Slashdot Mirror


User: splorf

splorf's activity in the archive.

Stories
0
Comments
74

Comments · 74

  1. Why are only two companies licensed to make it? on Get Ready For The Simputer · · Score: 2
    If they want to make something really ubiquitous, they should publish all of the specs and let them be made by anyone who wants to.

    I also agree that a PDA that costs a year's salary is the last thing a third world person needs. If they want to make a cheap linux box for that market, it should be a small laptop with a keyboard, that runs on D cells (WAY cheaper per unit of energy than AA cells). That's far more useful for important applications like email, and should be cheaper to make because not as much custom hardware is needed.

  2. No, you want an embedded module on Do You Have The Time? · · Score: 2
    Most GPS instruments (i.e. handheld gizmos with displays) have NMEA output, which gives the time and position through a serial port in ascii. This is very easy to interface to a computer (just plug it in and write some trivial decoding software) but woefully inaccurate (up to a substantial fraction of a second). That's partly because the serial port in a GPS is considered part of the user interface, which runs as a low priority task.

    For accurate time you want a 1 PPS output. GPS chipsets and embedded modules (like that $24.95 thing that appears to be sold out) usually have that. The higher quality modules' 1 PPS output is good to within a few microseconds, but the cheaper ones can be off by 25-50 microseconds.

    Here is the famous W3IWI Totally Accurate Clock available in kit form from TAPR for the princely sum of $139.00 for non-TAPR-members. That's a pretty good deal--that $24.95 module was a stupendous deal and had to be some kind of surplus closeout.

  3. Re:Dumb, DUMB idea on Hacktivismo to Release Steganography Tool · · Score: 3, Insightful
    "Even if the government could detect that images or audio files were being used as a covert channel, they would be unable to break the underlying encryption. It would be vastly easier for them to just imprison and torture people into revealing their activities than to assume a technological attack."
    That's the point. In order to imprison and torture people you have to know who to imprison and torture (unless you do it to everyone). You torture people if they do things that attract your suspicion. So the idea of steganography is to avoid attracting suspicion. If the opponent figures out you're using it, you are toast.

    Cryptography is broken if the attacker can read a message, but steganography is broken if the attacker can detect the message. The consequences of either type of break are just as bad. So using detectable steganography is as bad as using weak cryptography.

    There are lots of strong cryptography programs like PGP out there, and well-informed users also know that there's a lot of cryptographic snake oil and understand what snake oil is. But many of the same people think they can blatantly mess around with GIF color tables (etc.) and not get noticed. They are wrong and they are asking for trouble. I haven't seen a steganography program yet whose use in messages isn't pretty easy to detect if you know how the program works. Steganography programs are almost all snake oil. I'd want to see very convincing evidence that the Hacktivismo program isn't snake oil before letting anyone trust their life to it.

  4. Dumb, DUMB idea on Hacktivismo to Release Steganography Tool · · Score: 5, Insightful
    Steganography is a lot harder than it sounds. It's easy to hide a message in an image file and have the image still look normal on the screen to a casual observer. It's a hell of a lot harder to keep an opponent from detecting the message by analyzing the file knowing how your program works.

    I am afraid unless Hacktivismo is really careful and knows what they're doing, their program may get some human rights workers tortured and killed. By careful, I mean don't even mess with embedding messages in jpg images. It might be reasonably safe to embed them in audio or video streams at very low bit rates, like one bit per several seconds of 44 kHz 16 bit PCM audio or mini-DV video. And even that would take sophisticated encoding to keep detection difficult.

    Reference: Security Engineering by Ross Anderson, reviewed on Slashdot a few months ago.

  5. 2.1 * 48 megawatts = a drop in the bucket on Power Plants On Rails for California · · Score: 2

    It's only about 100 MW total. A fullblown power station produces at least 10 times that much. The capacity could help in some emergencies but mainly it's an uneconomical way of making electricity turned suddenly profitable by Enron-spawned manipulated price increases.

  6. Another John Gilmore quote on Coursey on Palladium · · Score: 5, Interesting
    Be very glad that your PC is insecure--it means that after you buy it, you can break into it and install whatever software you want. What YOU want, not what Sony or Warner or AOL wants.
    --John Gilmore (quoted in Ross Anderson, Security Engineering p. 413)
    Looks like Microsoft wants to fix that and make sure you can't control your own computer. That which is not forbidden will be compulsory.

  7. GNU/Linux needs signed downloads on BitchX 1.0c19 IRC Client Backdoored · · Score: 5, Insightful
    I'm sorry but this is one thing Microsoft and/or Netscape did right. The practice of including detached PGP signatures on download sites is useless--they have to be manually verified, and hardly anyone bothers.

    GNU/Linux downloads should be in signed archives like Netscape JAR files. JAR files are basically ZIP archives with a signature file stored inside the .zip in a standard place. When you unpack the archive, the unpacker checks the signature the same way a browser checks an SSL web site.

    JAR files use a certificate chain ending in a certificate authority (usually a commercial one) but maybe the signed-download scheme could be signed against a certificate on the official developer's website. Of course that wouldn't be unspoofable, but it would be as secure as the current scheme of having a PGP public key on the developer website and signing against that. The main benefit is the checking would happen automatically, so it would be much harder to put crap into downloads. If someone makes a modified version, they would have to sign it themselves (with a signature pointing back to their own website) or else the unpacker would print a message saying the code was unsigned and the user should check it carefully before using it.

  8. Open source software can't meet this standard... on U.S. Government Certified Wireless Security Products? · · Score: 5, Informative
    and neither can closed-source software. Why?

    Because FIPS 140-1 and 140-2 are standards for hardware cryptography. They are in fact pretty simple and a device with a small embedded processor running open source software can fulfill its requirements easily, by making the device meet certain criteria about tamper resistance and so forth. However, it's the whole device that gets certified, not simply the software inside it.

    Note that certification costs quite a lot, like $50K or so. And of course you can't let users tamper with the firmware (i.e. by changing it) and have the device stay certified. It might be ok for the user to take the device apart and change the firmware resulting in an uncertified device, but if certification wasn't needed the user wouldn't have needed to buy the device to begin with.

  9. I don't think so on 2600 Magazine Defeats Ford · · Score: 2

    I'd have to experiment to be sure, but I think the referer would be the page that linked to fuckgm.com, not fuckgm.com itself. That is, the referring page would be the one that was actually in the viewer's browser when the viewer clicked fuckgm.com. It wouldn't get changed by a simple redirect.

  10. Correction about .CX fees on Tiny ccTLDs - Who Should You Register With? · · Score: 2

    .CX registration costs $38 US for the first year, but after that it's $38 US per two-year registration, or about $19/year. This is a much better deal than many other ccTLDs that offer domains to the public.

  11. HTML::Mason on Content Management Software - Build or Buy? · · Score: 2

    You said you have perl programmers so you might want to look at Mason. I don't know if it does what you need but I haven't seen anyone mention it yet, so check it out.

  12. meganetnews.com ridiculous anti-bot policy on Commercial NNTP Gateway Recommendations? · · Score: 2
    Meganetnews's prices are attractive but their AUP is emphatic that you can't use any kind of automated news client--they don't want you sucking or archiving newsgroups and they repeat this several times. I personally don't see how anyone can use 5000MB per day without an automatic client so I don't know who they're kidding, but they seem to state that provision seriously. I think it's crazy--if you pay for the bandwidth you should be able to use it any way you want. Specifically I want to make automated personal archives of some low to medium volume newsgroups, maybe 5 MB/day total, and it's not allowed even if I'm willing to pay for 100 times that much traffic.

    On the other hand, their privacy policy is just about the best I've ever seen. My guess is they'd never notice my 5 MB/day archiving script. And if their only recourse is to shut off my account if they do notice it, I might just take a chance with it. They'd certainly make more money from me than they make from someone really downloading 100 MB/day manually.

  13. Misses the point of a badge printer on ID Card Printing Under Linux? · · Score: 2

    The trouble with laminating an inkjet print is that anyone can do it. The idea of a badge printer is that it's a specialized piece of equipment that prints directly on plastic. It makes the badges harder to forge. Sure, the classic rich and determined attacker probably can get a badge printer, but the average dipwad won't bother. It's like the anti-counterfeiting gizmos in currency that stop you from making convincing $100 bills in an ordinary xerox machine. It's not foolproof, but it raises the bar of entry and shuts out a lot of riff-raff.

  14. encrypted SMS on Creative Applications for SMS? · · Score: 2

    The thing about drug dealers is unfortunate. It should be easy to program a "convergence" phone (Danger Labs, Handspring Treo, etc.) to send and receive encrypted SMS messages. Yes there is obvious abuse potential. However, it's probably easier to nail an SMS user (who after all is personally carrying a phone even if it's prepaid and not registered to him) than an IM or email user (internet cafes) or a one-way pager user (unlike a cell phone which talks to a network, there's no way to locate a receive-only pager).

  15. Microwave exposure? on Mobile Phone in Your Teeth! · · Score: 5, Funny

    I thought holding the antenna too close to your head with a normal cell phone increased your exposure. Having the phone in your tooth sounds like really asking for it. Maybe the tooth phone could do double duty though. If your food has gotten cold, the phone microwaves could re-heat it while you're chewing.

  16. Genetically modified seeds? on New Technique Makes Most Gene Patents Irrelevant · · Score: 5, Interesting
    What about the Canadian case where farmer Percy Schmeiser was convicted of patent infringement because genetically modified canola seeds had blown onto his fields and grown there?

    It's under appeal, but doesn't look good. The GM Canola apparently spreads like a weed and is growing everywhere. And once it hits your property, Monsanto claims the right to rip up your crop if you don't pay them for a patent license. The best general overview I've seen is the 169k pdf file linked from here.

    If the Scientific American article is correct, it looks like US patent law is (for once) less screwed up than at least part of the rest of the world's.

  17. Re:I love it--successor to TRS-80 model 100 on AlphaSmart Shows Palm-Based Laptop · · Score: 1

    Psion has never made a machine with a full sized keyboard AFAIK. They've just made machines with keyboards that are very good by PDA standards. I want something that I can type on all day long.

  18. That's because no one has MADE a TRS-100 successor on AlphaSmart Shows Palm-Based Laptop · · Score: 2, Interesting
    The closest thing to it was the HP Omnibook 300 with the 10 MB flash card option, and that cost something like $2000, so of course it didn't sell.

    To be a worthy successor, a "smart keyboard" should

    • Cost under $500, so the Omnibook 300 is out.
    • Have a full sized keyboard--Poqet, WinCE pocket PC's etc. are out.
    • Turn on instantly (no boot delay) and not make noise (i.e. no hard disk). Subnotebooks are out.
    • Run for 10+ hours on a battery charge. Subnotebooks are out again. Preferably it should run on standard AA cells and not depend on a charger; this Dana thing fails on that count, but it's not fatal.
    • Weigh under 2 pounds--the TRS 100 could get away with 4 pounds because there were no alternatives til the 3-pound TRS 102--but these days subnotes are too heavy.
    • Run a reasonably standard OS with free development tools--PalmOS is sort of ok, WinCE loses. Linux would be better but you can't have everything.

    I don't think anything has been made since the TRS 102 days (well maybe the Sinclair Z88) which meets all these criteria, even though it could have been done easily.

    I don't understand the allure of the Palm Pilot. I've never seen a pen-based PDA remotely as useable as the HP 100lx, which is still my favorite.

  19. I love it--successor to TRS-80 model 100 on AlphaSmart Shows Palm-Based Laptop · · Score: 3, Interesting

    Something like this has been needed for over a decade. A diskless mini-laptop with a useable keyboard and very long battery life, good for basic text typing and email checking, without battery-hungry color displays or Quake 3-capable processors. My only obvious complaint is it would be good if it had a little more screen resolution, to hold a 25x80 telnet/ssh window. But I already want one. Wow!

  20. Re:Code is free speech on Software Product Liability? · · Score: 2, Insightful
    The NY DMCA ruling will hopefully be overturned. Anyway, source=speech isn't so bad. Publish source so the world can see your bugs and make its own evaluation, and you're protected. Keep the source secret (like Microsoft) so people have to rely on your representations, and you're responsible for whatever happens.

    That's consistent with the book situation--you're free to publish that quack investment book because anyone who reads it can decide for themselves whether it's crap.

    I should have mentioned this in the earlier post but wasn't thinking about binary-only programs. A binary is more like a pill, where you can't tell what's inside--you can only swallow it and see what happens. With source code, where you tell the reader what you know, and short of actual malice (similar to libel etc.) you should be protected.

  21. Code is free speech on Software Product Liability? · · Score: 2, Insightful
    And requiring programmers to be licensed is no more legitimate than requiring journalists to be licensed.

    There can certainly be some kind of liability for bad code that you deliver to clients under a contractual relationship, just like there can be malpractice if your doctor gives you bad advice.

    But liability for a program that you've published on the net or sold retail? That's as bad as liability for publishing a book advising people to plan their finances by astrology or go on some quack diet to prevent cancer. Those books are published all the time and it's (rightfully) up to the buyer to take the advice or not take it.

    Most buyers simply know better than to believe such stuff. And sooner or later they will hopefully know better than to run Windows. It's just a matter of the field getting more mature.

  22. bandwidth doesn't help with that on Cray SX-6 Installed in Alaska · · Score: 1
    That's a matter of latency, not bandwidth.

    Mainframes often have several hundred MB (or maybe several GB by now) of SRAM (20 ns latency or so) along with many GB of DRAM. If this 64 GB on the Cray is SRAM that's more impressive. But even SRAM (20 ns is 40 cycles access time) is orders of magnitude slower than on-chip cache memory (1-2 cycles). So the Cray has the same locality issues as a PC.

  23. Unimpressive performance on Cray SX-6 Installed in Alaska · · Score: 1

    They say 8 CPUs, 64 GB RAM, 1 TB disk, 64 GFlops peak performance. That hardly sounds like a supercomputer by today's standards. A single processor AMD Athlon is capable of (I think) around 8 peak gigaflops (2 GHz * 4 SIMD operations using SSE instructions). Similarly the 8 GB of RAM and 125 GB of disk per CPU is in midrange workstation territory. While there's probably a much higher bandwidth memory system than you could get out of an 8-16 node Athlon cluster, it's not clear what problems this Cray unit will really be used for that couldn't as easily be done with a rack full of PCs or workstations.

  24. What about video tape? on France to Impose $1/Gigabyte Hard-Drive Tax · · Score: 1

    Remember Digital-8 cameras record 11 GB of digitized audio/video data on an ordinary 2-hour 8mm video tape that costs about $2. And yes, you can put your mp3's there, by encoding their bits as video frames and sending them to the camera through your computer's firewire port. There are a few programs on sourceforge that use those cameras for ordinary file backup. At $500 for the camera and lower $/GB media cost than even CD-R, it's not a bad deal.

  25. Source code? on A Web Browser in Your BIOS? · · Score: 0, Troll
    If this bios is "based on linux", does that mean free source code is available as per the GPL?

    If not, what is being done about it?