the user about it unless the cert is trustworthy according to the user spec.

    In other words, go ahead and encrypt the traffic, but don't do anything to suggest to the user that the site is "secure" unless there is a valid, authenticated certificate in place.

    Don't you see a small problem with that? Don't let the user know that the free wifi access point they're using for internet access is doing a man in the middle attack when they log in to their bank account with what they think is SSL?

    The thing is, the user doesn't have any reason to think they're using SSL. If there is no authentication the browser presents it as just another insecure site. The bank would still need a signed certificate to be labeled as secure. In the meantime other sites which don't care about authentication can use encrypted connections to avoid passive dragnet-style monitoring. The browser can also detect when the site's certificate changes.

  16. Re:Right... on Solar Cells — Made In a Pizza Oven · Score: 1

    Four: Keeping a big, greedy, monopolistic company (or patent troll) from patenting the design first, thus forcing everyone to pay.

    Not applicable; all you have to do to prevent that scenario is publish the design, not patent it. Any form of publication would serve as prior art.

  17. Re:Bah! on 'Slow' Light To Speed Up the Net · Score: 1

    I believe that experiment was related to quantum tunneling. Essentially the photons that made it to the sensor couldn't have gone through the block without being absorbed, but instead tunneled past it. They still traveled at the speed of light, but the distance they had to travel was decreased by the thickness of the block, resulting in a higher apparent speed.

  18. Re:An Immodest Proposal... on Let the Games Be Doped · Score: 1

    First, you're exaggerating by quite a bit. Hyperbole does not help your case. Second, the problem you describe is trivially solved by simply not allowing such individuals to trespass on private property. (Your streets and sidewalks are private property, right?) If the property owners choose to ignore the problem your complaint is with them, not the drug addicts.

    Finally, "getting hassled for change" is not harm, and the projected unpleasantness of your walk to work does not represent harm done to you, but rather to the property owners.

  19. Re:An Immodest Proposal... on Let the Games Be Doped · Score: 1

    If society has to pick up the pieces after these "grown" men fall apart, doesn't society deserve to have a say in what is or isn't good for the public health?

    If these individuals were forcing you to help then you could argue that their actions caused you harm, and thus justify coercing them into repaying you for your loss. There is still no justification for placing a prior constraint on their actions short of a direct and immediate threat of irreversible damage. However, you are not being forced. "Society" -- meaning anyone other than the individuals in question -- has no obligation to "pick up the pieces". Their actions are causing you no harm. If you do intervene that is your choice, and any hardship you may suffer as a result is entirely your own responsibility.

    Your unwillingness to look the other way and let people experience the consequences of their own choices does not justify employing threats or force to manipulate others into doing what you think is best for them.

  20. Re:Done this for a while. on Let Your Theme Song be Your Password · Score: 1

    One could just reuse the sectors originally belonging to the plaintext, in which case it looks no different than single-pass encryption.

    As for "playing games" -- the doubly-encrypted file is at least as secure as if you had just used a double-length key, and if you can manage to obscure the fact that you used two passes you make it far more difficult for an attacker to succeed by brute force, since they don't even know to try attacking the inner encryption. It's more a matter of psychology than cryptology, perhaps, but provides a clear advantage nonetheless.

  21. Re:Done this for a while. on Let Your Theme Song be Your Password · Score: 1

    Better 64 hex digits than several megabytes' worth of binary data.

    AES-256 is a symmetric encryption algorithm, not public-key. There is no advantage to using a pseudo-random number generator as a pad, as you suggest, versus using the AES block cipher algorithm. The PRNG would likely be much easier to attack without resorting to brute force.

  22. Re:Done this for a while. on Let Your Theme Song be Your Password · Score: 1

    That is an interesting approach, and I will admit that it reveals that two files of similar sizes were encrypted (well, written) at nearly the same time, although one would still have to infer why -- it's not really a given that the only possibility is double-encryption, although it is likely enough. To carry it out, though, you'd have to have access not just to the encrypted file, but also to the original hard drive the file was encrypted on -- assuming the intermediate files were written to disk at all. Wiping the free space of the drive would also eliminate the necessary evidence in both the disk sectors and the filesystem.

    Anyway, this isn't a weakness in the technique itself, but rather in the way a specific implementation fails to protect information about the encryption process. It's no different than allowing the key itself to be written to a swap file, for example. I believe I did say that one would have to protect the method used to the same extent as the key.

    In practice, of course, I'd just use a single pass of AES-256, that being sufficient to ward off any realistic brute-force attacks.

  23. Re: Abominations and Copyright on YouTube Yanks Free Tibet Video After IOC Pressure · Score: 1

    There is a thing called natural law and every human being has a deep moral obligation to stand up for the oppressed regardless of circumstances.

    There is such a thing as natural law, but morals have nothing to do with it. To call something a natural law is to say that a given action/circumstance always has certain consequences/effects, by its very nature. Essentially, natural laws are self-enforcing and cannot be broken by any human action. This would include such things as the laws of physics, the principle of rational self-interest, the law of supply and demand, etc.

    Morality, and by extension moral obligations, are by their nature highly subjective things, and thus not a matter of natural law.

    These offenses you speak of are carried out by China's government, whereas any trade we may have with China is really with China's people. This is an important distinction. If anything we should be encouraging commerce and communication with the people of China, while undermining any claim to legitimacy or authority China's government may attempt to assert over them.

  24. Re:Done this for a while. on Let Your Theme Song be Your Password · Score: 1

    If you just want to encrypt a single file for yourself, and can assure the key remains secret in practice, the algorithm should be a one time pad.

    But I can't remember a one-time pad, which has to be random data just as long as the original message. If I could do that I would just remember the message -- it'd be a lot easier. The whole point was to use an encryption algorithm with a key length shorter than the message, while preventing brute-force attacks from succeeding.

    OTP would be easy and uninteresting, sure, but it's not an option here due to the key size. The real problem -- which you are attempting to redefine into nonexistence -- is much more difficult, and interesting to me, even if it is useless for communication.

  25. Re:Done this for a while. on Let Your Theme Song be Your Password · Score: 1

    For one, it's not at all an interesting approach if it only works for encrypting a single file.

    Maybe not to security researchers, but it's certainly interesting to me if all I want to do is encrypt a single file such that attacks designed for standard encryption schemes won't work on it.

    For another, you're discounting the very real possibility that there is additional evidence in the situation that makes it apparent that it was done via this method.

    Like what, exactly? Obviously you'd have to be just as careful about revealing the real encryption method as you would normally be about revealing the key, but given that, how would anyone else know? (I'm assuming there is no dedicated two-pass program -- you just run the same single-pass encryption program twice.)