Slashdot Mirror


User: IamTheRealMike

IamTheRealMike's activity in the archive.

Stories
0

Comments · 5,855

  1. Re:what about memory encryption? on AACS Device Key Found · · Score: 1

    Good thinking but I'm afraid they're far ahead of you.

    Firstly, secure chips are not a new technology and have been refined over many years as they're commonly used in smart cards (for instance satellite tv cams), and financial applications like VISA authentication modules. Light sensors are one of the most well known tamper-proofing devices but there are many more. Your suggestion of using infra-red light is interesting and might work, I am not an SEM expert, however even entry-level secure chips are protected by a wire mesh these days designed to interfere with the operation of the microscopes.

    I think you also underestimate the complexity of reverse engineering a chip. Chip layouts are synthesised artificially and are not logical. It is like trying to decompile a program from the machine code, except that whereas lots of people have the knowledge required to attempt the latter very few have the knowledge to do the hardware equivalent. When you say "use that information combined with the layout of the chip" you toss aside potentially years of effort with a sentence.

    The basic idea in this thread is correct - putting DRM into well designed hardware that doesn't take shortcuts (like the original xbox did) significantly raises the bar for attackers. One of the reasons pure software DRM has never worked well is because so many people have the tools and knowledge to take apart a program, and because programs aren't well defended at all except through obscurity. The same is not true of hardware. That's why things like LaGrande are being built.

  2. Re:Will they actually do it? on AACS Device Key Found · · Score: 1

    In fact AACS contains a variety of traitor-tracing algorithms designed to find the player key used to decrypt a title even if that player key is never published. How well the mechanism works I could not say, as I don't think it's been used yet. But suffice it to say, AACS is significantly more advanced than CSS and takes into account many different attack scenarios.

    I don't get what the big deal with this story is. A badly written player was cracked. Its keys will be revoked, a software update will be offered. Protecting keys in memory is theoretically impossible, but in practice you can make it very difficult such that only a few people have the time, patience and skill to extract the keys. The Microsoft WM DRM splits the keys into pieces and scatters them throughout the heap, meaning you can't use the approach muslix used - you actually have to reverse engineer large parts of the code to find out how the key is split up and where the pieces go, a significantly harder proposition. WM DRM has been cracked in the past, but that was before they started splitting up the keys.

  3. Re:Aren't there laws against this? on Software Deletes Files to Defend Against Piracy · · Score: 0, Flamebait

    You hope he suffers dearly? Wait, I read on Slashdot only a few days ago that some DoD Warez guy had been caught and was going to jail, but actually he should only be given a small fine because he hadn't actually hurt anybody, he'd just broken the law over and over again with full knowledge of what he was doing.

    I think it's pretty amazing that people's attitudes to piracy have got so bad that a major criminal gets people's sympathy but this guy should "suffer dearly". Doubly amazing because I so often see people here defending the right to use weapons against people caught breaking and entering.

  4. Re:Is it a mandatory minimum? on DoD Warez Leader Faces 10 Years in Jail · · Score: 1

    By that definition all kinds of thugs would not be in jail. Drug dealers often don't directly "physically injure" people, they're just guys in suits with swanky apartments and shady connections. Financial fraudsters - like the guy who broke Barings bank - would walk despite wiping out millions of people's savings. I know Slashdot is a haven of piracy-sympathisers, but why is jail suddenly reserved for those who physically injure people, just because now it's a warez guy?

  5. Re:Disappointed on Raymond Knocks Fedora, Switches to Ubuntu · · Score: 1

    Why would the majority of Slashdotters care about that when they are not eligible to vote in California?

  6. Re:Will it still serve ads? on Google Apps Premier Edition Launches · · Score: 1

    Ads are optional in the Premium edition, so, yes you can do that if you want.

  7. Re:NOT 'clean-burning' by any mean on Burning Ice Drilled from Alaska's Slope · · Score: 1

    It doesn't matter if the number of carbon atoms in the system is the same. The point is that the carbon has changed form - as methane it is a far worse greenhouse gas than CO2 would be.

  8. Re:Car Tracking Petition on UK's Blair Dismisses Online Anti ID-Card Petition · · Score: 1

    No, I think you might be right. I'm not saying the Slashcode model is perfect - far from it. But, I think it does a pretty good job, and is better than a petition site :) The Digg model might work better, I don't know much about that site.

  9. Re:Car Tracking Petition on UK's Blair Dismisses Online Anti ID-Card Petition · · Score: 4, Insightful

    The problem is the whole idea of petitions is flawed.

    1. Firstly, yes people can be stupid. When polled they say things like, the environment is very important to me. We should drive less. We need less traffic on our roads, it is too dangerous for our children. But when measures are introduced to discourage driving suddenly it's not OK anymore. Suddenly it's a "tax on the poor". The people implementing the scheme say it'll replace fuel duty and so most people won't pay more - why shouldn't I believe them? Many congested roads cannot be upgraded, so the petition's solution is facile and won't work - financially encouraging people to avoid congested areas (or discouraging them from going to congested areas, depending on your point of view) seems sane to me.
    2. Secondly, there's no way to vote against a petition. You can only sign FOR it. What if I think the petition is stupid? There's no way for me to express that.
    3. Thirdly, it eliminates intelligent debate. There are a whole range of subtle arguments and perspectives on the issues being petitioned about, but the system reduces it down to a "yes" or "unknown" perspective, which is worthless. A large Slashdot style debating site would be far more useful and effective.
    4. Finally, a petition site is an easy cop-out for the people signing it. All you have to do is type in your name and be angry. You don't have to support your point of view at all. Politicians are expected to argue their case but for "the people" it is enough simply to go around saying "XYZ thing sucks because . Wanna sign?" and most people will say "Sure!" rather than "Hm, let me research the issues and get back to you on that one".

    Put bluntly, if I were PM I'd either shut down or ignore such petition sites and try and arrange a decent forum (slashcode based?) for online debate instead. The quality of insight into an issue (and people's feelings) I derive from discussions on Slashdot is way higher than from reading a random bunch of petitions ... and when I check the facts behind people's comments I generally find them to be accurate. At least, more accurate than a typical petition justification.

  10. Re:A total load of bullshit, and here's why on The Future of Packaging Software in Linux · · Score: 1

    I don't have statistics, only my own experiences as an upstream software developer. I have spent a significant number of hours, days, weeks, whatever, on fixing bugs introduced by packagers who did not understand the software they were packaging. Debian was particularly bad at this because it was nearly impossible to get the packages fixed. But at other times Red Hat, Gentoo, Slackware and Mandrake were also affected by packaging related bugs. This is not news to people who have developed complex software packages for Linux.

  11. Re:Not cool on AOL Now Supports OpenID · · Score: 1

    The other not cool thing is the way people are identified by URLs rather than email addresses .... a whole load of people don't really seem to grok URLs and now we are expecting them to remember more or less arbitrary "web page addresses" that do not in fact identify web pages? WTF? The stupid thing is this could be fixed by a simple rewrite convention, but they never seem to have bothered making one. I (and many others) raised it on the openid lists way back when it was just a 5-minute thing put together by the LiveJournal guy ... he seemed to have some religious attachment to actually using URLs instead of more people-friendly email addresses :(

  12. Re:A total load of bullshit, and here's why on The Future of Packaging Software in Linux · · Score: 1

    Gaim will tell you but it won't actually do the update. If your distro hasn't updated yet, you are hosed.

  13. Re:Europe 1984 on Comparison of Working at the 3 Big Search Giants · · Score: 1

    The guards are outside the buildings, not in them.

  14. Re:Distributed packaging systems on The Future of Packaging Software in Linux · · Score: 1

    I think Linux needs a distributed packaging system. A system where ISV's can plug-in their "feed url" as well. Perhaps even like RSS does it, place a feed icon at the website. A local cronjob and central update server then check all feeds to provide software updates for really all installed software. I really wish something like that would emerge.

    Well, autopackage does have this. It doesn't use RSS but a similar XML based schema designed for software updates specifically. Nobody ever completed the auto-update code IIRC though, so right now those feeds are only used for dependency resolution.

    Looking at the download page of a random project, I think something is wrong there. Why can't there be just one installer? What is so different between all RPM or DEB-based distributions you need separate packages for each one of them?

    There are lots and lots of small differences that add up into a big headache. 99% of the time, these differences aren't competitive advantages, that is, you wouldn't use one distro over another because of these decisions (not even when combined). But the people making the popular distros of today reject the idea of inter-distro compatibility .... their view is they need the ability to make incompatible changes at any time in order to compete with each other. It has been said "there's a reason Ubuntu doesn't have Linux in the name", and that pretty much sums up the prevalent attitude today.

    That, in a nutshell, is why you can't have one installer. Or rather you can, if you build something like autopackage which is 90% code designed to work around or abstract differences between distributions. But it requires a tremendous amount of effort to keep it working - you are in effect always running at full speed to stand still - because when it comes to the crunch distros care more about being able to (say) tweak their menu system over having non-repository software.

  15. Re:A total load of bullshit, and here's why on The Future of Packaging Software in Linux · · Score: 1

    Too bad so many Mac applications don't follow OS X's conventions then, isn't it?

    You only get auto-update for software in the repositories. Some software is not. You might say, it does not follow the Linux conventions. So, why are you blaming OS X for apps that don't follow the conventions, when Linux has the same problem?

    Note also that fixing this for the developers on MacOS is pretty easy, just include the Sparkle library. Fixing it on Linux is really hard, and it's out of the developers' hands. Basically if you are included correctly and kept up to date in a distro, it's a matter of luck.

  16. Re:Security on Comparison of Working at the 3 Big Search Giants · · Score: 1

    They're watching for tailgaters. The Mountain View complex is entirely open, and there have been big problems in the past with employees of other companies wandering over to use the free canteens - not to mention trying to get into TGIF. If it was like most office buildings where there was one main entrance it wouldn't be necessary, and indeed in the Zurich office there are no guards.

  17. Re:There are things in the spec I object to... on One Laptop Per Child Security Spec Released · · Score: 1

    AFAIK the X protocol was never designed with security in mind. So sending commands to another program might also implicitly mean the ability to check the state of that program.

    Yes. That's why it's a protected operation and requires signing.

  18. Re:nothing new here on Chip-and-Pin Vulnerable To Subtle Trickery · · Score: 1

    No, that's the whole point. If you have the card (stolen it) but not the PIN it is useless, regardless of what you do with a terminal. If you have a PIN (hacked terminal) but not the card, it's still useless. The simplest way to hack Chip'n'PIN for now is simply to bend the chip so it breaks, causing the terminals to fall back to magstripes.

  19. Yawn on Vista a Threat to Internet Freedom? · · Score: 1

    I guess our freedoms were fundamentally restricted by CDs back when they were a pain to copy, or by books because I can't just "derive an experiment" whenever I feel like it. Whatever. The restrictions are in place because 99% of people can't resist the lure of free stuff. End of story.

  20. Re:iPhone not smartphone on Inside Symbian: the Platform Nokia Secretly Hates · · Score: 1

    Lots of phones run third party apps, including consumer phones (think J2ME applets/games). The definition of "smartphone" is pretty vague, actually, I don't know anybody except tech review magazines and the odd phone geeks that seriously try and use it. For the man on the street, there are phones and then there are PDAs, and a few are kinda both but not many people use them.

  21. Re:I'm confused on Novell May be Banned from Distributing Linux · · Score: 1

    implies that Linux is non-free. And that's not acceptable to the community.

    What if Novell are right, and Linux is indeed non-free? I rate the chances of Linux not infringing on at least one Microsoft patent as zero. The GPL is not compatible with reality anymore unfortunately - it has this starry eyed notion of freedom that no longer exists in the software world. Trying to enforce those patent clauses is ridiculous, it would make virtually every piece of GPLd software out there non-free. For them to add wording to the GPLv3 banning the implication that GPLd software may be patent infringing is yet another reason to avoid the new license.

    I think it is purely common sense for the community to reject patches supplied by Novell.

    Seems to me that it's purely common sense that Linux is already "tainted" by the IP of a gazillion different companies.

  22. Re:Dynamic IP Adderesses on 7 Ways to Be Mistaken for a Spammer · · Score: 1

    should companies assume that any IP in a dynamic range is a spammer email?

    Yes.

  23. Re:at least he's trying on Microsoft Tops Corporate-Reputation Survey · · Score: 1

    He could have just retired to the Caribbean, bought out an island and enjoyed his wealth. But he didn't and so let's give him a cheer just for that.

    He pretty much already did that. Look at his house, for instance. I believe he also owns his own cruise liner. Now he's basically bought everything he could ever want and is still the richest man in the world, what else is there left to do?

  24. Re:Where's the need come from? on Water From Wind · · Score: 1

    Water shortages are predicted worldwide within 10-20 years, typically because we're exhausting natural aquifers. See the Ogallala aquifer for an example of that.

  25. Re:Collateral Damage on Fight DRM While There's Still Time · · Score: 1

    No, the TPM can't do that, at least not according to the specs I've read. It can prove or disprove that you are running Windows to a remote party but it cannot prevent you from booting whatever you want on your hardware.