Slashdot Mirror


User: konstant

konstant's activity in the archive.

Stories: 0 · Comments: 311

Comments · 311

  1. Re:Reversing the privacy policy circle... on Hailstorm: Changing Society's Privacy Infrastructure · · Score: 2

    Hope I'm not replying to a joke here ("all your base")

    Is that concept legal? It is an interesting idea, but doesn't some human representing the party of the second part (the company running the site) have to be at least aware of the license? The HTTP protocol is designed to ignore headers it does not recognize, and if you suddenly inject this into the stream nobody on the other end would even be aware of it. At best they might see it in their httpd logs later on. Doesn't sound like license acceptance to me at all.

    -konstant
    Yes! We are all individuals! I'm not!

  2. Re:Darwin's voyage on Windows Exec Doug Miller Responds · · Score: 2

    Blame this response on too many months spent on talk.origins, but..

    The flaw in this analogy is that the entire purpose of minor speciation events like Darwin's finches is to reduce the commonality between strains of finch. Thus, the newly derived finch does not compete with the older, successful finches and consequently has a chance at being successful in its own right, by exploiting different resources in the environment.

    However, with software - which is what I assume you're talking about - all the "finches" want to exploit the same "resource" of customer dollars. Therefore they are constrained; they simply cannot speciate in certain ways because it would prevent them from getting more of the common resource. For example, if the only edible thing on the island were walnuts, you wouldn't see any finches speciating to have thin, delicate beaks because they would starve.

    Likewise there are certain things required by consumers of software that are not negotiable. One of these *appears* to be a well-understood UI theme. Another one *appears* to be certain metaphors like menus, shortcuts, buttons, whatever.

    So while the software can certainly innovate in all kinds of crazy, cool ways to improve efficiency behind the scenes - a bit like some finches getting more efficient lungs or hardier stomachs - they can't dramatically change their interfaces to the customer because the customer is not malleable on certain issues.

    That is why we are all stuck with the original Mac metaphors after all these years, despite the likelihood that point-and-click is not the best way to get work done. Only with long training and gradual acceptance can users be brought around to think of things in a completely new way.

    Funny post though :-)

    -konstant
    Yes! We are all individuals! I'm not!

  3. Re:It's all about keeping the stock price up. on Microsoft Turning Screws on Customers · · Score: 2

    If their stock doesn't go up (or worse, if it goes down), then working at Microsoft is not really that nifty a job.

    I won't disagree with your assessment of the Microsoft compensation model - which is reflected at most companies in the industry BTW - but you are missing the "intangible" pleasure of working for a company that respects its employees, fosters their career growth, and lets them work on extremely cool technology that will be used by millions of people.

    Personally, I feel the pinch you are referring to already with the lower stock price, but don't discount the "coolness" factor of working here. The stock would have to drop quite a bit more before I would consider that alone to be a good reason to leave.

    -konstant
    Yes! We are all individuals! I'm not!

  4. Re:Absurd.. on Gnutella "Virus" Roams · · Score: 2

    Well, they could adopt the UNIX mechanism whereby there is no visual cue at all about the possibility that a file is an executable.

    "a.out" anyone?

    -konstant
    Yes! We are all individuals! I'm not!

  5. Re:It's an opportunity to retool sociobiology on Human clones priced at $50,000 · · Score: 2

    Andrea Dworkin describes such a utopian future of the "androgynous community" where the perceived "deviance" of sexualities disappear and we're all free to become what we already feel we are but repress.

    Hooray! Now we can get rid of sex forever!

    Thank you Andrea Dworkin!

    -konstant
    Yes! We are all individuals! I'm not!

  6. How'd it go? on A Glimpse At Apple's New Core · · Score: 3

    How did that old ad from Macintosh go? $>CNGRTLNS.MCX!
    -konstant
    Yes! We are all individuals! I'm not!

  7. memory limit? on FCC Considering 10-Digit Dialing [UPDATED] · · Score: 2

    A 10-digit number should be acceptable provided that each new section is a shared area code that can be remembered separately.

    If it is simply a long string of evidently random digits, won't the bells run up against the theoretical "average" digit memorization length of 10? If you present a string of digits to a random test subject and ask them to recite those digits, most will falter after the tenth.

    For people who change their home addresses and thus their phone numbers frequently, an 11-12 digit number might result in lots of recollection failures. One thing the telcos have not experienced yet is user support for people who have forgotten their home phone numbers!

    -konstant
    Yes! We are all individuals! I'm not!

  8. Not worth it on Yahoo Offering Encrypted Email · · Score: 2

    This solution only encrypts the mail while it is on the wire - the cleartext is stored on Yahoo's servers and is capturable on either client.

    Sure, encrypting your transmission en-route is better than sending it in the clear, but given how frequently Yahoo is taken down by skr1pt k1dd13s, I would say the server is the greater vulnerability.

    If you are sincerely interested in encryption, only a client-side solution provides adequate protection.

    -konstant
    Yes! We are all individuals! I'm not!

  9. most problems still human on Analysis: Reforming Political Technology · · Score: 5

    Technology is a handy baton to wave, but I don't think the most severe problems in our electoral system are technological. Even if every voter in this country had a trusted-ASIC smartcard reader and a token shipped to them (which they manifestly don't), you would still have to cope with issues like the inconvenience of registration, human duplicity, and collusion/coercion.

    Rather than try to graft cryptography on top of the voting process, I would rather see human reforms. For example:

    1) The notion of voter registration is quaintly arranged to make voting more convenient for the government and the parties in power, not more convenient for the voters. Let's figure out a more efficient way to check the validity of a voter's identity at the polls, and scrap the idea of registration before voting day.

    2) If campaign money is speech (Buckley vs Valeo!) then my voice is being drowned out by the roar of corporate cash. Let's investigate public financing so that we know in advance who has bought the candidates - us!

    3) Just exactly why isn't voting day a national holiday?!?

    Technology can help us solve our problems, but it's important to realize that voting in America is defective in ways that go far beyond mere ballot mechanics.

    -konstant
    Yes! We are all individuals! I'm not!

  10. management by consensus on Greenspun on Managing Software Engineers · · Score: 5

    Recently I moved into what you might call a "management" role - a Program Manager at Microsoft. Despite the title, my work lies much closer to the realm of Negotiator than to Boss. A PM has many responsibilities and deadlines, but s/he has no official authority to execute them. If I want something done by a certain date, I need to convince the other teams (dev, test, ops) that my way is the best way. If I can't convince them, which is often the case, then my job is to discover a compromise.

    Greenspun has hit the nail on the head about management by consensus. When friends of mine regale me with tales of old-school management I try to show them the superiority of a system where the leaders are the actual workers, and the titular bosses are nothing more than organizers of the group's talent.

    In tech it makes sense to follow a more democratic model. If the workers aren't intelligent enough to contribute to design decisions, why were they hired in the first place? And if they are intelligent enough, why squander that ability with petty micromanagement?

    -konstant
    Yes! We are all individuals! I'm not!

  11. COME ONE COME ALL! on The Net as the New Jerusalem · · Score: 2

    SEE...
    JonKatz wave his hands in mad synchronization!

    HEAR...
    the gasp of the crowd as he strokes the egos of twentysomething computer nerds!

    GAZE IN DISBELIEF...
    as he draws parallels between computer users and GOD HIMSELF!

    -konstant
    Yes! We are all individuals! I'm not!

  12. Pretty ugly is right on Microsoft Threatens Oracle Over Benchmarks · · Score: 4

    The conflict between Oracle and Microsoft on the topic of database performance has been extremely nasty of late. Essentially, Oracle was taken entirely by surprise when some respected tests revealed that SQL2000 on Win2k beats the pants off Sun/Oracle performance.

    You can see the benchmarks here: TPC tests

    The margin by which Oracle is beaten must be pretty humiliating when they are competing for the same account. Oracle and Sun have attempted all sorts of dirty tricks to disqualify the results, and TPC even removed them at one point, but MS has always fixed the technicality and pumped out even higher results at even lower prices.

    Hence Oracle's recent market promise that if they can't triple your speed they will give you a million dollars. Some of us inside have joked about setting up a really badass SQL service and getting that million as a stunt :-)

    At any rate, I am not surprised that the two companies eventually are coming to slights and legal maneuvering. Oracle knows quite well that they are one of the companies Microsoft has marked as "Make irrelevant in five years" and they really don't want to go the way of Lotus, Corel, etc.

    -konstant
    Yes! We are all individuals! I'm not!

  13. interesting FBI story on Carnivore Demo Report · · Score: 2

    On a somewhat-related note, I recently attended the Verisign security conference in San Jose. While I was there I took in some of the keynotes, and one of them was a pair of FBI agents.

    They related some of their experiences tracking "network crime" (mostly pimply 13-year-olds) and talked about their opinion of computer security. During one anecdote, they related that they had seized a CD containing data that had been encrypted.

    Now they didn't say exactly what this encryption was, so it might be less interesting than it sounds, but the FBI guys said they were relieved that they managed to convince the cracker to give them the key because "we hate having to ask the NSA to crack encryption." The way they said it, you would think cracking encryption was some kind of bureaucratic hassle rather than a major computation and theoretical feat.

    Of course, it might have just been XOR or the key might have been a password. Still, interesting story.

    -konstant
    Yes! We are all individuals! I'm not!

  14. Re:Interesting approach on Interview With AES Author · · Score: 3

    That is true of all the candidates. Even MARS and RSA patents would have to be more-or-less unenforced if selected - go to the AES page and check out the huge red text that says exactly this.

    AES homepage

    Also, Rivest, Shamir, and Adleman *did* invent RSA. I'm not sure what you're implying.

    -konstant
    Yes! We are all individuals! I'm not!

  15. keep slashdot pure on Journalistic Integrity in the Digital Age? · · Score: 3

    While I agree with the sentiment of the poster, the idea that the slashdot editors should or could rival real, trained journalists is a little far-fetched.

    I browse slashdot for the community discussions, and frankly I rarely even read the articles. I'm pretty sure that's true of others, because god knows there's a lot of uninformed posting going on. The pleasure I derive from the site comes from the educational exposure to lots and lots of smart people who are kind of like myself. It's like a window into my own consciousness and motives.

    When I want news, I go to CNN. They do a far better job than any other professional outlet and slashdot's "news" stories aren't even comparable. But if I'm interested in invigorating discussion, humorous flames, or trivia, I come here.

    Basically, /. and CNN serve totally different needs. I would find it dull otherwise. Let's keep /. diverse and fun as long as possible.

    -konstant
    Yes! We are all individuals! I'm not!

  16. in new news... on UK Allows Insurers To Use Genetic Test Results · · Score: 2

    12 Oct 2005 13:08 GMT
    (MICHIGAN) Reuters

    In a development sure to change the way Americans consume healthcare, ProxyMegaloInsuroBanc Incorporated announced today that it will decline to issue or renew health insurance policies to anyone who will ever become ill.

    The startling move, made possible by recent advances in genetic testing, sent ProxyMegalo (PMIB) stock soaring in late trading, up 7 and 1/3 over yesterday's high close.

    John Chambers, CEO of ProxyMegalo was quick to discount the rash of consumer group protests precipitated by today's decision.

    "ProxyMegalo is dedicated to providing assistance to its policy holders in times of need. However, we have a business to run. What kind of profit margin do you think there is in insurance when everyone keeps dying all the time? With GeneticOne we expect our policy turnover to reduce to half or even one third of the current rate".

    PMIB announced its intention to insure a small, random percentage of customers whose genetics tests indicate they will become ill. "Due to privacy reasons, this information would not be divulged to the consumer, of course," said Chambers. "After all, what is the point of buying insurance if you already know whether you will be sick?"


    -konstant
    Yes! We are all individuals! I'm not!

  17. Re:But what's the point? on Is Extinction Only Temporary? · · Score: 2

    So, what am I trying to say? With no habitat to go back to, to repopulate, what's the point of bringing them back?

    Haven't you ever wanted a second chance after you made an idiotic mistake? This is one way of mankind making good on incredible errors after the fact.

    True, the mountain gorilla may be on its way out now, but that doesn't mean we won't have a collective change of heart 50 years after they're all gone.


    -konstant
    Yes! We are all individuals! I'm not!

  18. human surrogates on Is Extinction Only Temporary? · · Score: 4

    We have neanderthal DNA extracted from ancient bones. Anybody want to be the mom of a slope-headed baby?


    -konstant
    Yes! We are all individuals! I'm not!

  19. "complete embrace of full disclosure" on CERT And Vulnerability Disclosure · · Score: 5

    So this isn't a "complete embrace of full disclosure" huh? What exactly do you want? Possibly CERT should crack the app or site for you and hand you the root password as proof?

    Full disclosure is the right way to go... WHEN handled sensibly. You have no need for a coded exploit - if you can't write it yourself, what chance do you have to understand it? And if you don't understand it, what possible LEGITIMATE use do you have for it?

    I am always irritated by people who make flip remarks like "security through obscurity is proven not to work", when the basis for their remarks is that some vendors didn't patch known vulnerabilities in the days when STO was more prevalent. In reality, the aim of information security is NOT to eliminate all security holes. The aim is to prevent legitimate users from service interruptions and abuses. It's not that difficult a distinction, guys. For example, while MS didn't improve LanMan until l0pht released l0phtcrack, neither was anybody cracking it! The theory of some full disclosure zealots is that if all vulnerabilities aren't released and coded up within 24 hours of discovery, some shadowy breed of "super hackers" out there will find it in time and exploit it. Guess what - these super hackers DON'T EXIST. The number of people actually capable of discovering new holes AND who are shady enough to exploit them is so tiny that the odds are high an average user will never be affected by them. Most of these people spend all their time coding up "exploits" for skript kiddies today anyway!

    CERT has it right. Disclose the vulnerability to the vendor. Give them A LOT of time to fix it, and a lot of goodwill. Software companies can be slow on their feet - they can't address every problem that crops up in the 12 hours you give them until you announce "they haven't responded". But if the problem is not patched in that liberal amount of time (45 days seems enough to me) THEN feel free to shout from the rooftops and embarrass the suckers.

    Keep in mind that your enemies are the skript kiddiez, NOT the corporations or end users. For some reason it is easy to lose sight of that fact in the world of infosec, where everybody believes they are unusually smart and the companies they correspond with unusually stubborn. I know - I work in that field and ego is a dangerous thing. Don't let it blind you to what should be your real goal - helping people improve their lives.


    -konstant
    Yes! We are all individuals! I'm not!

  20. Re:why twofish lost & rijndael won on Rijndael Picked for AES · · Score: 2

    I didn't mean to imply that those algorithms were any the worse for their corporate backing. I only wanted to point out that the selection of Rijndael puts cryptography in the realm where it really belongs: academia and the public domain. Any one of the algorithms would have been a decent choice, but I found it pleasing that the non-corporate offering won out.

    You don't have to be nasty about it. "Gratuitous drivel"??? What do you think Slashdot's all about man?

    -konstant
    Yes! We are all individuals! I'm not!

  21. why twofish lost & rijndael won on Rijndael Picked for AES · · Score: 5

    I'm really gratified by these results. Recently I was implementing all the major AES candidates (in C++) in order to find one that might solve a problem I was running up against at work. Of them all, the only one I really could understand was Rijndael (pronounced "Rhine Dale" btw).

    For all the respect Schneier gets and deserves, Twofish is a horribly convoluted algorithm. They even had to publish a 200 page book explaining the damn thing, for god's sake, and even then the supposed experts who evaluated it for AES stated that they weren't confident they understood all its ins and outs.

    Basically Rijndael is secure for two good reasons. The first is that mere humans like me can understand it, and that sort of simplicity means more probing minds, more redundant testing, and higher confidence of security. Not to mention easier implementation. Secondly, if you increase the number of rounds in Rijndael you can effectively double the security, and even then it is still one of the fastest candidates in software.

    Twofish, RC6, Mars, etc were basically all ego-gratification projects intended to maintain corporate visibility in the cryptography market. There really is no better advertisement for your services than saying that you wrote AES. Rijndael on the other hand was an act of love - some hacker in Europe figured he knew crypto as well as all the suits. Looks like he proved it, too.


    -konstant
    Yes! We are all individuals! I'm not!

  22. Re:SDMI on Slashback: Imagination, Evasion, Watermarks · · Score: 2

    I know this is a joke, but:

    10. Write a device driver that emulates a soundcard. Dump output to disk. Optional - sending to the real soundcard. Bonus points if you use DirectSound.

    This can't be done if the vendors of the soundcards sign their drivers with a universal "secure music" key, and the SDMI music refuses to use anything other than a signed driver. These drivers of course will prohibit simultaneous sound in and out.


    9. Attach leads to the DAC of the soundcard, design daughterboard to resequence for raw wave output. Optional: 64MB stick of RAM and a memory overlay for copying back out to the system. Estimated cost to hire an EE to do this: $25k


    An impractical idea, but sound card manufacturers could always monitor voltage drop on their boards and shut down if it increased suspiciously. Don't think anyone's seriously going to do this though, not in mass quantities.


    8. SoftICE, a pack of mountain dew, and an SDMI decoder.


    I hear they obfuscate the object code and include commands to crash browsers, meaning that this is not a skript kiddie task. And what if the obfuscation differs between each copy of the SDMI binary on each user's machine? Eventually this becomes a big pain in the ass and not sufficiently general to pirate music.


    7. 15 minutes alone with developers of SDMI and a backpack full of bricks.


    Yes, I believe there is a backdoor in there somewhere. Probably would work. It's criminal, but hell, they'll be passing laws chopping off the right hands of MP3 traders pretty soon, so where's the risk differential?


    6. 45 minutes alone with legislators who signed DMCA into law, backpack full of bricks (note: bricks may be damaged by contact with thick heads of legislators - Aim lower)


    Unfortunately, bureaucrats seem to spawn asexually.


    5. Audio cable connected between INPUT and OUTPUT of soundcard.


    See above about signed drivers.


    4. Hold press conference. Compare SDMI to DivX. Drop plenty of rumors so retail outlets won't carry it without large cash advances.


    Attention The World At Large! Signal11 sez...


    -konstant
    Yes! We are all individuals! I'm not!

  23. YALTTISR on Privacilla-Open Source Privacy Policy Making? · · Score: 2

    Yet Another Libertarian Theory That Ignores Simple Reality

    Privacilla's primary argument and probably its whole raison d'etre is to argue that privacy is not really a concern when personal information is placed in the hands of businesses, and that only government infringements are dangerous to the public.

    This ignores simple reality - I use a simple system of pseudonyms to judge which of my online transactions are leaked for cash, and in all cases so far, a business has been the culprit. Especially major businesses like CNN.com and bn.com, although it sometimes is difficult to decide whether the leak was intentional or an inadvertent loss to some cracker. According to Privacilla, these are the merchants who supposedly will be checked by market forces.

    The problem with this fine theory is that the majority of users put no forethought into tagging their transactions and thus they have no means of pegging loss of privacy on any culprit. After all, my name, address, and telephone number are always the same, irrespective of who leaks them.

    I simply don't trust market forces or any other "invisible hand" to keep my data private. So far no such thing has worked for me or the majority of people online. Otherwise, why would it be an issue? For a real solution to this problem (albeit an expensive one) consider Zero Knowledge, which offers pseudonyms and dual-anonymizing proxies while on the web.


    -konstant
    Yes! We are all individuals! I'm not!

  24. Such as what? on What Happens When Patents Meet Antipatents? · · Score: 1

    Please believe me that I do not intend this question as flamebait.

    What has the open source community produced, especially recently, that could be patented? That is to say, what original inventions can OSS claim as its own?

    The further back one reaches, the more evident the free-software innovations appear to be, but then, the software landscape was far sparser back then. Currently, all OSS projects I am aware of are copycats of closed projects, and while they are useful they are not original. Can anyone provide me with insight as to what free-software has invented in the last few years?

    -konstant
    Yes! We are all individuals! I'm not!

  25. wonders of science on The Invisible Man? Kinda. · · Score: 3

    Thank god for this. With transparent skin I will no longer need to perform surgery upon myself with my kitchen knives to locate and extract the implants and baby aliens implanted in me on my last abduction to the mothership. If this advances to transparency of bone structure, then even exploratory work in my head with a drill may become unnecessary!

    Perhaps the aliens will no longer resort to anal probes quite so often now that they can see what they need from the outside. You would not even want to see one of their "medical devices". Ouch, and I mean OUCH! Sometimes I think there might be something wrong with those aliens IN THE HEAD!

    -konstant
    Yes! We are all individuals! I'm not!