He didn't need cryptography, he needed a shredder. Once you've read the message and obtained the information, wouldn't it have made sense to destroy the evidence?
Yes. He would have been a lot better off if he employed a One Time Pad which was distributed to all his trusted allies. He would encode his message against a page of OTP and then burn the message and OTP. He should then send the ciphertext and the trusted person who receives it should decode it from his OTP, commit the message to his memory and then burn the ciphertext and the appropriate OTP page. Even if someone recorded the ciphertext in transit, it would be useless without the appropriate OTP. Assuming of course that the OTPs were not made in any deterministic manner.
Of course this puts all of the security into the security of the initial transporting of the OTPs and the storage of the OTPs at each site. Also, there is the problem that if you employ this type of communication between more than two points, you have to somehow get the used OTP pages at ALL locations destroyed or otherwise have separate OTPs for each combination of possible communications between each point. With a mafia scenario though, with the boss being the hub, the "leaf nodes" need not be able to communicate with each other without going through the boss, since they could keep secrets from him or otherwise manage to accidentally cause a misinterpretation to occur. So really in that situation, I imagine the boss would need multiple separate OTPs and single copies of each for each of his people he wishes to communicate with.
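The pad lifecycle described in the two comments above, as an added example (not code from the original thread): a hub holds a separate pad per leaf, exactly two copies of each pad exist, every page is consumed and burned on use by both sender and receiver, and a leaf holding a different pad gets nothing useful from another leaf's ciphertext. Names (`Pad`, `Hub`, `demo`) and the 64-byte page size are assumptions; pages come from `os.urandom`, standing in for a genuinely non-deterministic source.

```python
import os
from typing import Dict, List, Tuple

PAGE_SIZE = 64  # bytes per pad page (assumed); one message per page, up to 63 bytes


class Pad:
    """One party's copy of a pad: numbered random pages, each usable exactly once."""

    def __init__(self, pages: Dict[int, bytes]) -> None:
        self.pages = dict(pages)

    def take(self, page_no: int) -> bytes:
        """Return a page and burn it; taking the same page a second time fails."""
        if page_no not in self.pages:
            raise KeyError(f"pad page {page_no} already burned or never issued")
        return self.pages.pop(page_no)

    def remaining(self) -> int:
        return len(self.pages)


def make_pad_pair(n_pages: int) -> Tuple[Pad, Pad]:
    """Generate n_pages of random material and hand out exactly two copies."""
    material = {i: os.urandom(PAGE_SIZE) for i in range(n_pages)}
    return Pad(material), Pad(material)


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(pad: Pad, page_no: int, message: bytes) -> bytes:
    """XOR a length-prefixed, randomly filled page-sized payload with one pad page.

    The random filler hides the true message length. pad.take() is the sender
    burning the page: it is gone before the ciphertext leaves this function.
    """
    if len(message) > PAGE_SIZE - 1:
        raise ValueError("message does not fit on one pad page")
    filler = os.urandom(PAGE_SIZE - 1 - len(message))
    payload = bytes([len(message)]) + message + filler
    return _xor(payload, pad.take(page_no))


def decrypt(pad: Pad, page_no: int, ciphertext: bytes) -> bytes:
    """Recover the message and burn the receiver's copy of the page."""
    if len(ciphertext) != PAGE_SIZE:
        raise ValueError("ciphertext is not exactly one page long")
    payload = _xor(ciphertext, pad.take(page_no))
    return payload[1:1 + payload[0]]


class Hub:
    """The boss: a separate pad per leaf, so leaves share no key material with each other."""

    def __init__(self, leaves: List[str], pages_per_leaf: int) -> None:
        self.pads: Dict[str, Pad] = {}    # the hub's own copy of each pad
        self.issued: Dict[str, Pad] = {}  # the single copy handed to each leaf
        for leaf in leaves:
            mine, theirs = make_pad_pair(pages_per_leaf)
            self.pads[leaf] = mine
            self.issued[leaf] = theirs

    def send(self, leaf: str, page_no: int, message: bytes) -> bytes:
        return encrypt(self.pads[leaf], page_no, message)


def demo() -> Tuple[bytes, bytes, bool, bool]:
    """Walk through the scenario with a constructed message; returns checkable results."""
    hub = Hub(["alice", "bob"], pages_per_leaf=3)
    alice_pad = hub.issued["alice"]
    bob_pad = hub.issued["bob"]

    ct = hub.send("alice", 0, b"meet at the docks at nine")  # constructed message
    got = decrypt(alice_pad, 0, ct)  # Alice reads it; her page 0 is now burned

    # A different leaf's pad is unrelated key material: decoding yields garbage,
    # which is why per-leaf pads keep the leaves from reading each other's traffic.
    bob_view = decrypt(bob_pad, 0, ct)

    # Reuse is structurally impossible: both copies of Alice's page 0 are gone.
    try:
        hub.send("alice", 0, b"again")
        sender_reuse_blocked = False
    except KeyError:
        sender_reuse_blocked = True
    try:
        decrypt(alice_pad, 0, ct)
        receiver_reuse_blocked = False
    except KeyError:
        receiver_reuse_blocked = True
    return got, bob_view, sender_reuse_blocked, receiver_reuse_blocked


if __name__ == "__main__":
    print(demo())
```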
I'd bet the battery life on this sucks. Allegedly Ogg is not as mathematically efficient (sucks batteries), and on top of this all the groovy ad hoc software power management tricks the iPod probably does will get chucked.
The whole point of the iPod is seamless integration. Who needs Ogg when you have AAC (with or without DRM)?
You don't have to use OGG and in fact, on the iRiver H300 series, battery life is increased. I'm not far off trying it on my H340 (International).
WTF! You mean that all this time, I was fighting with osxvnc for NOTHING?!
Wow! I assumed the same thing. Especially given that the Control Panel for it specifically mentions that it is for use with ARD. I never bothered looking into that control panel because I was not willing to buy ARD, since it seemed expensive to me (I incorrectly thought it was just an Apple remote desktop client/server) and I don't really want to control remote control between my old clamshell iBook and Mac mini.
But this is great! I am typing this from OSX running on my Mac mini, through my Sony VAIO. This is so good for me, because my mini is on my girlfriend's desk due to there not being enough room for another monitor and keyboard and my large Sony VAIO on my desk. Now she can use her PC and I can use my VAIO for XP and BSD while retaining the use of my Mac for email, etc from the one machine. Fantastic.
To make a long story short, since the signals travel through the air, anyone has access to them. With enough will, one can "decode" them; so, basically, wireless networking lacks physical security.
Ahhh. The fact that the unphysical wireless technology broadcasts to anyone within "earshot" brings the security down in some respects to that which you could gain with "physical access". Although I've been well aware of the risks of wireless being sniffed, I've never really thought about it like that before. That's certainly an interesting challenge to some fundamental concepts. Wireless blurring the line between physical and remote.
I, for one, always run my APs open, but make sure all _MY_ traffic is secure. Yes I could add more layers, but, knowing me, that would actually make me less paranoid. This way I make DAMN sure I encrypt everything I push through.
Yes, complacency in network security is pure evil. ; )
"Physical access" is one of the reasons why wireless will never - well, not anytime soon, anyway - be fully secure.
Would you elaborate on that? I'm trying to understand the link between "Physical access" and "wireless".
I'm hoping that setting up an OpenBSD machine (sparc64) to be an AP where only authorized people who log into it through ssh are allowed access through it with authpf and then only IPSEC traffic, might be able to provide decent security.
Yeah, because heatsinks coming unlatched all by themselves and falling off has been shown to be a common occurrence.
Years ago I scored myself an Athlon 700 which was thrown out. When I got it home, guess what... heatsink had become unlatched and fell off enough to lose contact with the CPU. I fixed the dodgy latch hooks and it's been great for the past 4 years or so.
The person who threw it out was probably fed up with the few minutes of uptime they could get. ; )
Of course one way hashes are a type of encryption.
Encryption by definition is reversible, a one-way hash function by definition is not. There is an important distinction between encryption and one way hash functions. One way hashes are not a type of encryption. They are sometimes both used to complement each other, but they each play separate roles.
The goal of encryption is to disguise plaintext within the output ciphertext in such a way that it can later be reversed back to plaintext through the use of the appropriate decrypting function, usually along with a separate key. The point being that the plaintext is embodied within the ciphertext in such a way that it can be reversed.
A message digest from a one-way hash does not embody the input message, but rather a signature or fingerprint of the input message. The output cannot be reversed easily and it cannot be reversed with any level of confidence, since there can be an infinite number of collisions of exactly the same message digest for an infinite number of different input messages.
One-way hashes provide an authenticating function, which is sometimes used with, but are distinct from, encryption functions.
Obvious use is to compare hashes to see if my password is correct. It is not decryptable per se.
That is not a type of encryption, it is a type of authentication using one-way hashes in a role which is perfect for them.
I would question the quality of a security book which claimed one-way hashes to be a type of encryption.
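The distinction argued in the comments above, as an added example (not code from the original thread): a password is stored only as a salted PBKDF2 digest and checked by recomputing and comparing in constant time, so the stored record never has to be (and cannot be) turned back into the password; beside it, a keyed transform that the same key undoes, which is what makes encryption reversible. Function names are assumptions; the keystream built from SHAKE-256 is only there to show reversibility and is not offered as a cipher.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

ITERATIONS = 200_000  # PBKDF2 work factor (assumed value for the example)
SALT_LEN = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> bytes:
    """Return salt || PBKDF2-HMAC-SHA256(password). Nothing here embodies the password."""
    salt = os.urandom(SALT_LEN) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt + digest


def verify_password(password: str, record: bytes) -> bool:
    """Authenticate by recomputing with the stored salt; there is no decrypt step.

    hmac.compare_digest avoids leaking how many leading bytes matched via timing.
    """
    salt, stored = record[:SALT_LEN], record[SALT_LEN:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return hmac.compare_digest(candidate, stored)


def keystream_transform(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Reversible keyed transform: applying it twice with the same key/nonce is identity.

    The plaintext is carried inside the output and comes back out given the key,
    which is the property the one-way digest above deliberately lacks.
    """
    stream = hashlib.shake_256(key + nonce).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, stream))


def demo() -> Tuple[bool, bool, bytes]:
    """Constructed inputs: a stored record, a right and a wrong login, one round trip."""
    record = hash_password("correct horse")
    right = verify_password("correct horse", record)
    wrong = verify_password("correct horsf", record)  # one character off
    key, nonce = os.urandom(32), os.urandom(16)
    ct = keystream_transform(key, nonce, b"the plaintext is inside this")
    back = keystream_transform(key, nonce, ct)
    return right, wrong, back


if __name__ == "__main__":
    print(demo())
```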
Under the BSD, they won't pay for the chance of others discovering it (ie: the competitive advantages on MacOSX over its BSD licensed foundation).
I'm not sure what you are getting at. Are you saying that companies would not want to support a BSD licenced project because it allows other companies to discover the fruits of that support? And thus gain for free from the supporting companies' investment?
I see it the opposite...
I thought that big businesses would be more likely to support a BSD licenced project, than a GPL'ed one, because, take Sun for example, they can help to keep OpenSSH finances healthy pretty easily, continue to develop their own SunSSH and then just back-port fixes and any new features they like from OpenSSH into their own SunSSH. They would get a solid foundation, continued expertise from the developers of that foundation (directly through personal updates or indirectly by watching the changes) and not have to give back their own changes to OpenSSH and thus the competition.
Of course, the reality seems to be much more different, with GPL'ed software seemingly getting most support from companies.
I don't know. I just hope OpenBSD and OpenSSH will be around for at least another 10 years.
an update to the iPod nano and 5th generation iPod that allows the user to set the maximum volume level.
I'm glad to see Apple gave people the option. My iRiver H340 firmware had an update which reduced the maximum volume substantially, I believe which was in response to some French lawsuit about hearing loss and portable music devices. Being Australian, I always flashed mine with the firmware which came with it, the EU firmware.
Gladly, I found that I could just flash my H340 with the Korean firmware and still choose English for my menus, get the other features and fixes in the new firmware update and avoid the huge loss in volume. If this happens to the US model of the H300 series, US customers might not be so lucky, since I believe the US model can only take the US firmware.
Then, please, consider this: currently Sun giving support to the de Raadt team means giving support to HP and IBM, you know, the guys in the "against" phrase.
Don't forget, this is just a small part of the systems which those vendors ship. I fail to see how having a better SSH implementation is going to give some vendor any worthwhile advantage. I would have thought that the much bigger features like for example the big Sun virtualization stuff and powerful machines are the types of things that give worthwhile competitive advantage over some other competing vendor. A small tool used for textual secure remote access that everyone else has? No, I don't see it.
And while de Raadt is humming, the fact is *today* de Raadt is still coding for free and Sun (and IBM and HP, each one by its side) still can get OpenSSH for free and, what it is much more important, without founding advantages to their respective competitors.
How can you be founding *advantages* to your competitors, when in reality what you are doing is simply keeping the playing field level in that one respect, but also providing your customers indirectly with better features and continued security.
Really. Anyone who's using OpenSSH and *not* OpenBSD doesn't really need Theo's team at all. You have all the code.
And then watch that fork get a bad reputation because of all the new bugs and security issues which crop up because few people have a really good understanding of crypto and security implications. People will ignore the fork. Sun Microsystems know how to code, right? They've got the coders and they've got money to pay them. Yet they have messed up SunSSH, a fork of OpenSSH, royally.
Solution? Just do nothing for now.
Wow, how very enlightening. This is so very pro OSS!
The people who brought us OpenSSH, people who matter, did not "just do nothing". If everyone outside of corporations "just did nothing", then we would all still be using Windows or MacOS 9 (or a lesser OSX).
People who do nothing, don't matter. You, don't matter. So why should anyone listen to such crap that you spew?
Then people wonder why de Raadt behaves the way he does. When I read this post, my first reaction was to send you to hell with enough bad language to put you in a first class seat. Maybe that's why de Raadt gets his stigma, by not taking a pause from his first reaction.
So you want to know that the money you give would go directly to support OpenSSH? According to de Raadt, there are six developers that focus on OpenSSH. These developers also work on other aspects of OpenBSD. What exactly do you want them to do? Divide your money between the six of them according to how many hours each works on OpenSSH? Do you want them to have separate network connections and hardware, and pay for it with your donation? How do you compensate the other OpenBSD developers when their ideas and contributions inevitably end up in the OpenSSH codebase?
The OpenBSD developers are a group of people working together. OpenSSH is the fruit of their work. The way to contribute directly to OpenSSH is to contribute funds to its developers. That's exactly what contributing to OpenBSD does, because the developers of OpenBSD and the developers of OpenSSH are one and the same.
So contrary to your second sentence, you have every interest in supporting OpenBSD. Saying otherwise is a disingenuous and pathetic attempt at justifying your reluctance to reward the people whose work you claim to respect.
It's posts like these which make me realise that scoring between -1 and 5 is not enough. Because a post like this is so much more insightful than most other "Score:5 Insightful" posts that it should be held out on its own for hitting the mark so very well. I wish I had mod points and could take back everything I've said under this story, just to give this one post one more Insightful point, so that it has a better chance of being noticed and considered.
This is a perfect example of the problem with BSD licencing. Under the various BSD licences, it's perfectly OK to take a piece of code and sell it, either modified or exactly as found, without in any way recognising or contributing to the project.
Attribution in this case would not help. Everyone knows that OpenSSH is developed by the OpenSSH project and the people who stand to gain the most and be in a position to give back the most for the code that is in SunSSH for example, is Sun themselves. Sun chooses not to. The GPL would not have got the OpenSSH team money out of Sun. All it could get in that case is a guaranteed minimum of recognition in an obscure bit of software which sane people choose to replace with the real thing anyway (OpenSSH proper) and the ability to take back some really crappy code which the OpenSSH team would not want.
The users use the code for free. But apparently just expect without a second thought, that updates to the code in the form of bug fixes and new features, will continue to come, which they also will not have to pay for. The users fail to realise that although the code is free, it did actually cost money to make. If they want that software to be maintained well, they can choose to donate. It's a choice, where the quality of software they choose to use can either be retained or suffer.
The BSD licence is about providing great freedom. The users are free to support that great freedom or let it rot. Considering how great OpenSSH and OpenBSD are, I find it really amazing that users big and small are mostly fine with just sitting on the sidelines and watching the projects suffer, when a lot of people gladly use all that software.
The generosity should not be one-way just because it can be.
The businesses are complying with the conditions of the BSD license. Where's the problem?
The problem is that people equate the code as released to be free of charge, without considering that the maintenance of that code costs money and the future of that maintenance and thus the future of the quality of that code is not in any way guaranteed. Then some companies stake their reputations partially in that code and then choose not to support it at all, yet the best way to support it turns out to be very cheap? Theo is just as free to ask for financial support, as the users are free to deny him that support. But, Theo and crew are also free to just stop maintaining the code.
People need to realise that although the code is released free and open, the maintenance of that code can stop at any time due to the simple fact that the developers need to eat and also according to the licence they are in no way obliged to continue maintaining the code (warranties disclaimed).
So, with all of that in mind, ultimately the future is in the hands of the users, big and small. They can choose to ignore the problem that the developers of this excellent software need to eat and then suffer the consequences. The problem is not the BSD licence, the project developers or Theo, the problem is the users. Especially the big ones which can easily help and have the most to gain.
What part of the BSD license does Theo not understand? Apple and SCO aren't "freeloaders", they are using the software under the intended license.
What part of the BSD license do YOU not understand? Does the part that disclaims all WARRANTIES confuse you? The CODE is free to use and open. SUPPORT of the code on the other hand is not in any way an obligation on the heads of the OpenSSH or OpenBSD projects. Theo is asking for financial support so that they can continue to support the code. They are NOT asking for money for the code itself. I am seeing this ridiculous "Theo's fault due to BSD licence" attitude around a lot of places at the moment. So very many people don't seem to be able to grasp the huge distinction between the code itself and the support of the code. If the OpenSSH code were instead under the GPL, those corporations would be obliged to fund its development? No. Sure if it were GPL, then the companies would have to give back changes. However in this case, we can do without them giving back changes, because they SUCK at it. Sun with all their might, can keep their crap additions to OpenSSH in SunSSH.
Furthermore, what makes Theo think that people want to run OpenSSH? At this point, it's as entrenched as Windows--nobody has a choice.
People DO have choices. It's just that OpenSSH seems to be the best option. Regardless of whether it's free or not, open or closed, people are choosing OpenSSH over the other choices for good reason. OpenSSH became dominant long ago and continues to close the gap, also for good reason.
Yet big corporations who SELL it, do not seem to think that they should throw in some small change (for them) and help to maintain it the best way anybody other than the excellent OpenSSH coders can... money. Sure they don't have to, but they also don't have to get new features and quick bug fixes either.
If the big corporates want OpenSSH to remain of a high quality with quick and PROPER fixes, they can choose to help. Or they can choose to just ignore the problem and then deal with the disaster of finding that even though they are Sun, Apple or Cisco, they DON'T have the expertise in house who can maintain OpenSSH as well as the OpenSSH team. They might think they do, but Sun themselves have shown how little they understand the code and security implications, with their SunSSH branch.
No, it's far simpler than that. Apple and SCO *paid for* BSD. BSD was paid for by the taxpayers of California, including corporations like Apple and SCO. Perhaps Theo noticed a "Copyright 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994 The Regents of the University of California. All rights reserved" somewhere in his review of the source code. Perhaps Apple and SCO believe they have contributed more than Theo. Besides cash Apple has also contributed formerly closed source, for example the HFS+ support in Darwin. Self serving, so what, Theo, RMS, and a host of others aren't?
This is about OpenSSH, not BSD the software. OpenSSH does however fall under BSD the licence. There's a huge distinction there. Apple did not pay for OpenSSH, which is the point of contention in that specific jab at Apple. Sun, Apple, Cisco, IBM, Redhat, etc are all happy to use the excellent OpenSSH code, but are not willing to donate a single cent to help keep it maintained and developed by the people who are most qualified to do so? The free software nature of the BSD licence is beside the point too. Sure you can technically take it and do with it what you like for no cost, but if you really actually want to use it for something important to you and your customers, it is in your best interests and that of your customers to help to support OpenSSH financially. Especially when you are charging customers for products which include OpenSSH as a key feature.
IBM has problems with one of their implementations and refuses to fix it for their customers, citing that the responsibility falls on the OpenSSH project. They're happy to sell it, but they're not happy to support it for their customers or even support the people who are willing to maintain it for a pittance.
I would like to add, that if this legislation were being put forward by the Liberal Party (the current party in power) and it were for anything of a rating of X or over, I would be worried. But being put forward by a party trying to get power, with the rating as R to protect children, does not worry me.
BTW, I realise there may not be a rating above X in Australia. When I say over an X rating, I'm referring to the sorts of content which would be illegal or could not fit into any Australian rating category. However some of that I believe should be illegal and should warrant surveillance, such as paedophilia, snuff movies, rape movies and the like.
I view from time to time footage that regular news outlets edit to soften. I prefer to see the full footage because I think it is important to have the impact of a situation felt as much as possible and edited footage can tell lies. I saw footage of US soldiers shooting to pieces a minibus with Iraqi men going to work. Those Iraqis were possibly driving too fast (spooking the US soldiers?), but can you blame them when people who cooperate with the US get shot at by Iraqis who don't want to cooperate? Anyway, they shoot the fuck out of this minibus and the Iraqis who try to run from it to get shelter. Men I might add who could not be seen to be carrying anything larger than perhaps concealed pistols or explosives. While the shooting was still going on, some US soldier could be heard yelling, "cease fire cease fire, they're fucking civilians". Then the minibus was seen to be on fire and the US medics were assisting the wounded Iraqis. At the end, the cameraman zoomed down onto a single pistol near the base of the burning minibus, as if it were good reason to attack them or provide something juicy for later editing? Well, I saw this very footage, but edited on mainstream news in Australia, which I assume the US public also saw. But the story was to the effect of, "minibus of Iraqi insurgents attacked by US, wounded Iraqis given medical assistance" and all they showed was the aftermath of the burning minibus and the US medics providing assistance to the enemy. What a crock of shit. There was no "they're civilians" or footage showing no aggression towards the US, just the aftermath which implies a firefight from both sides.
When we hear about children dying in Iraq for example, it's just some words and a pool of blood on TV when we hear stories like that over and over. Seeing the images drives home how personal each incident is and I really wonder how much support for the war there would be if the US public for example saw those images on the news. These are examples of something that are perhaps beyond an X rating or can't be rated, but which a person could hardly be accused of being violent for wanting to witness (based on that alone). I feel covering that up on a grand scale is only contributing to that violence.
But certainly some things should be banned, filtered and people who try to get around those laws and filters put under surveillance.
But I'm still not seeing the practical need for the registry.
I agree. As I've said before, I prefer an opt-in filter.
So the only purpose to this new registry is to track citizens who are both adults and have a theoretically higher tendency to violence. It's not about the children, it's about a perception that R rated material makes people violent.
You don't know that. Keep in mind that this is legislation that would only be put to parliament *IF* the Australian Labour Party gets in. This is just a PR campaign to say to the people, "We care about the children! Vote ALP!". If they get in, they might not even do it. At this stage, the assertion that they will put this up is nothing but a carrot dangling in front of the voters, from the ALP's point of view. Certainly from a typical /. reader's point of view, that would be a mouldy, rancid maggot filled carrot. When a party is trying to get into power, they don't tend to try to make themselves look bad. I think the ALP really thinks voters will go for this in the name of protecting children and I believe they really wish to put this forward for the children. I personally feel this is a glaring example of how out of touch the ALP really are, which is sad, because the Liberals are not exactly my cup of tea.
As for bowing down and accepting interrogation by the police, sure it's one thing to answer some questions as a witness, but if you're the guy they think did it you're in for a whole new type of Q&A session.
In Australia, when you are taken to a police station for questioning for something major (like a violent crime), you are typically in a room with 2 police officers, in front of video recording equipment, which records all the questions and answers onto two tapes, from the beginning to the end of the interview. From memory, the tapes are then sleeved and a security sticker is applied to the archive copy which is not touched again until it may be used in court if needed for comparison purposes. There have been cases where police have made a minor mistake with someone who is most certainly guilty, but the case gets thrown out on that technicality. A recent paedophile case comes to mind where police stuffed up the evidence capture from a PC and thus a paedophile walked. They need pretty good evidence against you to get a conviction. If you're innocent, in this day and age of video surveillance, DNA forensics, GSM phone tracking, toll gate RFID tracking, credit and debit card records, phone call records (billing records kept for quite a while), internet records (your flow info may be kept at your ISP for standard billing), etc etc, then it is unlikely you'll be incorrectly found guilty. If you are guilty, those things and many more may go against you, but if you are innocent, they can go a long way to helping you get eliminated as a suspect.
I realise that police officers are not always angels. I know people who have been bashed by police officers, even in police custody at a police station. But... they were ALL guilty and acted like smart arses to the police. I'm not justifying the police actions here, just trying to show that those people were hardly angels themselves and this treatment is much less likely to happen to someone who is polite and cooperates. There will always be exceptions, but even corrupt police will have a difficult time fabricating good evidence against an innocent person and if a police officer feels that he or she needs to do that, then they should be considering the fact that this suspect might not actually be the guilty party.
I feel Australian justice is really soft. People get off on technicalities and those that do go to prison get light terms. I just recently saw someone who was found guilty of pre-meditated murder get just 13 years. Planning over more than a month and attempting on numerous occasions to take a life and then eventually succeeding and all he gets is 13 years? And that is for someone who was proven to be guilty with overwhelming evidence!
I'm sure my boss will be happy to let me have the afternoon off to go to the police station, once I tell him I'm under investigation for murder/rape/$violent_crime.
In Australia, even the prime suspect is considered to be "assisting police with an investigation" for a period of time before allegations or charges are made.
If your boss asks for details, you can simply answer that you have to keep them confidential. You don't have to tell anyone, anything, even the police if you are guilty. Let alone your boss if you are innocent! Your boss does not need to know your dirty disgusting little secret that you enjoy movies like Pulp Fiction.
This issue, as expected, is really being exaggerated here.
You have reminded me of FRAMs. Touted in the late '80s to be the future of memory devices. Fast and non-volatile.
But MRAM sounds awesome. Non-volatile, does not degrade when written to, writes are not slower than reads and almost as fast as SRAM!
I had high hopes for FRAM but it didn't seem to come out of the labs. The Wiki for it states how much better FRAM is over Flash, but I've been waiting something like 18 years for FRAM. Hopefully MRAM will be used in a big way.
No... users think that fragmentation is the problem, but really it's their choice of file system that is the problem. Use a modern file system.
No... I'm not talking about users, I'm talking about some operating systems which take it upon themselves to automatically perform a defrag when it is not needed. XP can be configured to do that, newer versions of OSX (since Panther) do it by default and I believe some filesystems for Unix-like OS' can also move stuff around automatically in the name of optimization. Users are a separate problem and if they're doing something to the detriment of their data, without any need to do that, then that is their problem. I am specifically speaking about automatic processes which assume head movement issues to make gains in optimization.
I was not referring to users. They will always be a problem.
Most modern operating systems have this already.
Have what? The ability to detect the difference between solid state storage and disk/head based storage and then adjust optimization accordingly?
Anyone remember what book that might have been?
The book which forgets that handles are often attached to items which would otherwise be difficult to grip?
They don't even know they're stupid.
I know why this guy managed to evade the law for more than 40 years. He was living in the dark ages.
Pretty arrogant.
I *really* should look through all the options.
To make a long story short, since the signals travel through the air, anyone has access to them. With enough will, one can "decode" them; so, basically, wireless networking lacks physical security.
Ahhh. The fact that the unphysical wireless technology broadcasts to anyone within "earshot" brings the security down in some respects to that which you could gain with "physical access". Although I've been well aware of the risks of wireless being sniffed, I've never really thought about it like that before. That's certainly an interesting challenge to some fundamental concepts. Wireless blurring the line between physical and remote.
I, for one, always run my APs open, but make sure all _MY_ traffic is secure. Yes I could add more layers, but, knowing me, that would actually make me less paranoid. This way I make DAMN sure I encrypt everything I push through.
Yes, complacency in network security is pure evil. ; )
"Physical access" is one of the reasons why wireless will never - well, not anytime soon, anyway - be fully secure.
Would you elaborate on that? I'm trying to understand the link between "Physical access" and "wireless".
I'm hoping that setting up an OpenBSD machine (sparc64) to be an AP where only authorized people who log into it through ssh are allowed access through it with authpf and then only IPSEC traffic, might be able to provide decent security.
motherboard makers built in a crude protection system that would shut down the entire system
Are you sure it was motherboard makers and not Microsoft with Windows?
Yeah, because heatsinks coming unlatched all by themselves and falling off has been shown to be a common occurrence.
Years ago I scored myself an Athlon 700 which was thrown out. When I got it home, guess what... the heatsink had become unlatched and fallen off enough to lose contact with the CPU. I fixed the dodgy latch hooks and it's been great for the past 4 years or so.
The person who threw it out was probably fed up with the few minutes of uptime they could get. ; )
Of course one way hashes are a type of encryption.
Encryption by definition is reversible; a one-way hash function by definition is not. There is an important distinction between encryption and one-way hash functions. One-way hashes are not a type of encryption. They are sometimes both used to complement each other, but they each play separate roles.
The goal of encryption is to disguise plaintext within the output ciphertext in such a way that it can later be reversed back to plaintext through the use of the appropriate decrypting function, usually along with a separate key. The point being that the plaintext is embodied within the ciphertext in such a way that it can be reversed.
A message digest from a one-way hash does not embody the input message, but rather a signature or fingerprint of the input message. The output cannot be reversed easily and it cannot be reversed with any level of confidence, since there can be an infinite number of collisions of exactly the same message digest for an infinite number of different input messages.
One-way hashes provide an authenticating function, which is sometimes used with, but are distinct from, encryption functions.
Obvious use is to compare hashes to see if my password is correct. It is not decryptable per se
That is not a type of encryption, it is a type of authentication using one-way hashes in a role which is perfect for them.
I would question the quality of a security book which claimed one-way hashes to be a type of encryption.
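The distinction drawn in the comments above (a digest is a fixed-size fingerprint, not the message; it is verified, never decrypted; it authenticates), as an added example that is not part of the original thread, using only the Python standard library. `find_truncated_collision` makes the "infinitely many inputs map to one digest" point concrete by shrinking SHA-256 to a few bits so a collision can actually be found; `store_password`/`verify_password` are the password check described in the thread, with a random salt and PBKDF2 so identical passwords do not produce identical records; `mac_tag`/`verify_tag` are the authentication role (HMAC). The function names, the sample passwords and the shared key are constructed for this example.

```python
import hashlib
import hmac
import os
from typing import Dict, Tuple


def sha256_hex(data: bytes) -> str:
    """Fixed-length (64 hex chars) fingerprint of an input of any length."""
    return hashlib.sha256(data).hexdigest()


def find_truncated_collision(nbits: int = 8) -> Tuple[bytes, bytes]:
    """Pigeonhole illustration: truncate SHA-256 to nbits and search constructed
    inputs until two distinct inputs share a digest. With the full 256-bit digest
    such collisions still exist (infinitely many inputs, finite outputs) but are
    computationally infeasible to find, which is what makes the hash usable."""
    seen: Dict[int, bytes] = {}
    i = 0
    while True:
        msg = b"message-%d" % i                      # constructed inputs
        short = int.from_bytes(hashlib.sha256(msg).digest(), "big") >> (256 - nbits)
        if short in seen:
            return seen[short], msg
        seen[short] = msg
        i += 1


def store_password(password: str, salt: bytes = None, iterations: int = 100_000) -> Dict[str, str]:
    """Record to keep on disk: salt, work factor and digest. No way back to the password."""
    if salt is None:
        salt = os.urandom(16)                        # fresh random salt per record
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt.hex(), "iterations": str(iterations), "hash": digest.hex()}


def verify_password(password: str, record: Dict[str, str]) -> bool:
    """Recompute the digest from the candidate password and compare; nothing is decrypted."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256",
        password.encode("utf-8"),
        bytes.fromhex(record["salt"]),
        int(record["iterations"]),
    )
    # constant-time compare so a wrong guess does not leak how many bytes matched
    return hmac.compare_digest(candidate, bytes.fromhex(record["hash"]))


def mac_tag(key: bytes, message: bytes) -> str:
    """Authentication role of a hash: a keyed digest that only key holders can produce."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def verify_tag(key: bytes, message: bytes, tag: str) -> bool:
    return hmac.compare_digest(mac_tag(key, message), tag)


if __name__ == "__main__":
    a, b = find_truncated_collision(8)
    print("8-bit collision:", a, b, sha256_hex(a)[:2], sha256_hex(b)[:2])
    rec = store_password("correct horse")          # constructed sample password
    print("login ok:", verify_password("correct horse", rec))
    print("wrong password:", verify_password("Correct horse", rec))
    key = b"constructed-shared-key"
    tag = mac_tag(key, b"order 17 shipped")
    print("tampered message accepted:", verify_tag(key, b"order 18 shipped", tag))
```

Note that the password record stores nothing from which the password can be recovered, and the only operation ever performed on it is the comparison in `verify_password`; that is the difference between a fingerprint and ciphertext that the comment is making.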
Shyeah, right!
And monkeys might fly out of your butt?
Under the BSD, they won't pay for the chance of others discovering it (ie: the competitive advantages on MacOSX over its BSD licensed foundation).
I'm not sure what you are getting at. Are you saying that companies would not want to support a BSD licenced project because it allows other companies to discover the fruits of that support? And thus gain for free from the supporting companies' investment?
I see it the opposite...
I thought that big businesses would be more likely to support a BSD licenced project than a GPL'ed one, because, take Sun for example, they can help to keep OpenSSH finances healthy pretty easily, continue to develop their own SunSSH and then just back-port fixes and any new features they like from OpenSSH into their own SunSSH. They would get a solid foundation, continued expertise from the developers of that foundation (directly through personal updates or indirectly by watching the changes) and not have to give back their own changes to OpenSSH and thus the competition.
Of course, the reality seems to be much more different, with GPL'ed software seemingly getting most support from companies.
I don't know. I just hope OpenBSD and OpenSSH will be around for at least another 10 years.
an update to the iPod nano and 5th generation iPod that allows the user to set the maximum volume level.
I'm glad to see Apple gave people the option. My iRiver H340 firmware had an update which reduced the maximum volume substantially, which I believe was in response to some French lawsuit about hearing loss and portable music devices. Being Australian, I always flashed mine with the firmware which came with it, the EU firmware.
Gladly, I found that I could just flash my H340 with the Korean firmware and still choose English for my menus, get the other features and fixes in the new firmware update and avoid the huge loss in volume. If this happens to the US model of the H300 series, US customers might not be so lucky, since I believe the US model can only take the US firmware.
Then, please, consider this: currently Sun giving support to the de Raadt team means giving support to HP and IBM, you know, the guys in the "against" phrase.
Don't forget, this is just a small part of the systems which those vendors ship. I fail to see how having a better SSH implementation is going to give some vendor any worthwhile advantage. I would have thought that the much bigger features like for example the big Sun virtualization stuff and powerful machines are the types of things that give worthwhile competitive advantage over some other competing vendor. A small tool used for textual secure remote access that everyone else has? No, I don't see it.
And while de Raadt is humming, the fact is *today* de Raadt is still coding for free and Sun (and IBM and HP, each one by its side) still can get OpenSSH for free and, what is much more important, without funding advantages to their respective competitors.
How can you be funding *advantages* to your competitors, when in reality what you are doing is simply keeping the playing field level in that one respect, but also providing your customers indirectly with better features and continued security?
Really. Anyone who's using OpenSSH and *not* OpenBSD doesn't really need Theo's team at all. You have all the code.
And then watch that fork get a bad reputation because of all the new bugs and security issues which crop up because few people have a really good understanding of crypto and security implications. People will ignore the fork. Sun Microsystems know how to code, right? They've got the coders and they've got money to pay them. Yet they have messed up SunSSH, a fork of OpenSSH, royally.
Solution? Just do nothing for now.
Wow, how very enlightening. This is so very pro OSS!
The people who brought us OpenSSH, people who matter, did not "just do nothing". If everyone outside of corporations "just did nothing", then we would all still be using Windows or MacOS 9 (or a lesser OSX).
People who do nothing, don't matter. You, don't matter. So why should anyone listen to such crap that you spew?
Then people wonder why de Raadt behaves the way he does. When I read this post, my first reaction was to send you to hell with enough bad language to put you in a first class seat. Maybe that's why de Raadt gets his stigma, by not taking a pause from his first reaction.
So you want to know that the money you give would go directly to support OpenSSH? According to de Raadt, there are six developers that focus on OpenSSH. These developers also work on other aspects of OpenBSD. What exactly do you want them to do? Divide your money between the six of them according to how many hours each works on OpenSSH? Do you want them to have separate network connections and hardware, and pay for it with your donation? How do you compensate the other OpenBSD developers when their ideas and contributions inevitably end up in the OpenSSH codebase?
The OpenBSD developers are a group of people working together. OpenSSH is the fruit of their work. The way to contribute directly to OpenSSH is to contribute funds to its developers. That's exactly what contributing to OpenBSD does, because the developers of OpenBSD and the developers of OpenSSH are one and the same.
So contrary to your second sentence, you have every interest in supporting OpenBSD. Saying otherwise is a disingenuous and pathetic attempt at justifying your reluctance to reward the people whose work you claim to respect.
It's posts like these which make me realise that scoring between -1 and 5 is not enough. Because a post like this is so much more insightful than most other "Score:5 Insightful" posts that it should be held out on its own for hitting the mark so very well. I wish I had mod points and could take back everything I've said under this story, just to give this one post one more Insightful point, so that it has a better chance of being noticed and considered.
This is a perfect example of the problem with BSD licencing. Under the various BSD licences, it's perfectly OK to take a piece of code and sell it, either modified or exactly as found, without in any way recognising or contributing to the project.
Attribution in this case would not help. Everyone knows that OpenSSH is developed by the OpenSSH project and the people who stand to gain the most and be in a position to give back the most for the code that is in SunSSH for example, is Sun themselves. Sun chooses not to. The GPL would not have got the OpenSSH team money out of Sun. All it could get in that case is a guaranteed minimum of recognition in an obscure bit of software which sane people choose to replace with the real thing anyway (OpenSSH proper) and the ability to take back some really crappy code which the OpenSSH team would not want.
The users use the code for free. But apparently just expect without a second thought, that updates to the code in the form of bug fixes and new features, will continue to come, which they also will not have to pay for. The users fail to realise that although the code is free, it did actually cost money to make. If they want that software to be maintained well, they can choose to donate. It's a choice, where the quality of software they choose to use can either be retained or suffer.
The BSD licence is about providing great freedom. The users are free to support that great freedom or let it rot. Considering how great OpenSSH and OpenBSD are, I find it really amazing that users big and small are mostly fine with just sitting on the sidelines and watching the projects suffer, when a lot of people gladly use all that software.
The generosity should not be one-way just because it can be.
The businesses are complying with the conditions of the BSD license. Where's the problem?
The problem, is that people equate the code as released to be free of charge, without considering that the maintenance of that code costs money and the future of that maintenance and thus the future of the quality of that code is not in any way guaranteed. Then some companies stake their reputations partially in that code and then choose not to support it at all, yet the best way to support it turns out to be very cheap? Theo is just as free to ask for financial support, as the users are free to deny him that support. But, Theo and crew are also free to just stop maintaining the code.
People need to realise that although the code is released free and open, the maintenance of that code can stop at any time due to the simple fact that the developers need to eat and also according to the licence they are in no way obliged to continue maintaining the code (warranties disclaimed).
So, with all of that in mind, ultimately the future is in the hands of the users, big and small. They can choose to ignore the problem that the developers of this excellent software need to eat and then suffer the consequences. The problem is not the BSD licence, the project developers or Theo, the problem is the users. Especially the big ones which can easily help and have the most to gain.
What part of the BSD license does Theo not understand? Apple and SCO aren't "freeloaders", they are using the software under the intended license.
What part of the BSD license do YOU not understand? Does the part that disclaims all WARRANTIES confuse you? The CODE is free to use and open. SUPPORT of the code on the other hand is not in any way an obligation on the heads of the OpenSSH or OpenBSD projects. Theo is asking for financial support so that they can continue to support the code. They are NOT asking for money for the code itself. I am seeing this ridiculous "Theo's fault due to BSD licence" attitude around a lot of places at the moment. So very many people don't seem to be able to grasp the huge distinction between the code itself and the support of the code. If the OpenSSH code were instead under the GPL, those corporations would be obliged to fund its development? No. Sure if it were GPL, then the companies would have to give back changes. However in this case, we can do without them giving back changes, because they SUCK at it. Sun with all their might, can keep their crap additions to OpenSSH in SunSSH.
Furthermore, what makes Theo think that people want to run OpenSSH? At this point, it's as entrenched as Windows--nobody has a choice.
People DO have choices. It's just that OpenSSH seems to be the best option. Regardless of whether it's free or not, open or closed, people are choosing OpenSSH over the other choices for good reason. OpenSSH became dominant long ago and continues to close the gap, also for good reason.
Yet big corporations who SELL it, do not seem to think that they should throw in some small change (for them) and help to maintain it the best way anybody other than the excellent OpenSSH coders can... money. Sure they don't have to, but they also don't have to get new features and quick bug fixes either.
If the big corporates want OpenSSH to remain of a high quality with quick and PROPER fixes, they can choose to help. Or they can choose to just ignore the problem and then deal with the disaster of finding that even though they are Sun, Apple or Cisco, they DON'T have the expertise in house who can maintain OpenSSH as well as the OpenSSH team. They might think they do, but Sun themselves have shown how little they understand the code and security implications, with their SunSSH branch.
No, it's far simpler than that. Apple and SCO *paid for* BSD. BSD was paid for by the taxpayers of California, including corporations like Apple and SCO. Perhaps Theo noticed a "Copyright 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994 The Regents of the University of California. All rights reserved" somewhere in his review of the source code. Perhaps Apple and SCO believe they have contributed more than Theo. Besides cash Apple has also contributed formerly closed source, for example the HFS+ support in Darwin. Self serving, so what, Theo, RMS, and a host of others aren't?
This is about OpenSSH, not BSD the software. OpenSSH does however fall under BSD the licence. There's a huge distinction there. Apple did not pay for OpenSSH, which is the point of contention in that specific jab at Apple. Sun, Apple, Cisco, IBM, Redhat, etc are all happy to use the excellent OpenSSH code, but are not willing to donate a single cent to help keep it maintained and developed by the people who are most qualified to do so? The free software nature of the BSD licence is beside the point too. Sure you can technically take it and do with it what you like for no cost, but if you really actually want to use it for something important to you and your customers, it is in your best interests and that of your customers to help to support OpenSSH financially. Especially when you are charging customers for products which include OpenSSH as a key feature.
IBM has problems with one of their implementations and refuses to fix it for their customers, citing that the responsibility falls on the OpenSSH project. They're happy to sell it, but they're not happy to support it for their customers or even support the people who are willing to maintain it for a pittance.
I would like to add, that if this legislation were being put forward by the Liberal Party (the current party in power) and it were for anything of a rating of X or over, I would be worried. But being put forward by a party trying to get power, with the rating as R to protect children, does not worry me.
BTW, I realise there may not be a rating above X in Australia. When I say over an X rating, I'm referring to the sorts of content which would be illegal or could not fit into any Australian rating category. However some of that I believe should be illegal and should warrant surveillance, such as paedophilia, snuff movies, rape movies and the like.
I view from time to time footage that regular news outlets edit to soften. I prefer to see the full footage because I think it is important to have the impact of a situation felt as much as possible and edited footage can tell lies. I saw footage of US soldiers shooting to pieces a minibus with Iraqi men going to work. Those Iraqis were possibly driving too fast (spooking the US soldiers?), but can you blame them when people who cooperate with the US get shot at by Iraqis who don't want to cooperate? Anyway, they shoot the fuck out of this minibus and the Iraqis who try to run from it to get shelter. Men I might add who could not be seen to be carrying anything larger than perhaps concealed pistols or explosives. While the shooting was still going on, some US soldier could be heard yelling, "cease fire cease fire, they're fucking civilians". Then the minibus was seen to be on fire and the US medics were assisting the wounded Iraqis. At the end, the cameraman zoomed down onto a single pistol near the base of the burning minibus, as if it were good reason to attack them or provide something juicy for later editing? Well, I saw this very footage, but edited on mainstream news in Australia, which I assume the US public also saw. But the story was to the effect of, "minibus of Iraqi insurgents attacked by US, wounded Iraqis given medical assistance" and all they showed was the aftermath of the burning minibus and the US medics providing assistance to the enemy. What a crock of shit. There was no "they're civilians" or footage showing no aggression towards the US, just the aftermath which implies a firefight from both sides.
When we hear about children dying in Iraq for example, it's just some words and a pool of blood on TV when we hear stories like that over and over. Seeing the images drives home how personal each incident is and I really wonder how much support for the war there would be if the US public for example saw those images on the news. These are examples of something that are perhaps beyond an X rating or can't be rated, but which a person could hardly be accused of being violent for wanting to witness (based on that alone). I feel covering that up on a grand scale is only contributing to that violence.
But certainly some things should be banned, filtered and people who try to get around those laws and filters put under surveillance.
But I'm still not seeing the practical need for the registry.
I agree. As I've said before, I prefer an opt-in filter.
so the only purpose to this new registry is to track citizens who are both adults and have a theoretically higher tendency to violence. It's not about the children, it's about a perception that R rated material makes people violent.
You don't know that. Keep in mind that this is legislation that would only be put to parliament *IF* the Australian Labor Party gets in. This is just a PR campaign to say to the people, "We care about the children! Vote ALP!". If they get in, they might not even do it. At this stage, the assertion that they will put this up is nothing but a carrot dangling in front of the voters, from the ALP's point of view. Certainly from a typical /. reader's point of view, that would be a mouldy, rancid, maggot-filled carrot. When a party is trying to get into power, they don't tend to try to make themselves look bad. I think the ALP really thinks voters will go for this in the name of protecting children and I believe they really wish to put this forward for the children. I personally feel this is a glaring example of how out of touch the ALP really are, which is sad, because the Liberals are not exactly my cup of tea.
As for bowing down and accepting interrogation by the police, sure it's one thing to answer some questions as a witness, but if you're the guy they think did it you're in for a whole new type of Q&A session.
In Australia, when you are taken to a police station for questioning for something major (like a violent crime), you are typically in a room with 2 police officers, in front of video recording equipment, which records all the questions and answers onto two tapes, from the beginning to the end of the interview. From memory, the tapes are then sleeved and a security sticker is applied to the archive copy which is not touched again until it may be used in court if needed for comparison purposes. There have been cases where police have made a minor mistake with someone who is most certainly guilty, but the case gets thrown out on that technicality. A recent paedophile case comes to mind where police stuffed up the evidence capture from a PC and thus a paedophile walked. They need pretty good evidence against you to get a conviction. If you're innocent, in this day and age of video surveillance, DNA forensics, GSM phone tracking, toll gate RFID tracking, credit and debit card records, phone call records (billing records kept for quite a while), internet records (your flow info may be kept at your ISP for standard billing), etc etc, then it is unlikely you'll be incorrectly found guilty. If you are guilty, those things and many more may go against you, but if you are innocent, they can go a long way to helping you get eliminated as a suspect.
I realise that police officers are not always angels. I know people who have been bashed by police officers, even in police custody at a police station. But... they were ALL guilty and acted like smart arses to the police. I'm not justifying the police actions here, just trying to show that those people were hardly angels themselves and this treatment is much less likely to happen to someone who is polite and cooperates. There will always be exceptions, but even corrupt police will have a difficult time fabricating good evidence against an innocent person and if a police officer feels that he or she needs to do that, then they should be considering the fact that this suspect might not actually be the guilty party.
I feel Australian justice is really soft. People get off on technicalities and those that do go to prison get light terms. I just recently saw someone who was found guilty of pre-meditated murder get just 13 years. Planning over more than a month and attempting on numerous occasions to take a life and then eventually succeeding and all he gets is 13 years? And that is for someone who was proven to be guilty with overwhelming evidence!
I'm sure my boss will be happy to let me have the afternoon off to go to the police station, once I tell him I'm under investigation for murder/rape/$violent_crime.
In Australia, even the prime suspect is considered to be "assisting police with an investigation" for a period of time before allegations or charges are made.
If your boss asks for details, you can simply answer that you have to keep them confidential. You don't have to tell anyone, anything, even the police if you are guilty. Let alone your boss if you are innocent! Your boss does not need to know your dirty disgusting little secret that you enjoy movies like Pulp Fiction.
This issue, as expected, is really being exaggerated here.
To hell with flash, we want MRAM.
You have reminded me of FRAMs. Touted in the late 80's to be the future of memory devices. Fast and non-volatile.
But MRAM sounds awesome. Non-volatile, does not degrade when written to, writes are not slower than reads and almost as fast as SRAM!
I had high hopes for FRAM but it didn't seem to come out of the labs. The Wiki for it states how much better FRAM is over Flash, but I've been waiting something like 18 years for FRAM. Hopefully MRAM will be used in a big way.
No... users think that fragmentation is the problem, but really it's their choice of file system that is the problem. Use a modern file system.
No... I'm not talking about users, I'm talking about some operating systems which take it upon themselves to automatically perform a defrag when it is not needed. XP can be configured to do that, newer versions of OSX (since Panther) do it by default and I believe some filesystems for Unix-like OS' can also move stuff around automatically in the name of optimization. Users are a separate problem and if they're doing something to the detriment of their data, without any need to do that, then that is their problem. I am specifically speaking about automatic processes which assume head movement issues to make gains in optimization.
I was not referring to users. They will always be a problem.
Most modern operating systems have this already.
Have what? The ability to detect the difference between solid state storage and disk/head based storage and then adjust optimization accordingly?