I've posted an open letter to Mark Helprin on my (admittedly crappy) blog. Tomorrow morning when I go into work, I will print it out and mail it to him. In the mean time, is there anything I should add or take away?
I see you've been drinking the Redmond Red flavour of Kool-Aid. UNIX is a common OS and it's been around for 37 years and networked for all that time. Why is there no AV software market for UNIX? What are the two most common implementation languages for Monkeysoft viruses? Monkeysoft has been on the Internet since about 1995. How much time have Monkeysoft users lost to viruses? Whose OS is the most 'botted? Microsoft was the first company to attain a critical mass. Remember also that worms and similar malware haven't even been around for 20 years, and the first one was released for UNIX.
If you replace "common" with "most vulnerable", your statement makes sense. You have a whitewashed view of security. Linux and Mac are as vulnerable as Windows. Maybe Linux users are more clueful, but if you find holes in, say, OpenOffice or GhostScript or GIMP or mplayer (I'll bet there's more than one), you can trick a power user a decent percent of the time. And occasionally there are remote root holes (or remote holes plus local root holes); several machines in the Harvard CS department got rooted this way last year.
Of course, it can be harder to convince a Linux user to download and run a program directly off the web, since distros have package managers. But I've downloaded and compiled several programs in the past year, and I haven't looked through the thousands of lines of source of any of them (a casual look won't do it, you'll need to go over them with a fine-toothed comb and a static analysis tool).
Sure... and if it runs with root or root-like privileges, it can do serious damage. Guess which OS lets that happen? For almost any purposes, it doesn't matter if the malware gets root. Consider a Linux desktop: if a malicious program gets access to your account, it can steal your files, keylog you (it can get root that way if you ever su or sudo), or install a modded Firefox or extension which sends your bank account info to the attacker. It can send mail, it can attack other machines, it can listen on the network, it can make itself autolaunch via cron or login scripts.
Sure, it can't affect other users, but on most desktop machines, there's only one user anyway. It can't listen on low ports or sniff or spoof packets. It can't install a rootkit, but it can hide itself from the user it's installed on (it can change environment variables to cause your programs to link with a hacked libc, and it can alias the statically linked ones). These things are a big deal on servers, but on desktops they aren't.
So what happens to your strategy when a weakness is announced? Do you tell your auditors that it was good enough five years ago? Yes, actually. At least today, hash breaks generally allow you to create two documents with the same hash (a collision), not to create a second document with the same hash as a given first one (a second preimage). Of course, there could be such a weakness, but if the hash is long enough (SHA256? SHA512?), it's unlikely. And you could always use two hashes, which would both have to be broken...
Let's put it another way... You give me a SHA1 hash and five years. If the money's right, I'll give you back a dataset that matches that hash within that five years... People always say this about crypto, but the vast majority of the time, it doesn't actually happen. Cryptanalytic attacks that can break real systems with a realistic amount of compute power are fairly rare; attacks that break offline systems are extremely rare. And remember, you can't brute-force a second preimage for a 128-bit hash (much less a 160- or 256-bit one) with any currently-forseeable technology.
No amount of money can enable a brute force attack here. If the survival of the human race depended on a 128-bit brute force attack, I doubt that we could do it in five years. (Standard calculation: if you could produce 4 billion chips per second, each of which could try 4 billion keys per second, it would take more than a century to go through half of a 128-bit key space.)
Also, we have NEVER wondered how to write a particular algorithm, then found the solution in some patent disclosure document. Do you realize how absurd that sounds? The interesting (engineer-readable) form of the disclosure isn't in the patent anyway. It's in a white paper somewhere; the argument is that people are more likely to publish such white papers if they can also get a patent.
And there are certainly algorithms that people want to implement that are patented and written up in white papers. Secure remote passwords come to mind.
So you're saying someone that REALLY wants to try and take out a nuke site is just going to say "Oh crap, no satellite images. I guess we'll just have to drive a truck through the gate!" The only thing the satellite images do is cut time off the initial work (understanding the layout) They will find a way to map the installation without it, then the real planning>>execution can take place. Certainly any will try to map the facility. They might succeed, or they might be caught casing the joint and be put under surveillance. They might infiltrate the facility, or they might be caught by a background check. If they just snoop around, there will probably be information in the fly-over photo that they're missing or have in lower quality. In other words, high-resolution photos of the site (fly-overs more than satellite shots) not only cut time off the initial work, they also reduce risk and increase correctness.
Someone else has already pointed out that other nations will keep distributing these images, guaranteed. The almighty US isn't the only one with spy satellites. I was mainly talking about flyovers (which have much more resolution than satellite photos), as that was what GGP was talking about. Other nations had better not be doing flyovers of our facilities and publishing the data. And obviously, once pictures are out, we can't get rid of them, but we can try to reduce the number of new facilities that get photographed, and in what resolution they get photographed.
This is a logical fallacy. Not that the world isn't a cryptosystem (although that would explain a lot) but you're implying that security through obscurity doesn't work in the real world, because it isn't a system of cryptography, where the system doesn't work.
Security through obscurity doesn't work in crypto or in meatspace. You didn't read what I wrote, did you? Kerckhoff's principle (the original statement of "security through obscurity is bad") says basically that obscurity shouldn't be the main line of defense. Having it as a defense at all is a trade-off: you expend effort maintaining obscurity, have fewer eyes on the system to find problems, but you may reduce your vulnerability to attackers. It's not security through obscurity, but security assisted by obscurity. It's a defense in depth.
In cryptosystems, because in most cases the system will be available for analysis offline, obscurity buys you very little against a determined attacker. There are a lot of cryptographers that might find problems in your system, and if you want it to be secure against a determined and technically capable attacker, it ought to survive scrutiny from them too. Note that, despite these trade-offs, governments keep their ciphers secret. This secrecy is an entirely reasonable defense in depth if you employ as many cryptographers as those governments do.
Because the physical world is not a cryptosystem, this trade-off is different. An attacker has to be physically present to break through your obscurity, and that exposes him to risk: it makes the defense in depth more valuable. Furthermore, it is not as easy to change security measures on a physical installation. Finally, there are more physical security experts available than cryptographers, so you may be able to get an adequate design without opening it to the public. Therefore, there are more situations where obscurity is appropriate.
For the most part BSD-licensed work is protected _from_ copyright. It's placed out there for common usage, and the people who created it get an amount of credit for it, but someone else can't come along and claim _their_ copyright over it. That's the main point in BSD-licensing. That simply isn't true. If I make a derivative work GFoozler of your application KFooMaker, then I control the copyright of GFoozler. It's a derivative of your work, so you have some control over its distribution, but it's still my derivative work. I can license the resulting code or binaries under any license I want, and distribute them under any terms I want, so long as I don't violate your right to control derivatives of your work. Assuming you BSD licensed KFooMaker, all I have to do it preserve the relevant copyright notices and attribution; I can arbitrarily restrict copying and usage of GFoozler and its source, just as if you had put your code in the public domain.
Under no circumstances (BSD licensed, public domain or otherwise) can I claim (in a legal sense) to own the copyright on your work (unless I bought it off you) nor can I control its distribution (unless we made a contract to that effect, or it's already a derivative of my work, or...).
They are already trying to ban picture taking by civilians at various locations (what is this fucking North Korea?) and the flyovers will be next:( Once upon a time, it was considered acceptable that some information was unavailable to the public. For instance, the layout of nuclear facilities, the locations and materiel of defensive bases, or the site layouts and security measures of critical but vulnerable civilian infrastructure (dams, nuclear plants, hazardous waste facilities, fuel refineries, chemical plants, etc). It used to be that taking high-resolution pictures of such installations, systematically mapping the civilian and military infrastructure, and giving them out to foreign governments was considered treason. This was true for years in the USA, Canada, and wherever else in addition to "fucking North Korea." It seems reasonable that this should continue to be true.
The general public has basically no need for this sort of information, but a hypothetical attacker does. There may not actually be many terrorists or spies in the US right now, but there's a decent chance that there are some, and in the past they've been very interested in this stuff. Maybe they can get it anyway, but let's make them at least risk exposure to do their reconnaissance, OK?
You can rant all you want about security through obscurity, but the real world isn't a cryptosystem. The attacker has less time to study your nuclear site security offline (at least, as long as photographing it is illegal). Furthermore, Kerckhoff's principle doesn't say that systems shouldn't be obscure, just that their security shouldn't depend on it. Obscurity is still a valid defense in depth.
either something is copyrighted or it isn't. even public domain and BSD licensed stuff is protected - you can't go and claim your the copyright holder to a BSD'd work BSD-licensed work is protected by copyright. However, the only restriction placed on distribution and derivative works is attribution. So abandoning copyright in favor of attribution-right (as mentioned in the article) would be very much like mandatory BSD-style licensing.
Work in the public domain is, by definition, not protected by copyright. You can't claim that you're the copyright holder of a public domain work, at least not in contexts where you're legally obligated to tell the truth, because it isn't true. None of this would change if copyright were abolished.
The point of the article is not that if computers were perfectly secure, we wouldn't need security add-ons. It's true, but it's unlikely to happen in the foreseeable future.
The point is that Windows and other systems should include any necessary security software, and Microsoft (and their contractors) should be responsible for maintaining that software. That way, users and IT departments don't have to be experts in security software to keep their networks secure. It would also hopefully be more efficient, as the security engineers and the original designers could work more closely together. That is, while Windows would be more expensive, you wouldn't have to by antivirus and antispyware tools. It would also be more secure for most people, because the guy configuring the system would know what he's doing.
This change would balance Microsoft's incentives by making them more responsible for the security of their products. It would balance security companies' incentives because they would gain less from having an insecure infrastructure, and (hopefully) gain more from securing that infrastructure.
It's not clear from the article how Microsoft could do this without raising antitrust issues, though.
Haha, thanks. I don't really expect it to have much effect. I have a friend who's a radical libertarian, and it took me a whole summer to convince him that private citizens shouldn't own Stinger missiles, and that deathtraps are the same as murder. I didn't even try on free speech...
So? By blocking the door, I'm not physically interacting with you at all (unless you try to force your way past me, but suppose you don't). How directly do I have to interact with you to give me agency? Am I allowed to hire people to murder you? The line you're trying to draw doesn't make sense: any place you draw it is dogmatically arbitrary.... the bottom line is drawn by the fact that there is no constitutional basis for restricting speech whatsoever, and so any law that does so is, of course, unconstitutional.
This is only true if you think that the Constitution isn't subject to interpretation. But the USA inherited the British common law on slander and libel (though it interprets them less favorably for the plaintiff). So even the Framers didn't intend this section to be taken as literally as you say.
I'll agree that the current government has overstepped its mandate, and I'll oppose to the degree that's practical, but don't tell me that fraud, slander and reckless endangerment should be legal.
This means every part of the government from the Supreme court at the top to the most menial, minor functionary at the bottom. Remember, the people who resisted the king were patriots. Not traitors.
They were traitors as well as patriots. That's sometimes the price you pay. Some of them were also thieves, adulterers, and spies. None of them were gods.
You seem to be very stubbornly clinging to a very strange worldview, so I'll try to be as clear as possible here.
Most humans are not omniscient. They do not have instant access to full information on the entire state of the world. As a result, they often have to trust information from sources other than their senses. Frequently, such sources are other humans. This is true even when life and death hinge on the information being correct. Some people, such as doctors, chemists, engineers, police officers and soldiers, give out such information on a daily basis. For others, it happens less frequently, but it can still happen to anyone ("fire!", for example).
Because they're not omniscient, most people's actions depend on the information they're given, if they have any reason to trust it, or if the risk of disregarding it is great. This is called "rationality." Most humans are approximately rational. This is a fact of life, and not a side effect of oppressive governments.
Humans who know each other almost always have some degree of trust. Humans also trust random strangers who they don't know. For instance, when asking a stranger for directions, one usually assumes that the stranger will give directions to the correct place, rather than a part of town in which one is likely to be shot. Similarly, one trusts waiters at restaurants ("this doesn't contain peanuts"). We also trust machines under the partial control of other humans, from stoplights to elevators to bridges. People who believe that others are likely to deliberately give them lethal misinformation are called "paranoid," and they tend to be put in mental institutions. Paranoia is not rational: the probability that someone is trying to screw you over is, in most circumstances, vanishingly small, and compensating for it is difficult. Naivete isn't rational either, but in most circumstances it is closer to rational than paranoia.
Actions that are intended to cause rational agents grievous harm are usually classified as crimes. This is the case whether the harm is direct (strangling them), semi-direct (sabotaging their car), or indirect (giving out lethal misinformation).
A society in which non-contractually-provided information is disregarded, as you suggest, would be terrible. Imagine that I'm a chemist, and am running a dangerous experiment in my lab. Clearly, this should be legal, or else chemistry wouldn't get done. If I take reasonable precautions to prevent people from wandering into the chem lab and being killed, I should have no liability if they do it anyway. That is, setting up such an experiment should be legal if appropriate information is present. On the other hand, if I put a sign on the door which says "free soft drinks in here!", and someone walks in, then I have set a deathtrap and should be jailed (or should deathtraps be legal?).
On a related note, you seem to be under the impression that only direct responsibility for a crime is possible. If you walk in to a room, and I block the door while my buddy beats you to death, I am certainly culpable for your death even though I never dealt you a blow (my buddy is also culpable, and possibly more so). This is because I intentionally took actions which helped to cause your death. Why is speech any different?
Finally, I still don't understand how failing to intervene when someone is about to accidentally injure himself can be a crime, but giving someone misinformation that causes him to injure himself is not. Maybe I'm just brainwashed.
In the USA, all speech is protected, because (a) the constitution prohibits any restrictions on speech, and (b) the constitution has not been amended to say otherwise.... This is in no way ambiguous or subject to "interpretation." Following the law to the letter is almost always a terrible idea. This is particularly true for the Constitution, which was written over 200 years ago, and more for elegance than for technicality. This is a good thing: for the Constitution to be followed to the letter, it would have to be 1000 times longer, and its complexity would be staggering. It has always been subject to interpretation; for example, fraud, slander and libel have always been illegal in the United States. Interpretation cuts both ways: art, mail and flag-burning are protected as "speech" (provided, of course, that they aren't illegal for other reasons, like arson laws).
"Yelling fire" isn't a good example anyway. You're allowed to "bear arms", but except in extreme circumstances, you aren't allowed to kill or injure people with them. This is constitutional: the laws against murder are independent of whether you did it with a gun. Similarly, you aren't allowed to kill or injure people with words, which is what happens if you yell "fire" in a crowded place.
I haven't seen any demos of it, but my impression was that Van Eck Phreaking has terrible, terrible quality. You'd be much better off pointing a camera at the display, since you don't really have to be covert here.
Also, restricted content probably won't play on standard CRTs; it'll require some kind of HDMI nastiness, that'll mostly (if not exclusively) be implemented on LCDs.
Some students are in school to, y'know, learn stuff. Not to get a fancy piece of paper with the name of their school. For them, the term paper is very important, as it provides a substantial task into which they can focus the knowledge and understanding they accumulated over the semester.
Of course, sometimes term papers are painful even for the best. Sometimes students who care about some of their classes cheat in the others. But I'm sure that at almost every university in the US, most of the students do most of their work most of the time.
For off-the-shelf desktop use, it's hard to beat the Mac Mini. Core duo, notebook hard drive, notebook optical drive, draws like 50 watts at idle. I hear the Acer L320 is going to be similar. No graphics in the Mini, but maybe there will be in the Acer. Good graphics cards are pretty much guaranteed to have high power consumption these days; I'm not sure if you can idle them down.
For light-duty serving, I've been very happy with the latest round of VIA boards (and I've heard the slightly cheaper Jetway variants work just as well). I have an EPIA EN12000EG fanless board running in one of those $30 mini-tower cases from Fry's (or something). The board draws something like 13 watts at idle, and 25 under load. This includes the CPU, RAM and chipset. If you can spin down the hard drives, they'll only be a few watts more, and adding in the PSU inefficiency, it'll be maybe 40 watts AC.
If you just want to serve stuff, you can toss in a 2.5" SATA hard drive (or two, for RAID) and no optical, and fit the whole thing into a case smaller than a Mac Mini, for a lower price than the Mini, with less power consumption than a Mini, even with 2x160GB notebook drives. Or you can put in an optical drive, and it'll be slightly bigger than the Mini.
I've used one of the previous round of these as a desktop machine. Its audio is decent, and as long as you're mostly browsing the CPU is fast enough (compile jobs are slow, but they're much more tolerable with the new C7 proc). The integrated graphics suck, so you won't be gaming on it.
Wow. I always thought that the benefits of those encrypted Seagate drives were marginal, but I'd never have guessed that you could breach them with just a few credit card numbers.
What is worse to you: having all your data stolen/erased once or having all your passwords sniffed, everything you type spied for months and regularly sent to some bad guy and having all your personal data sent and then, at one point, deleted?
I haven't used Windows seriously for a while now, but I'm pretty sure you can keylog people without root. If nothing else, you can replace their Explorer or Firefox with a modified one that keylogs them, but I bet you can do better by loading the right DLLs into it. OK, fine, you might not get the login password, but even if this is different from your other passwords, the attacker still gets everything it protects. And if you bank online, he gets your bank routing number, account number and password. If you shop online, he gets your credit card number. If you file taxes online, he gets your income information, your banking data or credit card, and your SSN.
Furthermore, you can easily zombify a PC without root. You just have to make a daemon that runs as the user on login. Sure, it won't affect other users, but most home machines only have one user account on them. From there you can remote-control the machine, send spam, serve child porn (just not on port 80), proxy attacks against other machines, the works. You don't get to forge IP addresses or sniff packets, but that doesn't matter for most attacks, especially not on home networks.
The level of short-sightedness of your comment is quite sad. Oh, and my data are backup up daily to a server running in a VM and weekly burned on DVD. If deleting your user dir is "digital death" for you, you'd better learn 101 about backups and also, probably, invest in some RAID setup (you do realize that, if a trojan destroying your data would be "digital death" [sic] to you, a nasty hard disk could "digitally kill you" right?)
GP mentioned "apart from backups". But most people don't keep good backups either.
And anyway, on most systems, once you've got a remote non root exploit it is usually easy to combine it with a local root exploit... So it is true that I don't care very much about wether the exploit is root or not: I'd consider a Unix with a seamingly non-root exploit exploited to have been completely rooted and so do I for Windows machine.
Right. So if your local account gets hacked, and you somehow discover this, you still have to R&R because you can't be sure that they didn't get root.
The GP can go buy anything he wants instead of an OLPC, but in the end all he's got is a bland generic x86 PC/laptop. This is the first time I've ever seen any attempt at major innovation in a PC. It's a shame really... if other companies put this much effort into trying something original, the world probably wouldn't still be stuck using a UI from 14 years ago.
14? The original Mac came out in 1984, making mainstream window/mouse/button GUIs 23 this year.
I think a lot of the XO's innovation is about making it educationally and socially useful on a tiny screen for Kru-speaking children who have never even seen a computer before.
Anyway, if you're looking for major innovations, how about the Newton, and the subsequent lines of tablet and/or palmtop PCs? That's just one off the top of my head...
Slashdot Mirror
... but there's a hole in the middle of my cup holder. The ice cream just falls through.
I've posted an open letter to Mark Helprin on my (admittedly crappy) blog. Tomorrow morning when I go into work, I will print it out and mail it to him. In the mean time, is there anything I should add or take away?
Of course, it can be harder to convince a Linux user to download and run a program directly off the web, since distros have package managers. But I've downloaded and compiled several programs in the past year, and I haven't looked through the thousands of lines of source of any of them (a casual look won't do it, you'll need to go over them with a fine-toothed comb and a static analysis tool). Sure... and if it runs with root or root-like privileges, it can do serious damage. Guess which OS lets that happen? For almost any purposes, it doesn't matter if the malware gets root. Consider a Linux desktop: if a malicious program gets access to your account, it can steal your files, keylog you (it can get root that way if you ever su or sudo), or install a modded Firefox or extension which sends your bank account info to the attacker. It can send mail, it can attack other machines, it can listen on the network, it can make itself autolaunch via cron or login scripts.
Sure, it can't affect other users, but on most desktop machines, there's only one user anyway. It can't listen on low ports or sniff or spoof packets. It can't install a rootkit, but it can hide itself from the user it's installed on (it can change environment variables to cause your programs to link with a hacked libc, and it can alias the statically linked ones). These things are a big deal on servers, but on desktops they aren't.
No amount of money can enable a brute force attack here. If the survival of the human race depended on a 128-bit brute force attack, I doubt that we could do it in five years. (Standard calculation: if you could produce 4 billion chips per second, each of which could try 4 billion keys per second, it would take more than a century to go through half of a 128-bit key space.)
And there are certainly algorithms that people want to implement that are patented and written up in white papers. Secure remote passwords come to mind.
Security through obscurity doesn't work in crypto or in meatspace. You didn't read what I wrote, did you? Kerckhoff's principle (the original statement of "security through obscurity is bad") says basically that obscurity shouldn't be the main line of defense. Having it as a defense at all is a trade-off: you expend effort maintaining obscurity, have fewer eyes on the system to find problems, but you may reduce your vulnerability to attackers. It's not security through obscurity, but security assisted by obscurity. It's a defense in depth.
In cryptosystems, because in most cases the system will be available for analysis offline, obscurity buys you very little against a determined attacker. There are a lot of cryptographers that might find problems in your system, and if you want it to be secure against a determined and technically capable attacker, it ought to survive scrutiny from them too. Note that, despite these trade-offs, governments keep their ciphers secret. This secrecy is an entirely reasonable defense in depth if you employ as many cryptographers as those governments do.
Because the physical world is not a cryptosystem, this trade-off is different. An attacker has to be physically present to break through your obscurity, and that exposes him to risk: it makes the defense in depth more valuable. Furthermore, it is not as easy to change security measures on a physical installation. Finally, there are more physical security experts available than cryptographers, so you may be able to get an adequate design without opening it to the public. Therefore, there are more situations where obscurity is appropriate.
Under no circumstances (BSD licensed, public domain or otherwise) can I claim (in a legal sense) to own the copyright on your work (unless I bought it off you) nor can I control its distribution (unless we made a contract to that effect, or it's already a derivative of my work, or
I am not a lawyer, and this is not legal advice.
The general public has basically no need for this sort of information, but a hypothetical attacker does. There may not actually be many terrorists or spies in the US right now, but there's a decent chance that there are some, and in the past they've been very interested in this stuff. Maybe they can get it anyway, but let's make them at least risk exposure to do their reconnaissance, OK?
You can rant all you want about security through obscurity, but the real world isn't a cryptosystem. The attacker has less time to study your nuclear site security offline (at least, as long as photographing it is illegal). Furthermore, Kerckhoff's principle doesn't say that systems shouldn't be obscure, just that their security shouldn't depend on it. Obscurity is still a valid defense in depth.
Work in the public domain is, by definition, not protected by copyright. You can't claim that you're the copyright holder of a public domain work, at least not in contexts where you're legally obligated to tell the truth, because it isn't true. None of this would change if copyright were abolished.
The point of the article is not that if computers were perfectly secure, we wouldn't need security add-ons. It's true, but it's unlikely to happen in the foreseeable future.
The point is that Windows and other systems should include any necessary security software, and Microsoft (and their contractors) should be responsible for maintaining that software. That way, users and IT departments don't have to be experts in security software to keep their networks secure. It would also hopefully be more efficient, as the security engineers and the original designers could work more closely together. That is, while Windows would be more expensive, you wouldn't have to by antivirus and antispyware tools. It would also be more secure for most people, because the guy configuring the system would know what he's doing.
This change would balance Microsoft's incentives by making them more responsible for the security of their products. It would balance security companies' incentives because they would gain less from having an insecure infrastructure, and (hopefully) gain more from securing that infrastructure.
It's not clear from the article how Microsoft could do this without raising antitrust issues, though.
Haha, thanks. I don't really expect it to have much effect. I have a friend who's a radical libertarian, and it took me a whole summer to convince him that private citizens shouldn't own Stinger missiles, and that deathtraps are the same as murder. I didn't even try on free speech...
Because speech can't block a door, obviously.
... the bottom line is drawn by the fact that there is no constitutional basis for restricting speech whatsoever, and so any law that does so is, of course, unconstitutional.
So? By blocking the door, I'm not physically interacting with you at all (unless you try to force your way past me, but suppose you don't). How directly do I have to interact with you to give me agency? Am I allowed to hire people to murder you? The line you're trying to draw doesn't make sense: any place you draw it is dogmatically arbitrary.
This is only true if you think that the Constitution isn't subject to interpretation. But the USA inherited the British common law on slander and libel (though it interprets them less favorably for the plaintiff). So even the Framers didn't intend this section to be taken as literally as you say.
I'll agree that the current government has overstepped its mandate, and I'll oppose to the degree that's practical, but don't tell me that fraud, slander and reckless endangerment should be legal.
This means every part of the government from the Supreme court at the top to the most menial, minor functionary at the bottom. Remember, the people who resisted the king were patriots. Not traitors.
They were traitors as well as patriots. That's sometimes the price you pay. Some of them were also thieves, adulterers, and spies. None of them were gods.
You seem to be very stubbornly clinging to a very strange worldview, so I'll try to be as clear as possible here.
Most humans are not omniscient. They do not have instant access to full information on the entire state of the world. As a result, they often have to trust information from sources other than their senses. Frequently, such sources are other humans. This is true even when life and death hinge on the information being correct. Some people, such as doctors, chemists, engineers, police officers and soldiers, give out such information on a daily basis. For others, it happens less frequently, but it can still happen to anyone ("fire!", for example).
Because they're not omniscient, most people's actions depend on the information they're given, if they have any reason to trust it, or if the risk of disregarding it is great. This is called "rationality." Most humans are approximately rational. This is a fact of life, and not a side effect of oppressive governments.
Humans who know each other almost always have some degree of trust. Humans also trust random strangers who they don't know. For instance, when asking a stranger for directions, one usually assumes that the stranger will give directions to the correct place, rather than a part of town in which one is likely to be shot. Similarly, one trusts waiters at restaurants ("this doesn't contain peanuts"). We also trust machines under the partial control of other humans, from stoplights to elevators to bridges. People who believe that others are likely to deliberately give them lethal misinformation are called "paranoid," and they tend to be put in mental institutions. Paranoia is not rational: the probability that someone is trying to screw you over is, in most circumstances, vanishingly small, and compensating for it is difficult. Naivete isn't rational either, but in most circumstances it is closer to rational than paranoia.
Actions that are intended to cause rational agents grievous harm are usually classified as crimes. This is the case whether the harm is direct (strangling them), semi-direct (sabotaging their car), or indirect (giving out lethal misinformation).
A society in which non-contractually-provided information is disregarded, as you suggest, would be terrible. Imagine that I'm a chemist, and am running a dangerous experiment in my lab. Clearly, this should be legal, or else chemistry wouldn't get done. If I take reasonable precautions to prevent people from wandering into the chem lab and being killed, I should have no liability if they do it anyway. That is, setting up such an experiment should be legal if appropriate information is present. On the other hand, if I put a sign on the door which says "free soft drinks in here!", and someone walks in, then I have set a deathtrap and should be jailed (or should deathtraps be legal?).
On a related note, you seem to be under the impression that only direct responsibility for a crime is possible. If you walk in to a room, and I block the door while my buddy beats you to death, I am certainly culpable for your death even though I never dealt you a blow (my buddy is also culpable, and possibly more so). This is because I intentionally took actions which helped to cause your death. Why is speech any different?
Finally, I still don't understand how failing to intervene when someone is about to accidentally injure himself can be a crime, but giving someone misinformation that causes him to injure himself is not. Maybe I'm just brainwashed.
"Yelling fire" isn't a good example anyway. You're allowed to "bear arms", but except in extreme circumstances, you aren't allowed to kill or injure people with them. This is constitutional: the laws against murder are independent of whether you did it with a gun. Similarly, you aren't allowed to kill or injure people with words, which is what happens if you yell "fire" in a crowded place.
I haven't seen any demos of it, but my impression was that Van Eck Phreaking has terrible, terrible quality. You'd be much better off pointing a camera at the display, since you don't really have to be covert here.
Also, restricted content probably won't play on standard CRTs; it'll require some kind of HDMI nastiness, that'll mostly (if not exclusively) be implemented on LCDs.
Some students are in school to, y'know, learn stuff. Not to get a fancy piece of paper with the name of their school. For them, the term paper is very important, as it provides a substantial task into which they can focus the knowledge and understanding they accumulated over the semester.
Of course, sometimes term papers are painful even for the best. Sometimes students who care about some of their classes cheat in the others. But I'm sure that at almost every university in the US, most of the students do most of their work most of the time.
For off-the-shelf desktop use, it's hard to beat the Mac Mini. Core duo, notebook hard drive, notebook optical drive, draws like 50 watts at idle. I hear the Acer L320 is going to be similar. No graphics in the Mini, but maybe there will be in the Acer. Good graphics cards are pretty much guaranteed to have high power consumption these days; I'm not sure if you can idle them down.
For light-duty serving, I've been very happy with the latest round of VIA boards (and I've heard the slightly cheaper Jetway variants work just as well). I have an EPIA EN12000EG fanless board running in one of those $30 mini-tower cases from Fry's (or something). The board draws something like 13 watts at idle, and 25 under load. This includes the CPU, RAM and chipset. If you can spin down the hard drives, they'll only be a few watts more, and adding in the PSU inefficiency, it'll be maybe 40 watts AC.
If you just want to serve stuff, you can toss in a 2.5" SATA hard drive (or two, for RAID) and no optical, and fit the whole thing into a case smaller than a Mac Mini, for a lower price than the Mini, with less power consumption than a Mini, even with 2x160GB notebook drives. Or you can put in an optical drive, and it'll be slightly bigger than the Mini.
I've used one of the previous round of these as a desktop machine. Its audio is decent, and as long as you're mostly browsing the CPU is fast enough (compile jobs are slow, but they're much more tolerable with the new C7 proc). The integrated graphics suck, so you won't be gaming on it.
Wow. I always thought that the benefits of those encrypted Seagate drives were marginal, but I'd never have guessed that you could breach them with just a few credit card numbers.
There have been two remote exploits in the default configuration of OpenBSD in the last *TEN* years, that should say a lot.
Yeah. It says the default configuration runs OpenSSH and that's it. Oh, and they only count root exploits.
Of course, firewalls should be running a Spartan OS. So OpenBSD is absolutely terrific for the task.
What is worse to you: having all your data stolen/erased once or having all your passwords sniffed, everything you type spied for months and regularly sent to some bad guy and having all your personal data sent and then, at one point, deleted?
I haven't used Windows seriously for a while now, but I'm pretty sure you can keylog people without root. If nothing else, you can replace their Explorer or Firefox with a modified one that keylogs them, but I bet you can do better by loading the right DLLs into it. OK, fine, you might not get the login password, but even if this is different from your other passwords, the attacker still gets everything it protects. And if you bank online, he gets your bank routing number, account number and password. If you shop online, he gets your credit card number. If you file taxes online, he gets your income information, your banking data or credit card, and your SSN.
Furthermore, you can easily zombify a PC without root. You just have to make a daemon that runs as the user on login. Sure, it won't affect other users, but most home machines only have one user account on them. From there you can remote-control the machine, send spam, serve child porn (just not on port 80), proxy attacks against other machines, the works. You don't get to forge IP addresses or sniff packets, but that doesn't matter for most attacks, especially not on home networks.
The level of short-sightedness of your comment is quite sad. Oh, and my data are backup up daily to a server running in a VM and weekly burned on DVD. If deleting your user dir is "digital death" for you, you'd better learn 101 about backups and also, probably, invest in some RAID setup (you do realize that, if a trojan destroying your data would be "digital death" [sic] to you, a nasty hard disk could "digitally kill you" right?)
GP mentioned "apart from backups". But most people don't keep good backups either.
And anyway, on most systems, once you've got a remote non root exploit it is usually easy to combine it with a local root exploit... So it is true that I don't care very much about wether the exploit is root or not: I'd consider a Unix with a seamingly non-root exploit exploited to have been completely rooted and so do I for Windows machine.
Right. So if your local account gets hacked, and you somehow discover this, you still have to R&R because you can't be sure that they didn't get root.
The GP can go buy anything he wants instead of an OLPC, but in the end all he's got is a bland generic x86 PC/laptop. This is the first time I've ever seen any attempt at major innovation in a PC.
It's a shame really... if other companies put this much effort into trying something original, the world probably wouldn't still be stuck using a UI from 14 years ago.
14? The original Mac came out in 1984, making mainstream window/mouse/button GUIs 23 this year.
I think a lot of the XO's innovation is about making it educationally and socially useful on a tiny screen for Kru-speaking children who have never even seen a computer before.
Anyway, if you're looking for major innovations, how about the Newton, and the subsequent lines of tablet and/or palmtop PCs? That's just one off the top of my head...
I think the problem is that it's hard to use without looking at the screen.