> ... "Security through Obscurity" is useless.
I agree that Security Through Obscurity is far, far from adequate, but it is not useless. It can be useful as part of a security scheme that depends on other, stronger defenses.
The less the opponents know about you, the tougher it is for them to recognize your vulnerabilities.
And there are _always_ vulnerabilities.
> ...
> The code included a function specifically for
> a_times_b_mod_c using arbitrarily large numbers,
> and we used this function in the interest of
> speed. Unfortunately, there was a bug which
> caused the function to return a 0 result a
> little more often than expected (with C being
> "almost certainly" prime, it should almost never
> return a 0).
>
> When we got rid of the special function and
> instead used the overloaded * and % operators,
> everything worked fine.
>
> The moral of the story? I suppose it's just
> this: the "many eyeballs" theory quickly breaks
> down in the face of esoteric algorithms.
I have to ask: why were you confident that the * and % operators work correctly? Did you even look at the code for them?
Diffie's point is that, when you can see the algorithm, you have the _option_ to analyze, understand, and verify it.
It's up to you to exercise the option, and most importantly, apply resources to that task appropriate to the risks you face.
If you don't have the option to exercise, you just have to hope that the function provider applied the appropriate amount of _their_ resources to mitigate _your_ risk.
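The reply above asks how anyone could be confident that either the special-purpose a_times_b_mod_c routine or the overloaded operators it replaced were correct. The following is an added example, not code from the thread or from the project being discussed: a double-and-add modular multiplication (the shape of routine one writes when a full-width product would overflow), cross-checked against the native `*` and `%`, plus the invariant the quoted post relied on, that for a prime modulus and nonzero operands the result is never 0. The moduli M127 and COMPOSITE and the function names are constructed for the demonstration.

```python
import random

# Constructed constants for the demonstration (not from the thread).
M127 = 2**127 - 1      # a known Mersenne prime: the "almost certainly prime" modulus
COMPOSITE = 2**64      # a composite modulus, where zero products are legitimate


def mulmod_double_and_add(a: int, b: int, c: int) -> int:
    """Return (a * b) % c by binary double-and-add.

    Every intermediate value stays below 2*c, so this is what one writes
    when the full product would overflow a fixed-width integer. It never
    applies '*' or '%' to the product, which is what makes it a useful
    independent cross-check against the native operators.
    """
    if c <= 0:
        raise ValueError("modulus must be positive")
    a %= c
    b %= c
    result = 0
    while b:
        if b & 1:               # current bit of b set: add the current multiple of a
            result += a
            if result >= c:
                result -= c
        a += a                  # next power-of-two multiple of a, reduced mod c
        if a >= c:
            a -= c
        b >>= 1
    return result


def mulmod_native(a: int, b: int, c: int) -> int:
    """The 'overloaded * and %' version: let the big-integer library do it."""
    return (a * b) % c


def differential_test(c: int, trials: int, seed: int = 0) -> int:
    """Run both implementations on the same random operands and return the
    number of disagreements. Any nonzero count means at least one is wrong,
    and the disagreeing inputs are the first thing to look at."""
    rng = random.Random(seed)
    mismatches = 0
    for _ in range(trials):
        a = rng.randrange(0, c)
        b = rng.randrange(0, c)
        if mulmod_double_and_add(a, b, c) != mulmod_native(a, b, c):
            mismatches += 1
    return mismatches


def zero_result_count(c: int, trials: int, seed: int = 0) -> int:
    """Count zero results for random a, b in [1, c).

    For prime c this must be exactly 0, since a field has no zero divisors.
    A nonzero count with a prime modulus is the symptom the quoted post
    describes, and it points at the multiplication routine, not at the data.
    """
    rng = random.Random(seed)
    zeros = 0
    for _ in range(trials):
        a = rng.randrange(1, c)
        b = rng.randrange(1, c)
        if mulmod_double_and_add(a, b, c) == 0:
            zeros += 1
    return zeros


if __name__ == "__main__":
    print("mismatches vs native, prime modulus:", differential_test(M127, 500))
    print("zero results, prime modulus:", zero_result_count(M127, 500))
    # With a composite modulus, a zero result is legitimate: 2^32 * 2^32 = 2^64 = 0 mod 2^64.
    print("2^32 * 2^32 mod 2^64 =", mulmod_double_and_add(2**32, 2**32, COMPOSITE))
```

The two checks answer different questions: the differential test says whether the two implementations agree, and the zero-count test says whether either of them violates a property that must hold regardless of implementation. A routine that passed the first but failed the second would mean both implementations share a bug, which is exactly the case where trusting the operators because "everything worked fine" gives no assurance.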
As a Western-state voter, I fully intend to lie to any exit pollers who ask me how I voted.
The networks seem to have this parallel election going on, so they can tell who won the election before the votes are counted.
Out in the West, they tell us who won before we even get to the polls.
Pox on that. There's only one real election. I abhor the parallel straw vote, and I look forward to any opportunities to thwart it.
> Doesn't the use it or loose it rule apply anyhow
IANAL, but I read Slashdot ;-)
"Use it or lose it" applies to trademark rights,
"We'll just rewrite the code" applies to copyright.
Patents protect ideas, not writing, and the tragedy of the submarine patent is that prior art has to be, well, prior. Reinvention after the patent doesn't nullify the patent.
> Until I hear that this is false, I'm boycotting SCO.
If everybody behaves this way, we can kill a vendor just by starting a rumor.
The SCO patent story is _unsubstantiated_. It says so in the story and on the front page of Slashdot.
Shaken, not stirred.
When I recently bought a laptop, the thought crossed my mind several times: This could be my last free-as-in-speech system.
As long as 1.7 GHz is a decent speed for Linux-type software, I'll be able to run any software I like, even after the commodity PCs start dis-trust-ing me.
I prefer to have my computer to be a slave to me, not the other way around ;-)
Pardon the off-topic comment, but if you object to the e-file fees, don't use e-file.
The IRS really, really wants e-file to take off, because it saves them loads of money.
The best protest for the fees is to keep sending them paper returns until e-file is free.
Point taken, that the BSA is not serving the interests of fair use any more than the movie moguls.
However, when two titans are fighting, they distract each other.
This opens opportunities for the little creatures to sneak by with what would otherwise attract resistance from the titans.
For example, while congress-critters are trying to sort out the mixed messages from the lobbyist crowd, they might give a little more weight to the public's messages.
The opportunity lies in a carefully tuned message that plays on the combined weaknesses of the conflicting commercial interests.
> Okay, now for the controversial part:
> Ground the space shuttles.
> The shuttle builds the ISS. The ISS is no more.
> The shuttle is needed no more.
> There are better ways to put satellites in orbit.
Never heard of a classified shuttle mission, eh?
Those other missions, the "sexy" ones, make a nice excuse for spending all that money to fly the shuttle.
Ever wonder what else they're up to up there?
...governments terrorizing citizens in the name of the war on terrorism.
As powerful as a human brain, but:
> will lack the consciousness,
> intellect and capacity for thought of a brain,
> but will be equivalent in calculating
> speed and power.
Um, consciousness, intellect, and capacity for thought are what make the human brain powerful.
As far as floating-point operations (FLOPS), I found that a 1980s SR-50 calculator was much faster than my human brain.
They are better off measuring the power against animal brains, but don't get too high up into the primates, because I bet this computer couldn't figure out how to use the box and the stick to get the bananas down from the ceiling.
> The second is the Registered Traveler ID.
> This system is a voluntary system for frequent
> flyers to bypass the tedious and sometimes
> invasive security procedures at airports and
> train stations.
Well, I'll again paraphrase Lessig's "Code and the Laws of Cyberspace."
There are basically four ways to regulate something:
1) Make a law
2) Change the infrastructure
3) Establish social norms
4) Apply market forces
A "voluntary" system for frequent flyers, to allow someone to bypass the search stations, creates a two-tier infrastructure:
A: People who get to go right to their plane,
B: People who have to stand in line to get searched.
Now, once having established the two-tier system, what do you think will happen with tier "B"? To "save money," there will be fewer search stations and personnel. You'll have to plan to wait hours in line, and get particularly invasive searches.
What will happen with tier "A"? You get to go right to your plane, without delay, without intrusion.
Let's imagine the Gov't really wants you to get the card. (Not a big stretch of imagination, IMHO.) They make choice "B" so burdensome that you'll be compelled to choose "A" instead. The Gov't will point out that your rights are not being violated, since you aren't being denied travel if you choose not to go the "A" route. You can always exercise your privacy rights in the 2 to 4-hour "B" lines.
That's how to use infrastructure instead of law to compel the population to get their passenger IDs. Make the rights-preserving alternative so onerous that no one really wants to use it.
Read Lessig's book, it's an eye-opener (as he intended it to be).
> What OS didn't need security fixes after it was released.
...
I can't resist:
CPM, Multics, MVS, System-40,
(i.e. any OS that died before the Internet)
Draw the line between liberty and safety where it was on September 10, 2001.
It was not lack of security infrastructure that "allowed" the 9/11 attack. We had the infrastructure in place.
The hostile conspiracy had been testing the vigilance (or lack thereof) of the airport security screenings to _measure_ their complacency.
The hostile conspiracy was using techniques to keep their plans secret that would still work even if the present levels of internet monitoring and envelope steaming had been in place.
We have not really gained security. Observe that the perpetrator of the Anthrax letters still hasn't been identified, much less caught. Observe that the 2nd worst attack on U.S. territory, in OK City, was perpetrated by a U.S. citizen who used a rented panel truck. Safety still is just as illusory as it was before 9/11.
What has changed is that we've sacrificed liberty (or had it sacrificed for us) to create the image of security, without any real gains in security. Heavens, even Ashcroft admitted that U.S. aggression abroad would probably increase our risk of terrorist attacks on U.S. soil. Security is not the objective. Control is the objective.
Draw the line between security and safety where it was before. We'd spent 35 years of hard civil liberties work to keep the words "national security" from being carte blanche for the abuse of our civil rights. Now we've got to regain that progress all over again. We _will_ regain it, even if it takes another 35 years to relearn the lessons.
When will we ever learn the lessons that Microsoft has to teach us?
Microsoft Justice(TM) and Microsoft Congress(TM) are the market leaders. More people pay more money for Microsoft Government(TM) products than any other brand.
Don't be fooled by the also-ran brands. You'll find that you'll end up thinking harder and making more decisions with those so-called "open", no-owner forms of representation.
If the legal corruption problems with Microsoft-based government were as bad as they're made out to be, why are Microsoft Government(TM) products raking in so many profits?
Go with the market leader!
is something I heard on National Public Radio's _Morning_Edition_. One of Bob Edwards' humorous little zingers: that a batch of Sex Pistols' CD-ROMs were mistakenly labelled and sold as Lawrence Welk.
Mr. Edwards cleverly mused whether there was another batch of Welk mis-labelled as Sex Pistols, and whether the Sex Pistols fans were just as shocked...
Agreed, and don't forget that the equipment that's used to store the antimatter, as well as the engine itself, have to be light enough to push around in space without burning up too much energy on the brakes.
..."I would like to be placed on your federally mandated Do Not Call List. I would like written notification of this, and a copy of your Do Not Call policy mailed to me."
Yeah, but then I have to give them my address.
It's bad enough already that they have my phone number.
There seems to be a loophole for political campaigns.
Shocking (NOT).
"Projected Sales-Tax-Revenue Losses in 2006" heads the chart in the Denver Post article.
A "Revenue Loss." What a crock.
Root Mean Square
Lessig made the point, in depth in his _Code and the laws of Cyberspace_ book. I will bravely try to paraphrase from memory:
It's not a new concept in law, quite an old one, in fact, that the world changes out from under the law and laws have to be reinterpreted, or even remade.
He uses the example of wiretapping laws that were created when the land-line telephone went into widespread use. Until then, you couldn't be a party to a conversation without physically being present, either to hear the conversation or to read it.
Search and seizure applied to physical space, and the founding fathers had intended the limits on search and seizure to protect conversations (especially conversations about influencing the government). Telephones came along, and a guy up on a pole could listen to a conversation in a private residence down the block, without a warrant to enter the premises.
Lessig explained that the decisions about wiretap law presented the judiciary with a choice - should the law protect the physical space (wiretaps okay) or should the law protect the conversations in the physical space (wiretaps not okay).
There are legal terms for each of these alternatives, although I don't remember them. History is that the judiciary went with the intent, not the letter, of the law set down by people who had no concept that something called a telephone would ever be invented. The judiciary could have justified the decision either way; they had to make a choice. (Whether we like the choice or not is incidental; they're judges and they have the power to make unpopular choices.)
The invention of the telephone directly caused a need for new law to be made, in order to interpret an older law that was being superseded by the technology.
That's why you sometimes have to make/change law for new technology.
Read Lessig's book. He's a good writer and he is on the forefront of adapting our laws to the planetary network.
I wonder why "for limited times to authors and inventors the exclusive right to their respective writings and discoveries" gives rights to publishers or heirs?
> Besides, eventually Linux will not be 'allowed' to run on this processor.
_That_ would be an antitrust suit that would sail through the courts.
IANAL, but I think I was taught that when one company tells you what other companies you _must_ do business with, it's much more clearly illegal (in the USA) than having market dominance.