Just pick a few of the folks sharing gigabytes of stuff [...] and "make examples" out of them. Then everyone else will delete^H^H^H^H^Hencrypt their files with a quickness!
Reminds me of the late '60s / early '70s, when "the computing center" was a centralized empire at each university where everybody (except the administration) did their computing, and a 50 MB hard disk looked like a washing machine (and disk farms actually WERE sometimes referred to as "laundromats").
The big U where I was an inmate had a policy against "frivolous use of the computer" (which had been paid for by research grants on the condition that nobody got a cheaper rate on processor seconds, kilobyte months, or what-have-you than the grant that bought the box). So games were verbotten. Also: Obscenity was frowned upon (due in part to an unfortunate incident with typewriter pictures on a line printer just as the sponsors' tour party went by it).
Well, the typewriter-interface Star Trek game hit the timesharing machine - and quickly became a major consumer of CPU time. The center's personnel deleted a publicly-known copy. And another. And several more. And it turned into an arms race.
Encrypted copies all over the disk farm. HUNDREDS of 'em. Software to search the disks for more. People doing things like inserting the comment "Kirk Spock Klingon phaser Enterprise NCC-1801" in otherwise-unused lines of configuration files (for the joy of watching the use counts go up as the tools kept finding it and the staff kept looking at it only to discover that it was not part of a game). Conservative guesstimates were that AT LEAST one whole washingmachine's worth of storage was given over to encrpyted copies of the game.
And things started going wrong.
The last straw was twofold - two big mistakes within about a week of each other:
A student named "James Kirk" found his thesis work (in a file of the same name) deleted, with no backup. Oops.
And the medical school was just finishing a several-year, multi-million dollar project on the critical path to approval for a new drug. The drug was related to the endocrine system, so one of the tests was to dose rats with it when they were in the womb or young, then measure their penises to see if their size at maturity was affected. The project accumulated the data, as it was collected, in a file on the heavily-backed-up Computing Center disk farm. The file was named "Rat Penis Data".
One day the grad student went to enter the latest set of measurements - and found the file had been replaced with a self-righteous flame about misuse of the computer.
Of course the center staff hadn't done a backup of the "obscene" file just before the replacement. So even if the file were restored, the data since the last backup was lost, and atempting to re-enter it from paper records risked missing or double entries, even if all the paper could be sorted out. Project's results are now invalidated. Med school lost megabux. Drug company's product was set back by years.
Needless to say there was quite a bit of interdepartmental pressure to take the culprits out behind the woodshed for a sound thrashing. And rabid enforcement of such policies got a major setback.
But it was also the beginning of the end for the Center as an all-controlling computer empire.
Up to that point it, like such centers at most universities and corporations, had been in a position to veto other departments' computer purchases. The Regents (or the administration acting as their agents) would take such requests to the Comp Center for evaluation - and the evaluation would always be "they should use the timesharing system at the Center". And the other departments wouldn't push (or would sneak a PDP-n in as automation in some test instrument). Now the integrity of their data was at issue, and the Center had proven itself incompetent on this issue. So first the Medical Center and then other departments pushed for, and won, their own machines.
And the Center went on to salvage its position by specializing in networking. B-)
So, don't use OTPs in situations where the plaintext is likely to be known by an attacker and not the recipient. Situations like that are pretty rare.
Actually, they're quite common in situations where messages must be encrypted for security.
(By the way, the stipulation "where the plaintext is likely to be [not known] to the reciever" is redundant. The information theory definition of communication is surprising the receiver with message content he DIDN'T know in advance. If he already knew it you didn't communicate.)
OTPs make great authentication systems for insecure channels such as telnet.
Not really.
First: If he can figure out, say, the first command you're likely to run after logging in, he can substitute just that with something that will give him access or do what he wanted done. Game over.
Second: If you're just using it for authentication - like by signing a message digest of a known algorithm - he can substitute a message AND substitute a corrected digest. For some digests (like CRC and checksum) he can do this even if the whole message is OTP encrypted and he only knew the part he changed and the location and type of the digest.
The attack I'm talking about involves the man-in-the-middle KNOWING what "the number you were thinking of" AND intercepting your transmission AND substituting a forged transmission of his own. The first part - knowing "the number you were thinking of" - means he needs to get that by some OTHER route than your intercepted message.
I have your transmission. To construct the forgery I'll also need the number you're thinking of.
I suppose I COULD send Guido to beat it out of you. B-)
But that seems a bit extreme just to prove a point in a slashdot thread that is already off the front page.
I think we [should ask] "why isn't there an affordable public database of this material". Not just a server crammed with decisions, but also an affordable method of searching it.
I'd settle for the "server crammed with decisions", which IMHO the government should provide.
(After all, the government claims we're supposed to know and obey these laws - or at least won't accept ignorance as an excuse for breaking them. Yet it neither makes them available nor teaches them in the public schools. Make up your MINDS, guys!)
Once we have that server, indexing and annotating it can be a distributed project, or set of them, suitable for volunteers, law departments of universities, charatable trusts, and competing political and/or religious factions with axes to grind and points of view to purvey. (Or for other for-pay indexing startups.)
And if the government wants to buy the existing doc-to-data work of Lexus/Nexus, Westlaw, or what-have-you rather than do it over themselves, that's fine, too. For starters it would give them additional return on their investment to make up for what they might lose from the competition. And that would help short out claims of government intervention in private enterprise. They'd be left, in the new competitive marketplace, with their own indexing and annotation service (along with its years of experience, well-known brand name, and customer base familiar with the tools) and with their data-conversion investment paid off at a profit.
Only if it's NOT one-time-pad, but a pseudo-random generator cypher. Real one-time-pads are generated by a TRULY RANDOM process - such as well-shaken dice, shot noise in a diode, or nuclear decay. (Or they are generated by a not-quite-random process, like typists instructed to "hit random keys" or your keyed pseudo-random generator, and they are no longer theoretically unbreakable.)
Crack this...you can only make one guess...I'm thinking of a number between 0 and 255. I've just encrypted it with a pad. The encryption result is 6. Guess my number.
My point:
Tell me the number you were thinking of. I'll XOR it with 6 and get the chunk of your pad you were using. Then I'll XOR 23 with your pad chunk and use the result to convince your buddy that the number you were thinking of was actually 23.
THAT's the man-in-the-middle attack: Turning "attack at dawn" into "surrender at 5AM" by intercepting a known message and changing it to something else. One-time-pad (alone) is completely vulnerable to a man-in-the-middle who knows the plaintext.
Look, the idea behind a one-time-pad is that the attacker doesn't know the pad. Therefore, knowing what segment of the pad is being used does you no good.
Right.
And you can't "solve for the pad" because there are as many bits of entropy in the pad as there are bits of information in the message.
Wrong.
Encryption by one time pad is:
encrypted:= clear EXOR pad_segment
and decryption is:
clear:= encrypted EXOR pad_segment
The situation is:
- The bad guy already knows clear.
- The bad guy is a "man in the middle" - he can intercept encrypted, play with it, and substitute another of his own.
Then he sends encrypted_substitute in place of encrypted. This IS the man-in-the-middle attack as applied to one-time-pad.
Short of stealing the pad (which should have been thoroughly destroyed after use), there's no way of breaking an OTP scheme.
Right - there's no way of BREAKING one-time-pad. But a man-in-the-middle who knows the plaintext message (or part of it) by some other method automatically knows the part of the pad that encrypted that part of the message. So he can substitute anything he wants for any part he knows. (Knowing the message without knowing the pad is common - because the pad will be kept under tight security or intrusion-detection, while the information to be communicated arrives from outside.)
The GLOPS cycpher encryption is:
for (i:= 0 through blocks - 1) {
encrypted[i]:= (clear[i] GMULT pad_segments[i*2]) GADD pad_segments[i*2 + 1]; }
and decryption is:
for (i:= 0 through blocks - 1) {
clear[i]:= (encrypted[i] GSUB pad_segments[i*2 + 1]) GMULT GINVERSE(pad_segments[i*2]); }
(Note that pad_segments[] has been pre-filtered such that even entries are non-zero.)
Now the bad guy is stuck. Since he knows nothing about pad_segment except that the even entries are non-zero, he has just under TWICE as much entropy as information. Knowing the plaintext removes just over HALF the entropy, and he STILL has almost as much entropy as the message.
For a field of, say 256 members (i.e. encryption by bytes) he's left with 255 posibile pairs for (pad_segment[i*2], pad_segment[1*2 + 1]). That extra bit of knowlege (that pad_segment[i*2] is non-zero) corresponds EXACTLY to the knowlege that if he leaves the block alone he doesn't change the message - something he knew anyhow, given that he already knew the messge was encrypted in blocks.
Think of it as using ONE one-time pad to hide the message, and ANOTHER one-time pad to hide the first one from men-in-the-middle. B-)
Unlike message digests (which could be trivially reconstructed if you know the whole message) and signed message digests (which rely on signing such an easily-reconstructed digest with an encryption that is HARD but not THEORETICALLY IMPOSSIBLE to fake), the second part of GLOPS is, like one-time-pad, also theoretically unbreakable.
But there's nothing to prevent you from including a digest in the message before you apply GLOPS. B-)
Or just apply GLOPS to the message digest, for messages you only need to authenticate to your intended receiver. Then if you have a man-in-the-middle who broke your digest algorithm AND signature he STILL is stuck: He has to chose a substitute message that will hash to the same value (which will look suspicious) or substitute a random value for the digest (which is VERY unlikely to be correct).
A deficiency of one-time-pad is a man-in-the-middle with plaintext known. Given the known plaintext he can solve for the key and then use it to substitute an identical-length message of his own choosing.
This is a non-trivial problem, as the start of a message may be known to an attacker, in both manual systems (where messages often start out with stock stuff) and automated ones (where the start may be automated protocol headers or well-known payload starts, which is all he really wants to spoof). Further, the entire content may have been discovered by other means - means which still didn't give him the encryption key.
Substituting only the start can still spoof both manual and automated systems. With a manual system you can substitute a short, urgent message ("They're coming over the hill at us from the east armed with...") for the long-winded header. The tail disolves into noise, but that could be expected from a code-clerk (or machine) under attack, which might make a synchronization error in the key. For automated systems you can still spoof the checksum at the end even if you can't spoof the tail of the message. Tweak the protocol and you might, say, slip some malware's infection header into a known buffer-overflow bug behind a firewall.
A solution to that was proposed back in the '70s by (ahem) me: Use Gallois fields, TWICE as much one-time pad as message, and encrypt in small blocks by multiplying by the first block of key and adding the second. (You also discard any block of key that would result in a multiply-by-zero in the first step.)
For any product of N primes there is at least one gallois field, and two is prime, so there is at least one gallois field of 2^n members for any n, i.e. you can encrypt blocks of n bits for any value of n greater than 1. (For n=1 this degenerates to ordinary one-time pad, as the first block of key is always 1.)
Suppose you encrypt in 8-bit blocks. (What a coincidence!) Even if the man-in-the-middle knows the message, for each byte he can either leave it alone or make a random choice among the other possible bytes. He's reduced to a malicious noise-generator. (He can pick the worst spot(s) to inject noise, but that's the limit.)
I called this the "GLOPS" cycpher, by analogy with GLOPS codes (a term-of-art for codes composed of arbitrary pairings of typically 5-letter groups with messages). With a GLOPS code knowing "GLOPS" means "attack at dawn" doesn't tell you whether "GLOPT" means "attack at dusk", "send a gross of toilet paper", or anything else. Similarly, with a GLOPS cypher, knowing 0x33 means "A" in this position doesn't tell you anything about 0x34 (except that it isn't "A" - unlike a GLOPS code where GLOPT might ALSO mean "attack at dawn".)
Obviously, the above argument [GPL si, copyrighted music no] is absurd, but points out that Slashdot has a double standard.
No it does not.
Because Slashdot does not have any standards. It has a broad population of individual posters, who have their individual standards.
Some of them disagree with some aspect of how copyrights are used in the music industry, and some of them support the way copyright is used by the GPL. These are not necessarily the same people.
Now if you want to argue that those PARTICULAR SLASHDOT POSTERS who disagree with the music industry's use of copyright but agree with the GPL's use have a double standard, you might have a point worth discussing.
But to claim that SLASHDOT has a double standard is to propagate the same lie the media does when it says that an American family has 3.2 children of which 2.1 are illegitamate.
During the discovery phase of the trial, the defendent would have to produce the complete source code and build instructions for their product.
They might not have to. At the very least, the defendant could probably delay execution by arguing over whether they really had to produce their entire source code (on the basis of trade secret).
Secrecy isn't a defense to that requirement. The judge can just keep it under seal and only give it to the hired third-party expert, withholding it from the plantifs and from the public-domain trial documents.
why do people waste part of their eight hour day? Because they don't need eight hours every day to do their jobs. Maybe they need twelve one day and four the next.
Some jobs are EXPLICITLY patchy, too. For instance: Plant maintainence. If the maintainence crew isn't spending half it's time playing Eucre, you don't have enough maintainence men for when things break down.
This leads to pathologies, when management tries some organizational tweak that doesn't take this into account. For instance:
There was a steel mill whose bean-counters decreed that every interval on an employee's timecard had to show the project number on which the employee was working (so they could charge each customer the right amount, see?) Sounds reasonable, eh?
But what about the guys that build and fix up the plant equipment? Well, they made up "project numbers" for each piece of equipment, so they could allocate a cost for its use based on how much labor was spent setting it up and maintaining it. Still sounds reasonable, eh?
But where do the maintainence men bill their Eucre time, as they wait for something to break down and result in a fire-department style scramble? Oops!
Well, they had recently fixed this conveyor. So they happened to know its account number. So they used that account number for their downtime.
And everything worked fine for a few months. Until a bean-counter was looking over the records and discovered that this conveyor seemed to need a LOT of repair.
It's just impossible to focus on work for 8 hours straight, especially one that requires a lot of concentration, like programming. I've found that when I'm coding a difficult problem, I have to step away from the computer for a while and just sit and think about it.
And back in the days of time-and-motion studies (like the '50s and even before) it was discovered that this applies to ALL office jobs. Executive decision making, typing, filing, adding figures, you name it. If the employee takes several short breaks across the day (like 15 minutes every couple hours, if I recall correctly) the productivity during the rest of the time goes up, and the error rate goes down, to more than compensate - much more. Same applies to people on productions lines, too. (Only there a mistake may mean a man down with an injury rather than just a little rework to do.)
So the "coffee break" was invented. (Turns out a little caffeine increases the effect, too.)
And breakrooms were added to every office suite.
(Similarly, the 40-hour week is a 40-hour week at least partly because productivity drops drastically after 8 hours per day on a 5-day work week.)
Of course many hi-tek managers were promoted from the ranks (or self-promoted by entrepreneurial activity), with only a few hours of management training (if that). So they didn't get an education that included these facts.
Also, the Japanese have always used "comic books" for serious (sometimes mundane) stuff.
In US (and here in UK) comics are regarded as "kids Stuff" irrespective of their content
Nail on the head.
But a graphic novel bears the same relation to a written novel as a stage play to storytelling around the campfire, or as TV to radio. There's no reason it has to be children's entertainment.
And in fact it isn't just for kids - and hasn't been even since its inception. There's lots of find material out there, with a broad subject matter. I won't even begin to try to list it.
And even the "kid stuff" can be very deep. For instance: Barks' Donald Duck / Duckville / Uncle Scrooge / Gladstone Gander / Gyro Gearloose stories are a textbook education on economics (especially capitalism and why/how it works), including its relation to morality, social well-being, crime, cults, decision-making, etc. (I knew one entrepreneur who was quite a fan of it - having gotten much of his early education in economics from it - who called himself a "Barksist". B-) )
I think the problem in the US is that the general public's exposure to comics has been childrens' superhero-fantasy adventure material. So it is viewed as kid stuff and/or lowbrow - a view the media industry encourages, to prevent the loss of eyeball time.
But with the lowering of the standards of television and theater entertainment over the last few years, and the Manga phenomenon coming in from Japan, perhaps there's an opportunity to break that mental barrier on the general public's part. (There's LOTS of graphic material that's higher-brow and more thought-provoking than anything on the tube these days. B-) )
Meanwhile, if you have a friend who may be susceptable to some eye-opening (especially if he's an academic literature type), get him a copy of Scott McCloud's _Understanding Comics_, which is a very readable textbook on the structure, conventions, and operation of comics as a separate literature form.
Well... american comics have had soft pr0n for decades, buxom babes/buff dudes, all in skit-tight uniforms.
US comics have a non-trivial amount of pornographic titles, too. Some of it is high-quality storytelling, as well (i.e. Foglio's XXXenophile).
Perhaps this doesn't get much exposure because, in the US, comics are still (mistakenly) thought of as strictly pre- and early-adolescent entertainment. Thus material with adult content can get a comic store slammed as a corruptor of youth. So stores keep the seamy stuff in a back corner. Thus it gets little exposure, while even adult-level NON-pornographic stories get lumped with the stuff you'd expect to see on a restroom wall.
Pocket-sized, battery-powered Linux box w/20G hard drive, 802.11b port, small screen "console", and a way to attach (at least) an ethernet.
Add a GPS and you've got a warhiking setup.
Add intrusion tools plus automation and you've got an industrial espionage device, too. (Bad guy goes to an interview, hangs out in a waiting room, lobby, or parking lot, or hikes by on the sidewalk, while the pocket-sized box sucks down everything of interest on the internal net, or just sniffs packets for a while. 20G leaves plenty of room for netstumbler to crack the WEP.)
A quick search online found me a 128 meg USB pen drive for 50 bucks, the 32/64 meg ones are half that price.
I'm sorry, but the issue isn't the cost of the drive, the issue is the cost of the medium. (For "pen drives" the equivalent of the floppy "drive" is free - it's the USB port - and the equivalent of the floppy is the "pen drive" itself.)
So you're comparing a pen that costs $25 to a floppy that costs well under $1. Nope - not there yet.
When the PENS are cheaper than the FLOPPIES, and the BIOSes can boot from 'em, and the OSes (ALL of 'em) can treat the pen as a disk, THEN you can start to talk about replacing the floppies.
But they're STILL have a compatability issue with older machines. And you'll STILL have a cost issue buying pens to replace the current floppies.
I'm sorry, Dell. When USB pens are thinner and cheaper than floppies for greater capacity, or writable mini-CDs are cheaper and the drives at least as small and cheap, I'll think of migrating.
But they'll have to be WAY cheaper to make up for the compatability issues during the migration.
And that will be hard - because an external floppy drive is under $50 retail now, the floppies are still way cheaper than a calling-card writable CD (let alone a RAM pen), and the pens are thick while the CD drives are a larger form factor.
You need about a times-ten improvement in price-performance to justify a changeover.
Meanwhile, until all the machines are upgraded, you need the floppy for things like sneakernet and recovery disks. That might be a long time for older machines that are dedicated to some well-debugged application.
With your line of logic we should still be using the Bi-plane.
One of the things an experienced engineer is better at than a newbie is knowing WHEN to use a well-known, well-debugged solution, and WHEN to go invent a new one.
It is unthinking reinvention that led to abortions like BART, which I could deconstruct at length. Hint: Using aerospace engineers - whose only experience with wheels-on-surface is landing gear - to reinvent the train results in discarding nearly two centuries of well-debugged solutions and gives you a very rough ride. And an expensive one: The only manufacturer of new rolling stock is in France, and charges over 6 million bux for a single car.
Another case is the old AK-47 verses the M16 debate. Yes the M16 shoots straighter, and farther. But the AK-47 can be repaired in the field, has a higher rate of fire, and is dirt cheap to make. Depending on your needs, one works or the other.
If given proper ammunition the M16 does very well in the field and doesn't NEED repair. And the gas system is self-cleaning, so you don't need to take it down and clean it in the field. Just keep reloading and firing.
Unfortunately, immediately after its introduction an admiral decided to have a bunch of going-out-of-date ball powder for naval guns remanufactured into rounds for he M16. Now a single round of a big navy gun uses a LOT more powder than a single round of an M16 - so one lot of power redone as.222 can supply the whole war for several months, which is exactly what happened, JUST as they were going into general service.
Given the correct powder the M16's gas system is self-cleaning. But fouling isn't a big problem for a navy biggun, so not leaving a cloud of carbon wasn't high on the design parameters for ship gun powder. So the out-of-spec rounds smoked something fierce, to the point that firing a few boxes totally clogged the gas system, turning the M16 into a single-shot slide-action, typically at some inopportune moment when it was being used heavily.
So the M16 got a rep as a tight-tolerance jam-prone turkey. Once the problem with the out-of-spec powder was discovered (and a few heads quietly rolled) the M16s stopped jamming and no longer needed to be "repaired in the field".
AKs were designed by a (genius) wounded sergant in WWII, to be manufacturable with the level of steelmaking available in Russia while their still-primitive infrastructure was being pounded by the Germans. They are a solid, reliable, full-auto that could be built to tolerances achievable under such adverse conditions, enabling Russia to rearm its soldiers (which were mostly using bolt-actions at the time). The design stayed popular because it could be manufactured by any Soviet client state that was just starting to get steelmaking going. So it became the insurgents' weapon-of-choice.
But don't forget to clean them immediately after use, because much of the cold-war era ammo is corrosive-primed. And a rotted-out AK will die in action quite as effectively as a powder-fouled M16.
What does the National Institutes of Health have to do with this?:_|
NIH = Not Invented Here. (Implication: So let's ignore it and reinvent this wheel our own way. Like maybe without that obnoxious radial symmetry. Besides, a round wheel might violate some patent. So let's have lots of engineer fun and waste lots of money, instead of pulling an existing design off the shelf, filing off a few rough spots so it will fit, and installing it.)
NIH goes along with management that thinks you need young developers who are constantly creating (and will reinvent the bubble sort), rather than experienced developers who already have the answers in the can (and will pull down their copy of Knuth Vol III and pick the right sort for the job.)
Which is not to say that I agree with the poster's conclusion that they may be ignoring fine solutions in order to construct one of their own. Integrating the video and audio server and protocols - rather than grafting audio onto an existing video server (which is in turn grafted onto something originally designed for more static displays) - is the right solution for synchronized video/audio. And the integration may have different problems than gluing the bag onto the side of the kludge.
It's good to see him getting support from the Republicans in the form of McCain.
Who said McCain was a Republican?
Yes, he had the party's nomination. But he tends to bolt the party on votes - to the point that people expected him to switch parties if the Senate came out a tie or near-tie in the last election.
Conservatives have a term for politicians: RINO - for Republican In Name Only. McCain is the current poster-child for the breed.
Ripped off from here
Some of the other techniques described in articles linked from that site involve direct brain stimulation by VHF or microwave energy.
If they start going into general use - even intermittently - it may be time for the tinfoil hats.
Just imagine a Beowulf cluster of Maytags . . . !
Or a RAID of them.
(What WERE they keeping in those washing machines that got the authorities interested?)
Just pick a few of the folks sharing gigabytes of stuff [...] and "make examples" out of them. Then everyone else will delete^H^H^H^H^Hencrypt their files with a quickness!
Reminds me of the late '60s / early '70s, when "the computing center" was a centralized empire at each university where everybody (except the administration) did their computing, and a 50 MB hard disk looked like a washing machine (and disk farms actually WERE sometimes referred to as "laundromats").
The big U where I was an inmate had a policy against "frivolous use of the computer" (which had been paid for by research grants on the condition that nobody got a cheaper rate on processor seconds, kilobyte months, or what-have-you than the grant that bought the box). So games were verbotten. Also: Obscenity was frowned upon (due in part to an unfortunate incident with typewriter pictures on a line printer just as the sponsors' tour party went by it).
Well, the typewriter-interface Star Trek game hit the timesharing machine - and quickly became a major consumer of CPU time. The center's personnel deleted a publicly-known copy. And another. And several more. And it turned into an arms race.
Encrypted copies all over the disk farm. HUNDREDS of 'em. Software to search the disks for more. People doing things like inserting the comment "Kirk Spock Klingon phaser Enterprise NCC-1801" in otherwise-unused lines of configuration files (for the joy of watching the use counts go up as the tools kept finding it and the staff kept looking at it only to discover that it was not part of a game). Conservative guesstimates were that AT LEAST one whole washingmachine's worth of storage was given over to encrpyted copies of the game.
And things started going wrong.
The last straw was twofold - two big mistakes within about a week of each other:
A student named "James Kirk" found his thesis work (in a file of the same name) deleted, with no backup. Oops.
And the medical school was just finishing a several-year, multi-million dollar project on the critical path to approval for a new drug. The drug was related to the endocrine system, so one of the tests was to dose rats with it when they were in the womb or young, then measure their penises to see if their size at maturity was affected. The project accumulated the data, as it was collected, in a file on the heavily-backed-up Computing Center disk farm. The file was named "Rat Penis Data".
One day the grad student went to enter the latest set of measurements - and found the file had been replaced with a self-righteous flame about misuse of the computer.
Of course the center staff hadn't done a backup of the "obscene" file just before the replacement. So even if the file were restored, the data since the last backup was lost, and atempting to re-enter it from paper records risked missing or double entries, even if all the paper could be sorted out. Project's results are now invalidated. Med school lost megabux. Drug company's product was set back by years.
Needless to say there was quite a bit of interdepartmental pressure to take the culprits out behind the woodshed for a sound thrashing. And rabid enforcement of such policies got a major setback.
But it was also the beginning of the end for the Center as an all-controlling computer empire.
Up to that point it, like such centers at most universities and corporations, had been in a position to veto other departments' computer purchases. The Regents (or the administration acting as their agents) would take such requests to the Comp Center for evaluation - and the evaluation would always be "they should use the timesharing system at the Center". And the other departments wouldn't push (or would sneak a PDP-n in as automation in some test instrument). Now the integrity of their data was at issue, and the Center had proven itself incompetent on this issue. So first the Medical Center and then other departments pushed for, and won, their own machines.
And the Center went on to salvage its position by specializing in networking. B-)
So, don't use OTPs in situations where the plaintext is likely to be known by an attacker and not the recipient. Situations like that are pretty rare.
Actually, they're quite common in situations where messages must be encrypted for security.
(By the way, the stipulation "where the plaintext is likely to be [not known] to the reciever" is redundant. The information theory definition of communication is surprising the receiver with message content he DIDN'T know in advance. If he already knew it you didn't communicate.)
OTPs make great authentication systems for insecure channels such as telnet.
Not really.
First: If he can figure out, say, the first command you're likely to run after logging in, he can substitute just that with something that will give him access or do what he wanted done. Game over.
Second: If you're just using it for authentication - like by signing a message digest of a known algorithm - he can substitute a message AND substitute a corrected digest. For some digests (like CRC and checksum) he can do this even if the whole message is OTP encrypted and he only knew the part he changed and the location and type of the digest.
Tell me the number you were thinking of."
You're the man in the middle...you tell me!
You still don't get it.
The attack I'm talking about involves the man-in-the-middle KNOWING what "the number you were thinking of" AND intercepting your transmission AND substituting a forged transmission of his own. The first part - knowing "the number you were thinking of" - means he needs to get that by some OTHER route than your intercepted message.
I have your transmission. To construct the forgery I'll also need the number you're thinking of.
I suppose I COULD send Guido to beat it out of you. B-)
But that seems a bit extreme just to prove a point in a slashdot thread that is already off the front page.
I think we [should ask] "why isn't there an affordable public database of this material". Not just a server crammed with decisions, but also an affordable method of searching it.
I'd settle for the "server crammed with decisions", which IMHO the government should provide.
(After all, the government claims we're supposed to know and obey these laws - or at least won't accept ignorance as an excuse for breaking them. Yet it neither makes them available nor teaches them in the public schools. Make up your MINDS, guys!)
Once we have that server, indexing and annotating it can be a distributed project, or set of them, suitable for volunteers, law departments of universities, charatable trusts, and competing political and/or religious factions with axes to grind and points of view to purvey. (Or for other for-pay indexing startups.)
And if the government wants to buy the existing doc-to-data work of Lexus/Nexus, Westlaw, or what-have-you rather than do it over themselves, that's fine, too. For starters it would give them additional return on their investment to make up for what they might lose from the competition. And that would help short out claims of government intervention in private enterprise. They'd be left, in the new competitive marketplace, with their own indexing and annotation service (along with its years of experience, well-known brand name, and customer base familiar with the tools) and with their data-conversion investment paid off at a profit.
No, "keys" are used to generate "pads".
Only if it's NOT one-time-pad, but a pseudo-random generator cypher. Real one-time-pads are generated by a TRULY RANDOM process - such as well-shaken dice, shot noise in a diode, or nuclear decay. (Or they are generated by a not-quite-random process, like typists instructed to "hit random keys" or your keyed pseudo-random generator, and they are no longer theoretically unbreakable.)
Crack this...you can only make one guess...I'm thinking of a number between 0 and 255. I've just encrypted it with a pad. The encryption result is 6. Guess my number.
My point:
Tell me the number you were thinking of. I'll XOR it with 6 and get the chunk of your pad you were using. Then I'll XOR 23 with your pad chunk and use the result to convince your buddy that the number you were thinking of was actually 23.
THAT's the man-in-the-middle attack: Turning "attack at dawn" into "surrender at 5AM" by intercepting a known message and changing it to something else. One-time-pad (alone) is completely vulnerable to a man-in-the-middle who knows the plaintext.
Look, the idea behind a one-time-pad is that the attacker doesn't know the pad. Therefore, knowing what segment of the pad is being used does you no good.
:= clear EXOR pad_segment
:= encrypted EXOR pad_segment
:= clear EXOR encrypted
:= pad_segment EXOR clear_substitute
:= 0 through blocks - 1) {
:= 0 through blocks - 1) {
Right.
And you can't "solve for the pad" because there are as many bits of entropy in the pad as there are bits of information in the message.
Wrong.
Encryption by one time pad is:
encrypted
and decryption is:
clear
The situation is:
- The bad guy already knows clear.
- The bad guy is a "man in the middle" - he can intercept encrypted, play with it, and substitute another of his own.
So bad guy does:
pad_segment
Now he has pad_segment. Next he does:
encrypted_substitute
Then he sends encrypted_substitute in place of encrypted. This IS the man-in-the-middle attack as applied to one-time-pad.
Short of stealing the pad (which should have been thoroughly destroyed after use), there's no way of breaking an OTP scheme.
Right - there's no way of BREAKING one-time-pad. But a man-in-the-middle who knows the plaintext message (or part of it) by some other method automatically knows the part of the pad that encrypted that part of the message. So he can substitute anything he wants for any part he knows. (Knowing the message without knowing the pad is common - because the pad will be kept under tight security or intrusion-detection, while the information to be communicated arrives from outside.)
The GLOPS cycpher encryption is:
for (i
encrypted[i]:= (clear[i] GMULT pad_segments[i*2]) GADD pad_segments[i*2 + 1];
}
and decryption is:
for (i
clear[i]:= (encrypted[i] GSUB pad_segments[i*2 + 1]) GMULT GINVERSE(pad_segments[i*2]);
}
(Note that pad_segments[] has been pre-filtered such that even entries are non-zero.)
Now the bad guy is stuck. Since he knows nothing about pad_segment except that the even entries are non-zero, he has just under TWICE as much entropy as information. Knowing the plaintext removes just over HALF the entropy, and he STILL has almost as much entropy as the message.
For a field of, say 256 members (i.e. encryption by bytes) he's left with 255 posibile pairs for (pad_segment[i*2], pad_segment[1*2 + 1]). That extra bit of knowlege (that pad_segment[i*2] is non-zero) corresponds EXACTLY to the knowlege that if he leaves the block alone he doesn't change the message - something he knew anyhow, given that he already knew the messge was encrypted in blocks.
Think of it as using ONE one-time pad to hide the message, and ANOTHER one-time pad to hide the first one from men-in-the-middle. B-)
Unlike message digests (which could be trivially reconstructed if you know the whole message) and signed message digests (which rely on signing such an easily-reconstructed digest with an encryption that is HARD but not THEORETICALLY IMPOSSIBLE to fake), the second part of GLOPS is, like one-time-pad, also theoretically unbreakable.
But there's nothing to prevent you from including a digest in the message before you apply GLOPS. B-)
Or just apply GLOPS to the message digest, for messages you only need to authenticate to your intended receiver. Then if you have a man-in-the-middle who broke your digest algorithm AND signature he STILL is stuck: He has to chose a substitute message that will hash to the same value (which will look suspicious) or substitute a random value for the digest (which is VERY unlikely to be correct).
Umm, one-time-pads have no decryption "key", that is why you can't crack a one-time-pad...ever.
With one-time pad the segment of the pad in use IS the "key".
But if you don't like that usage, replace "solve for the key" with "solve for the segment of one-time pad used".
A deficiency of one-time-pad is a man-in-the-middle with plaintext known. Given the known plaintext he can solve for the key and then use it to substitute an identical-length message of his own choosing.
...") for the long-winded header. The tail disolves into noise, but that could be expected from a code-clerk (or machine) under attack, which might make a synchronization error in the key. For automated systems you can still spoof the checksum at the end even if you can't spoof the tail of the message. Tweak the protocol and you might, say, slip some malware's infection header into a known buffer-overflow bug behind a firewall.
This is a non-trivial problem, as the start of a message may be known to an attacker, in both manual systems (where messages often start out with stock stuff) and automated ones (where the start may be automated protocol headers or well-known payload starts, which is all he really wants to spoof). Further, the entire content may have been discovered by other means - means which still didn't give him the encryption key.
Substituting only the start can still spoof both manual and automated systems. With a manual system you can substitute a short, urgent message ("They're coming over the hill at us from the east armed with
A solution to that was proposed back in the '70s by (ahem) me: Use Gallois fields, TWICE as much one-time pad as message, and encrypt in small blocks by multiplying by the first block of key and adding the second. (You also discard any block of key that would result in a multiply-by-zero in the first step.)
For any product of N primes there is at least one gallois field, and two is prime, so there is at least one gallois field of 2^n members for any n, i.e. you can encrypt blocks of n bits for any value of n greater than 1. (For n=1 this degenerates to ordinary one-time pad, as the first block of key is always 1.)
Suppose you encrypt in 8-bit blocks. (What a coincidence!) Even if the man-in-the-middle knows the message, for each byte he can either leave it alone or make a random choice among the other possible bytes. He's reduced to a malicious noise-generator. (He can pick the worst spot(s) to inject noise, but that's the limit.)
I called this the "GLOPS" cycpher, by analogy with GLOPS codes (a term-of-art for codes composed of arbitrary pairings of typically 5-letter groups with messages). With a GLOPS code knowing "GLOPS" means "attack at dawn" doesn't tell you whether "GLOPT" means "attack at dusk", "send a gross of toilet paper", or anything else. Similarly, with a GLOPS cypher, knowing 0x33 means "A" in this position doesn't tell you anything about 0x34 (except that it isn't "A" - unlike a GLOPS code where GLOPT might ALSO mean "attack at dawn".)
Obviously, the above argument [GPL si, copyrighted music no] is absurd, but points out that Slashdot has a double standard.
No it does not.
Because Slashdot does not have any standards. It has a broad population of individual posters, who have their individual standards.
Some of them disagree with some aspect of how copyrights are used in the music industry, and some of them support the way copyright is used by the GPL. These are not necessarily the same people.
Now if you want to argue that those PARTICULAR SLASHDOT POSTERS who disagree with the music industry's use of copyright but agree with the GPL's use have a double standard, you might have a point worth discussing.
But to claim that SLASHDOT has a double standard is to propagate the same lie the media does when it says that an American family has 3.2 children of which 2.1 are illegitamate.
I mostly agree - great summary.
BUT:
During the discovery phase of the trial, the defendent would have to produce the complete source code and build instructions for their product.
They might not have to. At the very least, the defendant could probably delay execution by arguing over whether they really had to produce their entire source code (on the basis of trade secret).
Secrecy isn't a defense to that requirement. The judge can just keep it under seal and only give it to the hired third-party expert, withholding it from the plantifs and from the public-domain trial documents.
Can I register all the user IDs on my domains with a wildcard entry?
why do people waste part of their eight hour day? Because they don't need eight hours every day to do their jobs. Maybe they need twelve one day and four the next.
Some jobs are EXPLICITLY patchy, too. For instance: Plant maintainence. If the maintainence crew isn't spending half it's time playing Eucre, you don't have enough maintainence men for when things break down.
This leads to pathologies, when management tries some organizational tweak that doesn't take this into account. For instance:
There was a steel mill whose bean-counters decreed that every interval on an employee's timecard had to show the project number on which the employee was working (so they could charge each customer the right amount, see?) Sounds reasonable, eh?
But what about the guys that build and fix up the plant equipment? Well, they made up "project numbers" for each piece of equipment, so they could allocate a cost for its use based on how much labor was spent setting it up and maintaining it. Still sounds reasonable, eh?
But where do the maintainence men bill their Eucre time, as they wait for something to break down and result in a fire-department style scramble? Oops!
Well, they had recently fixed this conveyor. So they happened to know its account number. So they used that account number for their downtime.
And everything worked fine for a few months. Until a bean-counter was looking over the records and discovered that this conveyor seemed to need a LOT of repair.
So they tore it out.
It's just impossible to focus on work for 8 hours straight, especially one that requires a lot of concentration, like programming. I've found that when I'm coding a difficult problem, I have to step away from the computer for a while and just sit and think about it.
And back in the days of time-and-motion studies (like the '50s and even before) it was discovered that this applies to ALL office jobs. Executive decision making, typing, filing, adding figures, you name it. If the employee takes several short breaks across the day (like 15 minutes every couple hours, if I recall correctly) the productivity during the rest of the time goes up, and the error rate goes down, to more than compensate - much more. Same applies to people on productions lines, too. (Only there a mistake may mean a man down with an injury rather than just a little rework to do.)
So the "coffee break" was invented. (Turns out a little caffeine increases the effect, too.)
And breakrooms were added to every office suite.
(Similarly, the 40-hour week is a 40-hour week at least partly because productivity drops drastically after 8 hours per day on a 5-day work week.)
Of course many hi-tek managers were promoted from the ranks (or self-promoted by entrepreneurial activity), with only a few hours of management training (if that). So they didn't get an education that included these facts.
Also, the Japanese have always used "comic books" for serious (sometimes mundane) stuff.
In US (and here in UK) comics are regarded as "kids Stuff" irrespective of their content
Nail on the head.
But a graphic novel bears the same relation to a written novel as a stage play to storytelling around the campfire, or as TV to radio. There's no reason it has to be children's entertainment.
And in fact it isn't just for kids - and hasn't been even since its inception. There's lots of find material out there, with a broad subject matter. I won't even begin to try to list it.
And even the "kid stuff" can be very deep. For instance: Barks' Donald Duck / Duckville / Uncle Scrooge / Gladstone Gander / Gyro Gearloose stories are a textbook education on economics (especially capitalism and why/how it works), including its relation to morality, social well-being, crime, cults, decision-making, etc. (I knew one entrepreneur who was quite a fan of it - having gotten much of his early education in economics from it - who called himself a "Barksist". B-) )
I think the problem in the US is that the general public's exposure to comics has been childrens' superhero-fantasy adventure material. So it is viewed as kid stuff and/or lowbrow - a view the media industry encourages, to prevent the loss of eyeball time.
But with the lowering of the standards of television and theater entertainment over the last few years, and the Manga phenomenon coming in from Japan, perhaps there's an opportunity to break that mental barrier on the general public's part. (There's LOTS of graphic material that's higher-brow and more thought-provoking than anything on the tube these days. B-) )
Meanwhile, if you have a friend who may be susceptable to some eye-opening (especially if he's an academic literature type), get him a copy of Scott McCloud's _Understanding Comics_, which is a very readable textbook on the structure, conventions, and operation of comics as a separate literature form.
Well... american comics have had soft pr0n for decades, buxom babes/buff dudes, all in skit-tight uniforms.
US comics have a non-trivial amount of pornographic titles, too. Some of it is high-quality storytelling, as well (i.e. Foglio's XXXenophile).
Perhaps this doesn't get much exposure because, in the US, comics are still (mistakenly) thought of as strictly pre- and early-adolescent entertainment. Thus material with adult content can get a comic store slammed as a corruptor of youth. So stores keep the seamy stuff in a back corner. Thus it gets little exposure, while even adult-level NON-pornographic stories get lumped with the stuff you'd expect to see on a restroom wall.
uhm, netstumbler doesn't crack WEP. Airsnort does.
Oops. My bad.
Pocket-sized, battery-powered Linux box w/20G hard drive, 802.11b port, small screen "console", and a way to attach (at least) an ethernet.
Add a GPS and you've got a warhiking setup.
Add intrusion tools plus automation and you've got an industrial espionage device, too. (Bad guy goes to an interview, hangs out in a waiting room, lobby, or parking lot, or hikes by on the sidewalk, while the pocket-sized box sucks down everything of interest on the internal net, or just sniffs packets for a while. 20G leaves plenty of room for netstumbler to crack the WEP.)
A quick search online found me a 128 meg USB pen drive for 50 bucks, the 32/64 meg ones are half that price.
I'm sorry, but the issue isn't the cost of the drive, the issue is the cost of the medium. (For "pen drives" the equivalent of the floppy "drive" is free - it's the USB port - and the equivalent of the floppy is the "pen drive" itself.)
So you're comparing a pen that costs $25 to a floppy that costs well under $1. Nope - not there yet.
When the PENS are cheaper than the FLOPPIES, and the BIOSes can boot from 'em, and the OSes (ALL of 'em) can treat the pen as a disk, THEN you can start to talk about replacing the floppies.
But they're STILL have a compatability issue with older machines. And you'll STILL have a cost issue buying pens to replace the current floppies.
I'm sorry, Dell. When USB pens are thinner and cheaper than floppies for greater capacity, or writable mini-CDs are cheaper and the drives at least as small and cheap, I'll think of migrating.
But they'll have to be WAY cheaper to make up for the compatability issues during the migration.
And that will be hard - because an external floppy drive is under $50 retail now, the floppies are still way cheaper than a calling-card writable CD (let alone a RAM pen), and the pens are thick while the CD drives are a larger form factor.
You need about a times-ten improvement in price-performance to justify a changeover.
Meanwhile, until all the machines are upgraded, you need the floppy for things like sneakernet and recovery disks. That might be a long time for older machines that are dedicated to some well-debugged application.
The article says it's "powered by InnoMedia's patented audio and video processing technology".
In the same sentence it then says it "allows for worldwide video calls".
Seems to me that's an oxymoron. Worldwide video calls, yes, but only if the other end also has an InnoMedia phone.
Unless they make the "patented a/v technology" available for free to all, you only get to talk to their other customers. Result: Nobody buys it.
Kiss of death.
With your line of logic we should still be using the Bi-plane.
.222 can supply the whole war for several months, which is exactly what happened, JUST as they were going into general service.
One of the things an experienced engineer is better at than a newbie is knowing WHEN to use a well-known, well-debugged solution, and WHEN to go invent a new one.
It is unthinking reinvention that led to abortions like BART, which I could deconstruct at length. Hint: Using aerospace engineers - whose only experience with wheels-on-surface is landing gear - to reinvent the train results in discarding nearly two centuries of well-debugged solutions and gives you a very rough ride. And an expensive one: The only manufacturer of new rolling stock is in France, and charges over 6 million bux for a single car.
Another case is the old AK-47 verses the M16 debate. Yes the M16 shoots straighter, and farther. But the AK-47 can be repaired in the field, has a higher rate of fire, and is dirt cheap to make. Depending on your needs, one works or the other.
If given proper ammunition the M16 does very well in the field and doesn't NEED repair. And the gas system is self-cleaning, so you don't need to take it down and clean it in the field. Just keep reloading and firing.
Unfortunately, immediately after its introduction an admiral decided to have a bunch of going-out-of-date ball powder for naval guns remanufactured into rounds for he M16. Now a single round of a big navy gun uses a LOT more powder than a single round of an M16 - so one lot of power redone as
Given the correct powder the M16's gas system is self-cleaning. But fouling isn't a big problem for a navy biggun, so not leaving a cloud of carbon wasn't high on the design parameters for ship gun powder. So the out-of-spec rounds smoked something fierce, to the point that firing a few boxes totally clogged the gas system, turning the M16 into a single-shot slide-action, typically at some inopportune moment when it was being used heavily.
So the M16 got a rep as a tight-tolerance jam-prone turkey. Once the problem with the out-of-spec powder was discovered (and a few heads quietly rolled) the M16s stopped jamming and no longer needed to be "repaired in the field".
AKs were designed by a (genius) wounded sergant in WWII, to be manufacturable with the level of steelmaking available in Russia while their still-primitive infrastructure was being pounded by the Germans. They are a solid, reliable, full-auto that could be built to tolerances achievable under such adverse conditions, enabling Russia to rearm its soldiers (which were mostly using bolt-actions at the time). The design stayed popular because it could be manufactured by any Soviet client state that was just starting to get steelmaking going. So it became the insurgents' weapon-of-choice.
But don't forget to clean them immediately after use, because much of the cold-war era ammo is corrosive-primed. And a rotted-out AK will die in action quite as effectively as a powder-fouled M16.
What does the National Institutes of Health have to do with this? :_|
NIH = Not Invented Here. (Implication: So let's ignore it and reinvent this wheel our own way. Like maybe without that obnoxious radial symmetry. Besides, a round wheel might violate some patent. So let's have lots of engineer fun and waste lots of money, instead of pulling an existing design off the shelf, filing off a few rough spots so it will fit, and installing it.)
NIH goes along with management that thinks you need young developers who are constantly creating (and will reinvent the bubble sort), rather than experienced developers who already have the answers in the can (and will pull down their copy of Knuth Vol III and pick the right sort for the job.)
Which is not to say that I agree with the poster's conclusion that they may be ignoring fine solutions in order to construct one of their own. Integrating the video and audio server and protocols - rather than grafting audio onto an existing video server (which is in turn grafted onto something originally designed for more static displays) - is the right solution for synchronized video/audio. And the integration may have different problems than gluing the bag onto the side of the kludge.
It's good to see him getting support from the Republicans in the form of McCain.
Who said McCain was a Republican?
Yes, he had the party's nomination. But he tends to bolt the party on votes - to the point that people expected him to switch parties if the Senate came out a tie or near-tie in the last election.
Conservatives have a term for politicians: RINO - for Republican In Name Only. McCain is the current poster-child for the breed.