Slashdot Mirror


User: anthony_dipierro

anthony_dipierro's activity in the archive.

Stories: 0
Comments: 6,976

Comments · 6,976

  1. Re:Banks should protect the money, not us on Phishing Site Using Valid SSL Certificates · · Score: 1

    The phisher in the end shouldn't be able to get any money from this.

    The banks should have in place a system that secures your money much better than this.

    What makes you think the phisher successfully got any money? The article only suggests that they got information, not money.

  2. Re:So, your point is? on Phishing Site Using Valid SSL Certificates · · Score: 1

    Use SSL for what it's good for, end to end encryption with a party you haven't talked to before. Skip the rest of it or reduce it to something like domain name-only authentication where SSL is understood to only authenticate that you really are talking to the server with that name.

    SSL without some form of authentication is pretty much useless. Self-signed certificates are vulnerable to a man-in-the-middle attack. So yes, domain name-only authentication is a minimum. And as far as I'm concerned, that's pretty much all the current CAs provide. Even then, they occasionally make mistakes, but even at the current prices you've gotta assume the occasional mistake will be made.

    They provide something of value: They prevent the scare boxes from popping up when someone visits your ecommerce site. It's a classic protection scam: pay us to not do something harmful to you.

    The scare boxes are there for a reason - because self-signed certificates are essentially worthless. Now granted there *is* a possible in-between solution, which is the one used by putty and most SSH clients. You pop up the scare box the first time you connect to a particular site, and then you memorize the key and only pop up the box again if the key changes.

    Think about it though. If it's a "classic protection scam", how come even the open source software like firefox pops up the scare box? Surely not every open source programmer who is smart enough to hack firefox is in on the conspiracy.

  3. Re:This bears repeating - on Phishing Site Using Valid SSL Certificates · · Score: 1

    A self-signed certificate doesn't provide very good encryption, since it is vulnerable to a man-in-the-middle attack.

  4. Re:Maybe they're right on RFID Injection Required for Datacenter Access · · Score: 1

    What makes you think there has to be some sort of distinction between a company or corporation, and a modern government?

    Governments tend to have much less competition. Really that's about it, though. Both can be seen as voluntary - I could move to another country (or even out onto the high seas), and I can change my employer/vendors/etc., but changing employers is something that I've actually done a lot of times, changing my country is not.

    Really, the main distinction is that the government has guns - and there are many corporations which have quite a few of those.

    The real power of the government nowadays isn't so much the guns as it is the information - and corporations have quite a bit of that.

  5. Re:uh, no. on RFID Injection Required for Datacenter Access · · Score: 1

    In the end, I said that I wouldn't be requesting an interview as I didn't want to work for a company that required access to all my supposedly private information (permanently) to just get an interview.

    This is the sort of under the radar dealing that can lead to all people having to wear RFID tags, just so they can be employed.

    Obviously not. Many people, just like you, will refuse and find another job.

    Implanted RFID tags aren't useful enough to companies, and they're too highly despised by workers, that there won't be at least some which don't require their employees to wear them. The only way that everyone is going to wear them is if the government *does* get involved, not if they stay out of things.

  6. Re: does not require the microchips be implanted on RFID Injection Required for Datacenter Access · · Score: 1

    When they fire my ass for refusing to have body modifications (which, funnily enough, they expressly forbid in my contract of employment) I'll be taking the $100M compensation for unfair dismissal payout.

    You must be paid an awful lot if your employment contract is worth $100 million.

  7. Re:From TFA on RFID Injection Required for Datacenter Access · · Score: 2, Interesting

    And anyone who requires access to the datacenter to do their job, such as operators and sysadmins, cannot DO their job unless they get the implant. And if they cannot do the job, how are they expected to maintain employment?

    I'm sure the company has other jobs which the people are qualified for and do not involve access to the datacenter. Only two employees got the chip, so surely there are available job positions which don't involve getting chipped.

    I suppose the official reason for termination would be "uncooperative attitude." Certainly not "he refused to get chipped." Or maybe the company will concentrate on ways to make the employee so miserable, he just quits. Problem solved.

    I doubt it. In either of those two situations the company would likely be responsible for paying unemployment compensation and/or severance pay. It seems like a much better solution for the company to just give the person an alternative job.

    Sure, the person might wind up getting passed over for the next promotion, but if the company is smart that's about the extent of it.

  8. Re:not black and white on Are Web Firms Giving in to China? · · Score: 1

    If experienced users know how to use firewalls and proxies - then why is a censored local version needed? How does it add anything?

    Not all users are experienced, and the Chinese censorship of Google is far from perfect. Imagine if no companies cooperated with the Chinese government. China would completely separate itself (Internet-wise) from the rest of the world, and communication would be that much more difficult. At the very least a censored Google is useful as a covert channel - one can embed messages in seemingly innocuous transmissions to get them past the censors. In reality things are simpler than that, because the censors can't possibly get everything. You need "legitimate" channels in order to communicate these techniques, and Google can help fill that role.

    In reality, google has other options. It could, for example, make a free utility to help less-experienced users easily bypass the censorship and get to uncensored Google.com.

    Yes, it could, but I'd argue that Google isn't in the best position for starting that kind of technological arms race with China - they'd have to give up too much because the Chinese government would almost surely retaliate against such a bold disregard for Chinese laws. Rather, I think it'd be smarter for such a task to be taken on by smaller (and probably anonymous) entities.

    It could also take a stand, based on "do no evil" and use its vast online resources to speak out against the Chinese and other totalitarians, and educate people.

    Again I don't see that as the place for Google. Speak out in what way? Google isn't a PR company, I really don't see what they're going to say that would make any difference. Sure, they could publicly condemn the laws, similar to the way the United States condemns laws of other countries that it doesn't agree with, but they've probably already done that, and really I don't think it makes much of a difference.

    Google has a policy of complying with the laws of the countries in which it operates. I think that's a reasonable policy, especially for such a large company which has so much to lose (and relatively little bargaining power). Ultimately it is up to the people of China to fix the Chinese laws. We can help them, but only if we are able to communicate with them in the first place. It's not like Google is providing the Chinese government with weapons. No, they're providing the Chinese people with useful information (just not as much useful information as is possible).

  9. Re:It's different with China on Are Web Firms Giving in to China? · · Score: 1

    But in the end, whether it's defending internet freedom or promising not to do evil, Google's core morals are no longer really a philosophy as much as a way of looking cool to the right people. Oh, how I wish they hadn't gone public...

    Why do you think it matters whether or not they are a public company?

  10. not black and white on Are Web Firms Giving in to China? · · Score: 1

    I was asked the question the other day, do U.S. corporations have the obligation to promote democracy? That's the wrong question. It would be great if they would promote democracy. But they do have a moral imperative and a duty not to promote dictatorship.

    I think it's a much deeper philosophical question than that. It seems to me that Google has two choices: provide a censored search engine to China or provide no search engine at all. Now I can see arguments for both sides here, but I wouldn't say that either amounts to "promoting dictatorship".

    This BBC article interviewing Chinese bloggers seems to agree: "The problem is not that Google is censoring its search service, it is that China doesn't have free speech." "There's too much Western media emphasis on internet censorship in China. Experienced bloggers know how to use proxy servers to get around the government firewall and access Google's main English language site." "I wish somebody would take the position of the typical Chinese internet user. If one is going to advocate a boycott, I would like the criteria to be the material improvement in the life of the typical Chinese internet user. I think talk of boycotting Google is a bad idea. People in China will not appreciate that because these are esoteric issues for them."

  11. Re:Landlords still have to follow the law... on Craigslist Sued For Violating Fair Housing Laws · · Score: 1

    [Newspapers] can be held liable just for printing it.

    Umm, that's the whole point of this discussion. The original poster is saying that newspapers shouldn't be held liable just for printing such an advertisement, and I'm agreeing with him.

  12. Re:It's my fault on Netflix Throttling Heavy Renters · · Score: 1

    The advertisement states "Unlimited," which should translate into "Everything we can do to make sure that you have three movies checked out to you at any one time." Having secret or public delays is not right, because that is the antithesis of "Unlimited." In other words, NetFlix is lying when they say "Unlimited."

    It's unclear to me, from reading the article, whether or not they're actually lying. If all they're doing is giving priority, for the same movie, to someone who uses the service less, I think that's within their right (even if it's called "unlimited"). IOW, if you use the service excessively, so they give you movies further down on your list which are in lower demand (and if you don't have any low demand movies on your list and they don't have enough of the high demand ones to go around then you wait), I think that's OK.

    As for those jackasses that are ripping the movies. Why?

    Personally I do it for research purposes. For instance, so that I can refer to the movie if I need to look something up, and so that I can cut out clips to use on websites under the doctrine of fair use. I'd also like to run a program over my collection so that I can search in the subtitles of my movie collection for certain phrases.

    1) what you are doing is illegal, not just on DMCA standpoint, but also because you don't even own the media. You are renting the movie. Renting voids any right for time-shifting, media shifting, backup, or any of the other excuses you think you have.

    The DMCA specifically allows fair use, and even to the extent I exceed fair use I doubt I would be found criminally liable since I am not copying for commercial purposes.

    If you want the movie that bad, either buy it or put it back in the Queue for when you want to watch it again.

    We'll see what happens in the Google Print copyright case, since they're doing essentially the same thing as I am (except they're doing it for commercial purposes). If the judge in that case tells Google that they have to buy the books in order to scan them in, then I guess I'll reevaluate whether or not what I'm doing is legal.

  13. Re:It's my fault on Netflix Throttling Heavy Renters · · Score: 1

    Touche, however that was really my point :). Along the lines of the other poster, it'd be like bringing a copying machine to a library and making copies of all the books. Which is to say, it'd be illegal (at least civilly, but maybe not criminally), and according to many people it'd be morally wrong, but according to others (including myself) not at all morally wrong.

  14. Re:It's my fault on Netflix Throttling Heavy Renters · · Score: 1

    That too!

  15. Re:Wow, wow, wow.. let me get this straight.. on EFF Warns Not to Use Google Desktop · · Score: 1

    Well, like I said, this wouldn't get the password for every single person, just the vast majority. That should be good enough, though.

  16. Re:Legalize discrimination now! on Craigslist Sued For Violating Fair Housing Laws · · Score: 1

    It should be perfectly legal to murder, rape and rob, because passing laws isn't going to make those things disappear.

    Put that within the context of property rights, and you might just get some radical libertarians to agree with you.

  17. Re:Landlords still have to follow the law... on Craigslist Sued For Violating Fair Housing Laws · · Score: 1

    In real estate, there are quasi-governmental "checkers" of these protected classes who constantly attempt to rent and/or buy.

    Wouldn't the job of the "checkers" be a lot easier if they could just look in the newspaper and see which advertisements explicitly say they intend to discriminate?

  18. Re:Offset your time on How Do You Maintain Long-Distance Projects? · · Score: 1

    While you're at it, why not switch to the 4-day work week. That way things aren't skewed to a particular timezone.

  19. Re:It's my fault on Netflix Throttling Heavy Renters · · Score: 1, Insightful

    Copying Netflix movies is like bringing a doggie bag to an all-you-can-eat buffet.

    No, it'd be like bringing a copying machine to an all-you-can-eat buffet.

  20. Re:Wow, wow, wow.. let me get this straight.. on EFF Warns Not to Use Google Desktop · · Score: 1

    Part of it is just to make it hard to get _everyone's_ data.

    It's been pretty much admitted to that the NSA is working hard, and spending lots of money, doing exactly this. Even to the extent they haven't admitted to it I'm fairly certain it's being done on a regular basis.

    While cracking one guy's password may be easy to do if you really want to know what he's been doing, if that costs a couple million in computing resources (not precisely the hardware, but rather the computer time, cryptanalysts, etc) you're not going to be able to simply do it to everyone. So I guess the question is, how long does a password-based encryption need to be these days to cost at least $1M in computing resources to crack?

    Well, it certainly depends on the algorithm, but let's look at an example... "L0phtCrack takes less than a second to process the default dictionary of nearly 30,000 words and about a minute and a half to process two additional characters in conjunction with the 30,000 word list (on a PIII 500)." (http://geodsoft.com/howto/password/cracking_passwords.htm). That alone would probably crack a good portion if not a majority of Gmail users' passwords (even if you pretend they're not going to use the same password they already use for Gmail, in which case the government could force Google to snoop it post https decryption).

    Brute forcing is a bit harder, but with just a million dollars (which would be a pittance in terms of the estimated billions of dollars in NSA funding), the NSA could probably easily crack all 6-7 ASCII character or less passwords using standard brute force algorithms. Add in specialized hardware, which I'm sure they have, and maybe they could even do 8-10 or more. Reduce the size of the character set, which would make things more practical, and you could add one or two characters on to that. I don't know, but I personally wouldn't feel comfortable with anything short enough for me to memorize. Even then I guess I wouldn't feel completely comfortable, I mean, for all I know the NSA found a hole in RSA and/or proved NP=P (though I suspect such a revolutionary discovery would have leaked somehow). I guess what I'm saying is if you *really* care about the government discovering what you have on your computer, don't hook it up to the Internet.

    I think it's pretty clear that "it probably wouldn't be all that hard to decrypt most of the passwords". I mean, just using a dictionary cracker like L0phtCrack would probably accomplish that. I'd personally go further, and suggest that the US government could probably crack the vast majority of passwords. The remaining ones wouldn't even have to be cracked, really. It'd be enough to target those people in other ways.

  21. Re:Another misleading Slashdot headline on EFF Warns Not to Use Google Desktop · · Score: 1

    Dude, what are you talking about?

    I'm saying "I'm pretty sure that if [Google] was doing this, someone would have noticed it...and complained about it."

    I was pointing out that because we have access to the sources from the Mozilla Foundation we can actually check the code for stuff like this...

    I know I haven't gone through the entire code for Firefox, have you?

    I don't know about you, but I've never had access to any source code from the big G.

    Fortunately there are other people in the world besides you. And besides, one doesn't need source code to find out about this. As was mentioned, one can monitor the traffic going in and out. Alternatively, one can review the compiled code.

    I'm sure if Google was sending data to its servers even when you had the feature to do so turned off, someone would have noticed it and complained about it. It's just not that hard to monitor traffic on your system.

  22. Re:Wow, wow, wow.. let me get this straight.. on EFF Warns Not to Use Google Desktop · · Score: 1

    They could store the data encrypted (index data and documents), using a private key known only to the user.

    Well, since most people don't carry usb keys with their private key everywhere, it'd have to be encrypted with a key generated from a password. Now given the fact that we're talking about the government here, it probably wouldn't be all that hard to decrypt most of the passwords.

    And that assumes that all of the search technology is on the client-side, which might not be a very good implementation anyway, because it requires you to download the *entire* index on every computer.

  23. Re:Another misleading Slashdot headline on EFF Warns Not to Use Google Desktop · · Score: 1

    Ditto with Google.

  24. Re:you, too on RMS says Creative Commons Unacceptable · · Score: 1

    Without that protection [copyright], you had less incentive to write another book, thereby depriving society of your creative output.

    You may indeed have less incentive. Then again, you might have more, if your intent is more focussed on delivering your book to as many people as possible. But not everyone is unwilling to write a book in the absence of copyright law. In fact, even with the option of copyright law, many books are written which explicitly disclaim copyright.

    Even today, creative people would like to make a living, or even get rich from their work.

    I'd like to make a living and/or get rich sitting at home in my underwear posting on Slashdot. Doesn't mean the government should help me do that.

    You cannot make that decision for the creator. [....] But that is my decision to make as the author, not yours as the (potential) consumer.

    In the eyes of the law, at least in most jurisdictions, you are correct. But my comments really didn't have anything to do with the law.

  25. Re:He just won't support the brand. on RMS says Creative Commons Unacceptable · · Score: 1

    I can't find a "Developing Nations" license anywhere.

    Try using a search engine.