I realize you're picking linguistic nits here, but there is actually a serious answer to your question, and it's been known for a long time. If you want some sort of assurance that an email really comes from who it purports to come from, the email infrastructure as commonly deployed won't give you that. However, there are technologies that will.
PGP is one of them. With PGP, you can sign your message with public key cryptography. If you sign with your private key and upload your public key to a keyserver, the receiver can verify that the private key corresponding to that public key was used to sign the message. In other words, only a person who knows the private key could have signed the message.
By itself, this isn't enough to verify the sender's identity. I could create a key pair and use it with the name "Bill Gates", even though I am not, in fact, Bill Gates. To solve this, PGP has introduced the web of trust (S/MIME, which is similar, uses a trust hierarchy instead, like SSL). Roughly speaking, the web of trust allows you to say "I trust this person so much I'll also trust any keys he trusts". And then, if that person says a key belongs to Bill Gates, you'll believe it does.
The end result is that, if you get a message signed by a key you trust to belong to Bill Gates, then you can trust that the message was signed by Bill Gates. Anything else means it could as well be an impostor. And since the vast majority of email doesn't use PGP or any other mechanism to verify senders, the vast majority of email could as well be from impostors. In fact, I would go as far as to say this really is the case: the bulk of email is SPAM, and SPAM is usually not from the sender it claims to be from.
``Though, if anyone could tell me why my power went out at exactly midnight on that night, I'd love to know.''
Same here. Why would the system supplying the power be dependent on the time? For navigation systems, I can sort of see a case... not that it would be a good idea, but I can imagine how it could work (that is, fail). But this?
``But most worrying of all, it points out that the safety analyses so far have all been done by CERN itself.''
If we say it's dangerous, we don't get funding. We lose.
If we say it's safe and we're right, we get funding. We win.
If we say it's safe and we're wrong, we'll all be dead and it won't matter.
Therefore, we're gonna say it's safe.
Not saying that there is any risk that LHC will destroy Earth, nor that I believe CERN's analysis went that way, nor even that I believe that CERN really was the only party doing the safety analysis. But having one party assess the safety of its own planned activities, without any independent verification, is a bad idea.
You are ignoring the emotional factor. The reason the terrorists attack planes is for the emotional reaction. Yes, there are other attacks and targets that are likely to yield more casualties, but the number of casualties isn't what matters. What matters is the fear it inspires. (Although what that is ultimately meant to achieve, I don't know.)
``Not only that, but I heard a radio phone in show today where a TSA spokesman was asked why we never hear reports of successes. The response was that the TSA had been successful thousands of times in preventing people from traveling.''
This is a common theme with many government initiatives. When asked for evaluation, the response will be something along the lines of "the new powers have been applied X times". I have never understood why people even think this is a good metric. I don't want to know how much work you did (and, consequently, how much money you've spent and how much inconvenience you have caused), I want to know how you have made my life better.
If you want to report something that you have done "X times", report how many times you have prevented an attack/robbery/$bad_thing. By that metric, it seems that vigilance and plain old police work such as we had before 2001 are the most successful.
``A physical book has a sort of built-in DRM! If you give it away, you can't read it anymore. It can't easily be copied (it requires a lot of scanning and printing to do that). Isn't that kind of thing also part of the intention of DRM?''
There is a very important difference, though. DRM doesn't actually make it harder to copy the bits. It makes it harder to use them legitimately. If DRM applied to books, it would be easy to copy them, but you would only be able to read them using special glasses, and only be allowed to read it using approved glasses. It would be illegal to manufacture, use, or distribute alternative glasses that would enable you to read the book.
DRM is advertised as a means to prevent copying, but what it really prevents is normal usage. Illegal copying can continue as usual, but legitimate customers are hosed.
I've often wondered if it is possible to involve the community in hosting websites like Wikileaks and Wikipedia. A large part of the cost these organizations have is the hardware and bandwidth required to serve the content. However, this content is mostly static. It seems to me it ought to be easy to set up an extensive mirroring system for such content. It also seems to me that it ought to be able to set up a system where people can contribute a bit of disk space and other computer resources and form part of a sort of distributed hosting system. I think Freenet does something like this, and even optimizes things by moving frequently requested content closer to where it is being requested.
Can we set up such a system for the worldwide web? Is there any existing software package that makes this possible? Can we write one? Or can we perhaps modify open source web browsers so that distributed hosting can really work?
I think I speak for many others when I say that I have plenty of disk space, bandwidth, and CPU cycles available, but my capacity to support worthy causes financially is rather limited. So if I could contribute my computer resources, I think I could help out a lot more then I can by making donations. So if we have the technology to make that possible, let's start using it! And if we don't have the technology, let's build it!
I don't think Cygwin is "meant to be an interactive method of accessing a Windows machine by Unix commands" so much as it is a Unix/POSIX/GNU compatibility layer for Windows, similar to how WINE is a Windows compatibility layer for *nix. Both of them allow you, to a limited extent, to run software written for the other set of APIs.
Re:makes windows marginally bearable
on
Cygwin 1.7 Released
·
· Score: 2, Insightful
I just can't see any reason myself or an average Windows user would need a UNIX command line on their Windows computer. In fact, I think the whole point of Windows is to get away from the command line.
I don't see it that way. I don't see a point in getting away from the command line. Some things are most easily or quickly done or explained with the command line, just as other things are most easily or quickly done or explained using windows, icons, menus and a pointer. It's good to have good support for both in your system.
The way I see it, the point of Windows, from a customer's perspective, is to run Windows applications. That is the one thing Windows does better than any other operating system out there.
Just so you know, I use MaraDNS and I am very happy that you wrote it. As far as I am concerned, you have achieved my dream of writing some software that is really appreciated by those who use it. And since you have released it under an open-source license, this means you are one of the heroes of open-source. Congratulations, and thanks!
J2ME, Android, or some native API. Phone hardware has certainly gotten faster, but that's no reason to go bogging it down by requiring everything works through HTTP and web browsers. Seriously, what is that? We could have applications that flew on smartphones, if only vendors wouldn't force them to go through layers of nonsense.
``I don't think I believe this. A large organization, rolling out (say) 1000-10,000 "desktops" would seem to have strong motivation to minimize the cost of each desktop. If they can get a thin client for anywhere close to the actual value of hardware - say $150 - instead of the boutique TCs currently on the market for $300-$400, they could save upwards of $1M. That's not chump change.Even going to diskless thick clients ought to save $50 * 1000 = one employee salary. Plus centralized administration.''
The thing is, you have to calculate what they would save per seat. With the discounts a large organization can get, that probably isn't a whole lot. Say it's $100. So that's $100 saved for the one employee that is going to be working with it. The total cost of that employee can easily be 40 times that in a month. So if the investment in the PC or thin client is written off in 2 years, that $100 difference is about 0.1% of the cost of your employee. I call that chump change.
I don't think that argument holds water. After all, the parts that go in thin clients are the same parts that go in PCs, so that can't be the difference. Then there are some custom things, such as the case, but if you consider the countless PC cases, motherboards, etc. etc. already out there, I think that, even though total volume for PCs may be higher than total volume for thin clients, the volume for a given combination of parts that make up a PC isn't necessarily higher than the volume for a given combination of parts that make up a thin client. I think thin clients cost more simply because their target market will bear higher costs (if you are a large company or government agency, spending a hundred dollars more or less on your thin clients isn't such a big deal).
I think the explanation may be market segmentation. Thin clients are aimed at large organizations, where a few hundred dollars for a machine is chump change. They will happily buy greatly overpriced thin clients, because even the cost of an overpriced thin client on a desk is still dwarfed by the cost of the employee at the desk.
For home users, the picture is different, because they tend to see the computer in isolation. But the vast majority of home users wouldn't want to buy a thin client at any price, because they wouldn't know what to do with it.
If you want a cheap thin client, I would recommend to either buy one second hand (you can get them for under 100 dollars), or to just get whatever box you can and pretend it's a thin client.
I think that maintainability of code is helped most by writing the code in a way that closely follows the high-level model of the program. Neither C# nor Java are very good for that, because both require you to add a lot of boilerplate code and neither offers elegant metaprogramming. In other words, understanding the code is going to be hard because of the sheer amount of noise in it.
Sure, offering more powerful constructs such as macros would offer more ways to make the program a horrible mess, and some of the extra annotations that are in Java and C# code actually give some clue as to what is happening, so the knife cuts both ways. But I think bad programmers are going to write bad code in any language simply because they don't have the right mindset, whereas good programmers are going to write better code in a language that doesn't restrict them as much as C# and Java do.
``Java, I'd say has lost the war, even if there are a few more battles to be fought and C++ seems to be hanging on in there. However, I think I see a glimmer of hope (for the not-more-blinking-MS-stuff view) in scripting languages. MS hasn't targeted that yet, IronPython is still a 'toy' to MS. Maybe soon it'll start to battle cross-platform scripting languages too.''
Actually, I have a slightly different perception. The.NET ecosystem has done right what the Java one has done wrong, and incoporated the wealth of work already out there. One of the things I most resent the Java culture for is its focus on one language to the exclusion of all others, and the enormous amount of effort that has gone into reimplementing functionality that already existed outside the Java universe for the Java platform.
By contrast,.NET has, from the beginning, embraced existing programming language work and theory, existing functionality, and multiple languages. The result is that when the Java culture was still trying to shoehorn people into the Java language, have people cast their objects to and from the Object class, and duplicate functionality from outside the Java universe,.NET offered interoperability between a growing number of programming languages, a proper higher order type system, and interfacing with existing software.
Sure, the Java community has scrambled to catch up, and there are now generics and multiple programming languages plus the benefit of a decent open-source implementation for multiple platforms, but I don't think this would have happened if it wasn't for the threat and inspiration of.NET. We could have had all this years ago.
``These days it's hard to imagine creating a programming language that wouldn't adopt a VM of some kind.''
Hmm. Plenty of people I know are doing just that. But what I don't understand is why you would want to use a VM, particularly a VM that is hardly like the real machines we have at all. Because what you end up doing in that case is basically compile the abstractions of your programming language down to a different set of abstractions, and then you have to do basically the same trick again to get your code to run. Including, for various bytecodes, actually reverse-engineering the original abstractions from the bytecode to get to the most efficient native code.
Why not just leave the original abstractions in place and distribute the code as source code (possibly macro-expanded, optimized, FASL-encoded, etc.)?
Obviously Chase meant the top "non-embarassing to a big company" charities. Can you imagine if Chase had to donate $1M to the Marijuana Policy Project? I'm sure the board freaked out at the thought of "chase" and "MJ" being in the same sentence and said, "do whatever is necessary to make sure we don't get that association."
And yet here we are having a whole discussion about exactly that. And I'm sure/. isn't the only place on the Net where this is happening.
While on the topic, I have a question. Is releasing the source code to whatever copyleft software you are using actually enough for compliance? For example, suppose I made a device and used a modified Linux kernel, some kind of build from unmodified Busybox sources and some proprietary software, would offering a download of the modified Linux source code and a download of the Busybox source code exactly as the Busybox project supplies it be enough?
Note that while such releases would presumably allow one to build ones own kernel and Busybox based on the same sources being used in the product, there would be no scripts or instructions for re-creating the same kernel and Busybox binaries used in the product, let alone instructions for creating a complete, usable firmware image for the product.
There are plenty of nonfree alternatives. For example, VxWorks, QNX and Windows CE. And some companies actually use those in situations where other companies would use Linux + Busybox.
However, even nonfree software licenses are often violated. Too many people assume that once you have your copy, you can do whatever you want with it.
Slashdot Mirror
I realize you're picking linguistic nits here, but there is actually a serious answer to your question, and it's been known for a long time. If you want some sort of assurance that an email really comes from who it purports to come from, the email infrastructure as commonly deployed won't give you that. However, there are technologies that will.
PGP is one of them. With PGP, you can sign your message with public key cryptography. If you sign with your private key and upload your public key to a keyserver, the receiver can verify that the private key corresponding to that public key was used to sign the message. In other words, only a person who knows the private key could have signed the message.
By itself, this isn't enough to verify the sender's identity. I could create a key pair and use it with the name "Bill Gates", even though I am not, in fact, Bill Gates. To solve this, PGP has introduced the web of trust (S/MIME, which is similar, uses a trust hierarchy instead, like SSL). Roughly speaking, the web of trust allows you to say "I trust this person so much I'll also trust any keys he trusts". And then, if that person says a key belongs to Bill Gates, you'll believe it does.
The end result is that, if you get a message signed by a key you trust to belong to Bill Gates, then you can trust that the message was signed by Bill Gates. Anything else means it could as well be an impostor. And since the vast majority of email doesn't use PGP or any other mechanism to verify senders, the vast majority of email could as well be from impostors. In fact, I would go as far as to say this really is the case: the bulk of email is SPAM, and SPAM is usually not from the sender it claims to be from.
``Though, if anyone could tell me why my power went out at exactly midnight on that night, I'd love to know.''
Same here. Why would the system supplying the power be dependent on the time? For navigation systems, I can sort of see a case ... not that it would be a good idea, but I can imagine how it could work (that is, fail). But this?
``Out of the 8 items planted in the travellers' luggage only 7 were found successfully.''
I think that's a pretty good score, actually.
On the other hand, I think planting explosives in the luggage of unsuspecting, unconsenting travelers is inexcusable.
``But most worrying of all, it points out that the safety analyses so far have all been done by CERN itself.''
If we say it's dangerous, we don't get funding. We lose.
If we say it's safe and we're right, we get funding. We win.
If we say it's safe and we're wrong, we'll all be dead and it won't matter.
Therefore, we're gonna say it's safe.
Not saying that there is any risk that LHC will destroy Earth, nor that I believe CERN's analysis went that way, nor even that I believe that CERN really was the only party doing the safety analysis. But having one party assess the safety of its own planned activities, without any independent verification, is a bad idea.
``"Fixing security issues isn't always the right answer." Haven't I heard this before... from Microsoft?''
Yes. And the world is still turning, and Microsoft is still strong.
You are ignoring the emotional factor. The reason the terrorists attack planes is for the emotional reaction. Yes, there are other attacks and targets that are likely to yield more casualties, but the number of casualties isn't what matters. What matters is the fear it inspires. (Although what that is ultimately meant to achieve, I don't know.)
``Not only that, but I heard a radio phone in show today where a TSA spokesman was asked why we never hear reports of successes. The response was that the TSA had been successful thousands of times in preventing people from traveling.''
This is a common theme with many government initiatives. When asked for evaluation, the response will be something along the lines of "the new powers have been applied X times". I have never understood why people even think this is a good metric. I don't want to know how much work you did (and, consequently, how much money you've spent and how much inconvenience you have caused), I want to know how you have made my life better.
If you want to report something that you have done "X times", report how many times you have prevented an attack/robbery/$bad_thing. By that metric, it seems that vigilance and plain old police work such as we had before 2001 are the most successful.
That is, on GNU systems. Not all Unix systems support %s, and it isn't in the standard, either.
``A physical book has a sort of built-in DRM! If you give it away, you can't read it anymore. It can't easily be copied (it requires a lot of scanning and printing to do that). Isn't that kind of thing also part of the intention of DRM?''
There is a very important difference, though. DRM doesn't actually make it harder to copy the bits. It makes it harder to use them legitimately. If DRM applied to books, it would be easy to copy them, but you would only be able to read them using special glasses, and only be allowed to read it using approved glasses. It would be illegal to manufacture, use, or distribute alternative glasses that would enable you to read the book.
DRM is advertised as a means to prevent copying, but what it really prevents is normal usage. Illegal copying can continue as usual, but legitimate customers are hosed.
I've often wondered if it is possible to involve the community in hosting websites like Wikileaks and Wikipedia. A large part of the cost these organizations have is the hardware and bandwidth required to serve the content. However, this content is mostly static. It seems to me it ought to be easy to set up an extensive mirroring system for such content. It also seems to me that it ought to be able to set up a system where people can contribute a bit of disk space and other computer resources and form part of a sort of distributed hosting system. I think Freenet does something like this, and even optimizes things by moving frequently requested content closer to where it is being requested.
Can we set up such a system for the worldwide web? Is there any existing software package that makes this possible? Can we write one? Or can we perhaps modify open source web browsers so that distributed hosting can really work?
I think I speak for many others when I say that I have plenty of disk space, bandwidth, and CPU cycles available, but my capacity to support worthy causes financially is rather limited. So if I could contribute my computer resources, I think I could help out a lot more then I can by making donations. So if we have the technology to make that possible, let's start using it! And if we don't have the technology, let's build it!
I don't think Cygwin is "meant to be an interactive method of accessing a Windows machine by Unix commands" so much as it is a Unix/POSIX/GNU compatibility layer for Windows, similar to how WINE is a Windows compatibility layer for *nix. Both of them allow you, to a limited extent, to run software written for the other set of APIs.
I just can't see any reason myself or an average Windows user would need a UNIX command line on their Windows computer. In fact, I think the whole point of Windows is to get away from the command line.
I don't see it that way. I don't see a point in getting away from the command line. Some things are most easily or quickly done or explained with the command line, just as other things are most easily or quickly done or explained using windows, icons, menus and a pointer. It's good to have good support for both in your system.
The way I see it, the point of Windows, from a customer's perspective, is to run Windows applications. That is the one thing Windows does better than any other operating system out there.
``Wow... phrased like that, getting a girlfriend is like a side quest in the RPG of your life.''
It seems to me that this is not very far from the truth, actually.
Just so you know, I use MaraDNS and I am very happy that you wrote it. As far as I am concerned, you have achieved my dream of writing some software that is really appreciated by those who use it. And since you have released it under an open-source license, this means you are one of the heroes of open-source. Congratulations, and thanks!
J2ME, Android, or some native API. Phone hardware has certainly gotten faster, but that's no reason to go bogging it down by requiring everything works through HTTP and web browsers. Seriously, what is that? We could have applications that flew on smartphones, if only vendors wouldn't force them to go through layers of nonsense.
``I don't think I believe this. A large organization, rolling out (say) 1000-10,000 "desktops" would seem to have strong motivation to minimize the cost of each desktop. If they can get a thin client for anywhere close to the actual value of hardware - say $150 - instead of the boutique TCs currently on the market for $300-$400, they could save upwards of $1M. That's not chump change.Even going to diskless thick clients ought to save $50 * 1000 = one employee salary. Plus centralized administration.''
The thing is, you have to calculate what they would save per seat. With the discounts a large organization can get, that probably isn't a whole lot. Say it's $100. So that's $100 saved for the one employee that is going to be working with it. The total cost of that employee can easily be 40 times that in a month. So if the investment in the PC or thin client is written off in 2 years, that $100 difference is about 0.1% of the cost of your employee. I call that chump change.
I don't think that argument holds water. After all, the parts that go in thin clients are the same parts that go in PCs, so that can't be the difference. Then there are some custom things, such as the case, but if you consider the countless PC cases, motherboards, etc. etc. already out there, I think that, even though total volume for PCs may be higher than total volume for thin clients, the volume for a given combination of parts that make up a PC isn't necessarily higher than the volume for a given combination of parts that make up a thin client. I think thin clients cost more simply because their target market will bear higher costs (if you are a large company or government agency, spending a hundred dollars more or less on your thin clients isn't such a big deal).
I think the explanation may be market segmentation. Thin clients are aimed at large organizations, where a few hundred dollars for a machine is chump change. They will happily buy greatly overpriced thin clients, because even the cost of an overpriced thin client on a desk is still dwarfed by the cost of the employee at the desk.
For home users, the picture is different, because they tend to see the computer in isolation. But the vast majority of home users wouldn't want to buy a thin client at any price, because they wouldn't know what to do with it.
If you want a cheap thin client, I would recommend to either buy one second hand (you can get them for under 100 dollars), or to just get whatever box you can and pretend it's a thin client.
I think that maintainability of code is helped most by writing the code in a way that closely follows the high-level model of the program. Neither C# nor Java are very good for that, because both require you to add a lot of boilerplate code and neither offers elegant metaprogramming. In other words, understanding the code is going to be hard because of the sheer amount of noise in it.
Sure, offering more powerful constructs such as macros would offer more ways to make the program a horrible mess, and some of the extra annotations that are in Java and C# code actually give some clue as to what is happening, so the knife cuts both ways. But I think bad programmers are going to write bad code in any language simply because they don't have the right mindset, whereas good programmers are going to write better code in a language that doesn't restrict them as much as C# and Java do.
``Java, I'd say has lost the war, even if there are a few more battles to be fought and C++ seems to be hanging on in there. However, I think I see a glimmer of hope (for the not-more-blinking-MS-stuff view) in scripting languages. MS hasn't targeted that yet, IronPython is still a 'toy' to MS. Maybe soon it'll start to battle cross-platform scripting languages too.''
Actually, I have a slightly different perception. The .NET ecosystem has done right what the Java one has done wrong, and incoporated the wealth of work already out there. One of the things I most resent the Java culture for is its focus on one language to the exclusion of all others, and the enormous amount of effort that has gone into reimplementing functionality that already existed outside the Java universe for the Java platform.
By contrast, .NET has, from the beginning, embraced existing programming language work and theory, existing functionality, and multiple languages. The result is that when the Java culture was still trying to shoehorn people into the Java language, have people cast their objects to and from the Object class, and duplicate functionality from outside the Java universe, .NET offered interoperability between a growing number of programming languages, a proper higher order type system, and interfacing with existing software.
Sure, the Java community has scrambled to catch up, and there are now generics and multiple programming languages plus the benefit of a decent open-source implementation for multiple platforms, but I don't think this would have happened if it wasn't for the threat and inspiration of .NET. We could have had all this years ago.
``These days it's hard to imagine creating a programming language that wouldn't adopt a VM of some kind.''
Hmm. Plenty of people I know are doing just that. But what I don't understand is why you would want to use a VM, particularly a VM that is hardly like the real machines we have at all. Because what you end up doing in that case is basically compile the abstractions of your programming language down to a different set of abstractions, and then you have to do basically the same trick again to get your code to run. Including, for various bytecodes, actually reverse-engineering the original abstractions from the bytecode to get to the most efficient native code.
Why not just leave the original abstractions in place and distribute the code as source code (possibly macro-expanded, optimized, FASL-encoded, etc.)?
On the contrary. This way, you can give publicity to various causes that people care about, while still, eventually, being Politically Correct.
Obviously Chase meant the top "non-embarassing to a big company" charities. Can you imagine if Chase had to donate $1M to the Marijuana Policy Project? I'm sure the board freaked out at the thought of "chase" and "MJ" being in the same sentence and said, "do whatever is necessary to make sure we don't get that association."
And yet here we are having a whole discussion about exactly that. And I'm sure /. isn't the only place on the Net where this is happening.
While on the topic, I have a question. Is releasing the source code to whatever copyleft software you are using actually enough for compliance? For example, suppose I made a device and used a modified Linux kernel, some kind of build from unmodified Busybox sources and some proprietary software, would offering a download of the modified Linux source code and a download of the Busybox source code exactly as the Busybox project supplies it be enough?
Note that while such releases would presumably allow one to build ones own kernel and Busybox based on the same sources being used in the product, there would be no scripts or instructions for re-creating the same kernel and Busybox binaries used in the product, let alone instructions for creating a complete, usable firmware image for the product.
There are plenty of nonfree alternatives. For example, VxWorks, QNX and Windows CE. And some companies actually use those in situations where other companies would use Linux + Busybox.
However, even nonfree software licenses are often violated. Too many people assume that once you have your copy, you can do whatever you want with it.