Slashdot Mirror


User: slavemowgli

slavemowgli's activity in the archive.

Stories: 0
Comments: 1,788

Comments · 1,788

  1. Re:Honesty and Dress Sense: Inversely proportional on IT Workers Worst Dressed Employees · · Score: 1

    Very true, but there's more to it: the same thing also holds when you're a manager trying to assess those who work for you. Granted, the fact that someone dresses more sloppily than others doesn't automatically make them better at their job, of course, but my own experience seems to support the hypothesis that there is still some truth to it.

    Those who are exceptionally good at their job can afford to dress more sloppily - their bosses will be willing to overlook these things, considering the quality of their work. When someone dresses extremely neatly, on the other hand, it might be that he doesn't have any other redeeming qualities really.

    Of course, this only goes for people who're not dealing with customers etc.

  2. Re:type manager ? WTF ? on 'Type Manager' The File Manager of Tomorrow? · · Score: 1

    Actually, the quote that's being referred to's from Skinner, not Chalmers.

  3. Re:fp on Slashback: IP Protection, ReligiousDocument, LiPS Savings · · Score: 0, Offtopic

    You must be so proud.

  4. Re:I see no problem. on AIM Bots: Useful or Spam? · · Score: 1

    1) You can delete them, yes, but when you sign on the next time, they're back. Just happened to me.
    2) What's your point?
    3) That's absolute bullshit. Of *course* I have a right to complain - the idea that I don't (or, for that matter, that anyone doesn't) is so idiotic that I won't even reply to the rest of your post.

  5. Regarding security through obscurity on MD5 Collision Source Code Released · · Score: 1

    Actually...

    Regarding security through obscurity, I think your comment shows a rather common misconception, namely that every kind of obscurity that might be construed as improving security (rightfully or not) is automatically bad, and (as a corollary) that security through obscurity is automatically bad.

    I don't think that's true, though. Security through obscurity is not real security, and you should never rely on it - never alone, of course, and also not in conjunction with other security mechanisms -, but that doesn't mean it can't be useful.

    It's doubtful that it would be in the case you mention, of course - obscurity, for hash functions, cryptographic algorithms etc., usually just means that they aren't well-studied (at least not as much as others) and might have weaknesses nobody has found yet, but in *general*, obscurity can provide an additional deterrent against attacks that can be useful, especially in real-world applications where not everything is black and white.

    Here's an example: a few years ago, I was running the SSH server on one of my computers on a non-standard port. From a theoretical point of view, that doesn't change anything: somebody doing a port scan would still find it easily, so if a weakness were found in SSH (the protocol) or OpenSSH (the implementation), my server would've been just as vulnerable as any other server out there. But still, if a script kid had decided to take a tool that scans for vulnerable SSH servers and roots them, mine probably would've escaped; and the constant password brute-forcing attempts from Asian IPs stopped as well. So while using a non-standard port was utilising obscurity, it did make me more secure, in real-life terms (even though the same wasn't true in terms of theoretical security).

    How does this apply here? Not at all, really, as I said above - you're better off using a well-tested hash function like SHA-512 (why restrict yourself to SHA-256? The extra bits will keep you safe for a little longer when SHA-256 is broken - and it *will* be broken, eventually) than an obscure hash function that no one ever heard about.

    But the automatic reaction that IT professionals seem to have that obscurity is *always* bad is rubbish. As long as you don't rely on it (that is, as long as your system would still be secure even if the obscurity were gone), it's not only not bad, but in fact can be a valuable tool.

    Just food for thought.

  6. Re:Dyed Toothpaste on Best of What's New 2005 · · Score: 1

    On a not entirely unrelated side note... is it just me, or is 30 seconds not really a long time when it comes to brushing your teeth? I got taught to brush mine for five minutes after each meal when I was a kid.

  7. Re:Gigantic wang. on King Kong Lived? · · Score: 1

    I think that's unlikely. Modern-day gorillas actually have very small penises (about 1 to 2 inches when erect); other apes (like chimpanzees) have bigger ones, but they're still not as big as human penises, especially not relative to the animals' body size.

    Of course, there's no data for this particular species, but I don't see an a priori reason why they should be different from pretty much all the primates we know in this regard.

  8. Re:Impossible! on King Kong Lived? · · Score: 1

    That's why whales don't exist, either, right?

  9. Re:One Supercomputer? on Linux Claims 4 of the Top 5 Supercomputer Spots · · Score: 1

    Oh, that definitely. But it'll still be a network of individual machines, not one supercomputer.

  10. Re:One Supercomputer? on Linux Claims 4 of the Top 5 Supercomputer Spots · · Score: 1

    Actually, I think there is a difference that goes beyond the fact that nobody ever ran an MPI benchmark on seti@home. It's hard to pinpoint exactly, but suffice to say that I think it's the same reason why the Internet is not a LAN, if you catch my drift.

  11. Re:Obligatory... on Man Cures Himself of HIV? · · Score: 4, Funny

    European or African duck?

  12. Re:Throughout history... on Stiffer Penalties for Copyright Violations · · Score: 1

    I've got to second that as well. I browsed mp3.com quite a bit in its old days, and there is one band now which I'm really hooked on who first published some mp3s on there before their first album came out. Nowadays, I own all of their CDs, have attended all the concerts I could, and also bought a couple of other paraphernalia, such as posters, t-shirts, and so on.

    So I can definitely say from first-hand experience that the internet *is* beneficial for bands as well. What's more, it shows that a band actually cares about its music and its fans, first and foremost; I'm certainly much more willing to spend money on a CD when I know that the artist is actually creating music out of a passion, rather than just because they want to get rich cheap.

    Still, it's easy to see why the big media companies like Sony etc. are concerned - they can make more money if everyone's just buying a few overhyped, overpriced CDs instead of listening to a wide variety of stuff. Bitchney Spears exists for a reason - if a company can sell the same amount of CDs when it offers 20 CDs by 5 "artists" as it would if it offered 10000 CDs by 1000 *real* artists, then they're gonna go for the former choice, as that will mean there's less costs involved and their own winnings will be bigger.

    And while there's nothing wrong with trying to make money in principle, it *is* wrong to burn artistic integrity on the altar of capitalism.

    The real problem, though, is that it's not clear what individual music lovers can do to remedy all this. Sure, you can say "I'm not gonna buy CDs from the major labels anymore, at least not if it's Bitchney Spears or Jennifer Lopez or similar crap", but that's just giving them ammunition against P2P and other distribution methods used by independent artists - which is what they really care about. I don't think the major labels actually mind you trading Bitchney Spears mp3s *that* much (most people who really actually like that kind of crap will still buy the CDs); what they fear is the proliferation of a means of distribution that would threaten their monopoly. It's just like with Microsoft - M$ has actually profited from copyright infringement quite a bit in the past, and owes much of its current monopoly to the rampant copying of DOS and Windows, and I think it is not their biggest concern these days, either. If they had to choose between a world where copyright infringement happens but where they have a monopoly and a world where there'd be no copyright infringement but no monopoly for them, either, they would choose the former, and the record labels are similar: P2P isn't a threat because it can be used to commit copyright infringement, but because it could completely overthrow the traditional distribution channels - which they control with an iron grip.

    If you've ever wondered why the *AA has gone after Napster and Kazaa and Grokster, but not after the more "traditional" methods of copyright infringement - or, for that matter, after the people who sell bootleg copies on the streets -, that's why.

    The only real answer to all this is that we need to stand up against the FUD - we need to speak out and make it known that we're not buying Bitchney Spears CDs because we've already got them as mp3s, but because we're seriously not interested in them; and we need to speak out for P2P and make sure the politicians understand that it's not only not a copyright infringement tool, but rather an important part of what our digital future will look like.

    Gun makers aren't sued when people are shot, and crowbar manufacturers aren't sued when houses are broken into. Why should P2P software makers be sued when their software is used for illegal purposes?

    Of course, considering that the whole ideal of democracy is just a farce in this country today, where it's not the voters' will that counts but rather the money that politicians are bribed with in the name of free speech (how can campaign donations be free speech, anyway? they're not even *speech* of *any* kind, for goodness' sake!), we may not be 100% successful. But I think we can make sure that distribution channels for independent artists will remain somewhat open, at least, and that's better than nothing.

  13. Re:Mediocre Hacker? on Research Group Pushes to Ban Skype · · Score: 1

    Skype has had three published vulnerabilities this year; two very recent ones that are marked as such in the changelog, and one in March or so that was labelled as a "bugfix". Nothing ground-shattering, but there have been some, yes.

  14. Re:WHO SUCK WANG?! Thats HER FUCKING NAME?! on Korean Lab Worker Forced to Donate Her Own Eggs · · Score: 2, Funny

    Actually, that was (is) *his* name, not hers.

  15. Re:The singularity on Software Predicts Music Success · · Score: 1

    Ray Kurzweil is overrated. Talking about "technological change so rapid and profound it represents a rupture in the fabric of human history" is melodramatic, but little else, and giving it a cute name like "singularity" just underlines that he's not really talking (or trying to talk) to a technical audience but rather to a wider group of people who'll be more inclined to get lulled in by big words without thinking about what he says actually means.

    And in any case, whatever you make of what he said, we're definitely not at a point yet where technological change would have *any* profound effects on us whatsoever.

  16. Re:The next step on Software Predicts Music Success · · Score: 1

    Kill art? I doubt it - if Bitchney Spears hasn't managed to kill it yet, then an automated tool to create a "perfect hit" won't do so, either.

    In fact, I'd go so far as to say that Bitchney Spears is actually indistinguishable from such a tool... isomorphic, if you will.

  17. Re:Already done on Google Searches Used in Murder Trial? · · Score: 1

    Actually, even using things like this as "addition evidence" is problematic, IMO. If you have enough evidence to convict someone, go ahead and do it - but you won't need their browser/search history. And if you don't have enough evidence to convict someone... well, then the fact that they did search for a specific term cannot (or at least should not) be grounds for a conviction.

    As you point out, many people search for strange terms out of curiosity, just to see what comes up, and that is enough to ensure that you cannot extract any evidence with regard to any crime whatsoever from the fact that someone searched for a certain string (unless of course the act of searching for a certain string itself would be a crime).

    And it's not just "I'm gonna search for something strange out of curiosity" searches, either. In fact, I think it's important to distinguish between syntax and semantics in general; even if you know that someone searched for information on a certain topic, that does not mean you know why they did. Someone googling for a term like "child rape" might be anything - a child abuser, possibly, yes, but it could also be a law student, a crime fiction writer, a relative of an abused person (or, for that matter, an actual abused person), someone curious, or just about anyone.

    Convicting someone because of a certain search history would be like convicting them because they said "we need a new government". Sure, they *might* have intentions to blow up the current one, but if you don't have any other evidence supporting that, then you have to assume that they're just someone expressing their political opinion.

    I think that's something important to keep in mind when doing jury duty, too.

  18. Re:Ugly Theme on Dapper Drake Hits Ubuntu Servers · · Score: 0, Troll

    That's not a theme, that's Gnome...

  19. Re:US Government dependence of foreign corporation on Feds Enter Blackberry Fray · · Score: 1

    What's your point, Mr. Xenophobe?

  20. Oh my... on Watching All Six Star Wars Movies Simultaneously · · Score: 0, Offtopic

    Slow news day, is it? Honestly, this is one of the most ridiculous (i.e., uninteresting, uninspired, un-newsworthy) stories I've seen on Slashdot in quite a while.

  21. Re:At what point? on Amazon Gets Patent on Consumer Reviews · · Score: 1

    What do you mean, "will [...] become"? It already is.

  22. Re:'Cause Prohibition *Always* Works so Well! on Quantum Computing Regulation Already? · · Score: 1

    How about this (primality-testing in O(1) - on a quantum computer, at least)?

    use Quantum::Superpositions;
    chomp($n = <>);
    # all() builds a conjunctive superposition: $n is prime only if no candidate divisor divides it
    print "prime!" if($n % all(2 .. sqrt($n) + 1) != 0);

    I didn't test it, but it's pretty much just ripped from the Quantum::Superpositions docs, so I suppose it should work, modulo any bugs I might have introduced.

  23. Re:Good on Torvalds Gets Tough on Kernel Contributors · · Score: 3, Interesting

    It sure makes you wonder what the two-week window is actually good for, though. I mean... the whole thing was done in order to make sure that there'd be a time for submitting new stuff, and a time for shaking out bugs, and so that people would be able to tell the two apart.

    So, why the fuss about last-minute merges now? If they're still in the two-week window, they should be fine; if they're not, well, then they're too late and won't get merged, but that was already clear anyway. And stuff that's not up to par quality-wise yet will (should) not be merged at all, anyway - it's not as if the code quality requirements were lowered for the two-week merge window.

    What Linus seems to be doing is to effectively reduce the two-week window to a "something-less-than-two-weeks" window where no one knows exactly how much the difference is, but it does not get rid of the underlying problem: there still is a deadline, and people will still submit lots of stuff just before the deadline's there. It doesn't matter whether it's two weeks or 13 days or whatever.

    The whole *point* of the "merge for two weeks, then stop merging and focus on bug fixes" was to be able to live with this, so to speak. If you can't fight them, make them join you; if you can't prevent people from submitting stuff in the last minute, make sure that there's enough time *after* the last minute so that last-minute merges won't hurt you. If Linus finds it necessary to crack down on last-minute merges now - which, as I said above, is not really possible in practice (the only way to do it would be to not merge anything at all anymore, but that's obviously not a practical solution) - because there are too many, that just shows that patch pressure is too high already; further increasing it won't help. Rather, you have to look at *why* patch pressure is so high, and do something about that. For example, why not extend the two-week window to three or four weeks? It might mean that new kernel versions appear less often, but in these days of git and distributed development where tree changes are so easy to push/pull and where every distributor uses their own, heavily-patched version of the kernel, anyway, why does it matter so much? Linus has always taken a stance that quality is more important than meeting arbitrary deadlines, I think.

    Or maybe I'm misunderstanding what he actually wanted to say - I did RTFA, but zdnet is not exactly what I'd call a high-quality source for kernel development news. Caveat lector...

  24. Re:The answer... on Spyware Maker Sues Detection Firm · · Score: 5, Insightful

    You moderators might think that's Funny, but it's actually a very interesting point. If I can, basically, say "you're not allowed to come anywhere near my software" in the EULA as a spyware maker, why can't I say the same thing as an anti-spyware maker?

    What's nice about this is that it works out no matter whether such a clause would be accepted: if it is accepted, then the spyware maker would have violated the anti-spyware product's EULA by looking at how it classifies the spyware. If it's not accepted, on the other hand, then the corresponding clause in the spyware's EULA would also not be accepted.

    Myself, I think that such clauses aren't valid, but I also think that even if a court thinks they are, it'd be pretty impossible to actually get a case, as they could trivially be circumvented. For example, if I visit a friend and use their computer to do something in Photoshop, am I then bound by Photoshop's EULA? Of course not; I didn't buy the program, I didn't install it, I didn't agree to anything. My friend might be (or not), but I certainly am not. A spyware maker could do the same thing: just don't install the spyware yourself, but rather classify it after it infected someone else's computer. (On a side note, I doubt that most spyware actually presents a EULA to the user where he can clearly see what is going to happen, where he's given the opportunity to say "no, thanks" and where, if he does, the spyware will not be installed, anyway).

  25. Re:No more AES on How Long to Crack an 'Encrypted' HD? · · Score: 1

    Just wait until they legalise torture again in the UK as well.

    "Oh, but can't you see, Smarty2120? You're just making our job more difficult for us when you refuse to hand out the passphrases to your keys, and then we might get angry... and you don't want that Smarty, do you?"