Slashdot Mirror


User: Entrope

Entrope's activity in the archive.

Stories: 0
Comments: 2,152

Comments · 2,152

  1. Re:Governor wants to destroy Democratic Party on WI Capitol Blocks Pro-Union Web Site · · Score: 1

    "As visibly demonstrated"? That's really begging the question.

    I did not say I thought it was unfair that unions get to spend their money on elections. I said the short money cycle of government->union->politicians leads to the appearance of impropriety or corruption. As Ben Franklin said, "When the people find that they can vote themselves money, that will herald the end of the republic." Heck, even FDR opposed unions for government employees because of the unique impact and priorities that apply.

    When other corporations can push government to give them more money in exchange for campaign contributions, I consider that corrupt also. Some of the banks that got TARP money probably fall into that category. Most companies, though, are not in a situation where they can cripple government by refusing to do what the government pays them to do. Public-service unions are.

    Let me tell you a story about Phil, my wife's godfather. Phil works in the refrigerated section of a grocery store, and has for decades. He gloats about the things he can get away with as a union member -- things like collecting dead rodents from traps and sliding them under the door of a conference room where his coworkers are being trained. That is the kind of repulsive behavior that unions enable. Do a web search for "rubber rooms" for teachers to find public-service equivalents. Perhaps you think that teachers who have molested their students or who simply cannot teach deserve to draw a paycheck for years?

  2. Re:Governor wants to destroy Democratic Party on WI Capitol Blocks Pro-Union Web Site · · Score: 1

    Kind of giving away the game on a few fronts, aren't you?

    The usual liberal theory is that collective bargaining is required in order to help employees get a fair outcome from an employer whose interests are tilted strongly against the employees' interests. If the state doesn't have that kind of goal, why do employees need collective bargaining agents to represent them?

    Part and parcel of government recognition for unions is that the employer (in this case the government) has to automatically deduct union dues from every employee (except for those who go to the trouble to opt out and stay out against considerable pressure to join; they get to exclude some irrelevantly and dishonestly small part that is theoretically what the union spends on political advocacy). This means that government is taking tax dollars and sending them directly to unions, who send some of it back to their political favorites as campaign contributions. That sounds like a recipe for corruption, or the appearance of corruption, to me.

  3. Re:If you are at work on WI Capitol Blocks Pro-Union Web Site · · Score: 1

    Private employers have a profit motive that often puts their interests -- at least as regards salary, working conditions, and the like -- in opposition to their employees' interests. What is the equivalent motive for government? Why does the state so badly want what is bad for its employees?

  4. Re:OK, I've had enough on Sony's Official Statement Regarding PS3 Hacking · · Score: 1

    Do you have some tool that will distinguish between the piracy/cheating and homebrew accurately and automatically? Do you know how to make one? Even assuming you and/or Sony know how to make such a tool, does it make economic sense for them, or is it better to save that engineering effort and use a simpler system?

    People running homebrew software on that kind of system will never be a big market, and those users tend to be bad for the hardware vendor because they usually don't buy enough software to make up for the loss-leading hardware sale. It doesn't take a rocket scientist to come to the conclusion that it's better to treat everyone running Sony-unapproved software the same way.

  5. Re:"Unauthorised" software on Sony's Official Statement Regarding PS3 Hacking · · Score: 2

    Normal consumers -- probably even the hypothetical reasonable person -- would not expect to run bootloaders, Linux or "Hello World" on a device that is sold as an entertainment device. Especially since the jerks ripped out the "Other OS" functionality, it is not marketed as a general-purpose computing device.

    This seems like a reasonable trade-off to me (as long as they're not also suing these users): Running home-brew software voids the warranty, and running modified software can get you banned from PSN. If someone wants to use a PS3 for software development and general computing, they probably don't need a PSN account linked to it. It may not be ideal from that consumer's perspective, but it is a lot more palatable than too-skilled people being banned for alleged cheating because the online gaming platform is open to all.

    Until someone comes up with the perfect hypervisor -- if such a thing is technologically practical in this kind of system -- Sony cannot hope for an impermeable wall between authorized software and unauthorized software. If they choose to limit online-gaming access for the (relatively few) people who run unauthorized software in order to minimize cheating that detracts from the vast majority of users, that should be their call.

  6. Re:Are MD and SHA easily reversible? on Are You Sure SHA-1+Salt Is Enough For Passwords? · · Score: 1

    Making the algorithms more complicated does not help much; faster silicon gets cheap too quickly. The only way to really make it harder to break a leaked password file is to increase the search space. This means not re-using passwords, and having important passwords be strong.

    I was shocked that, according to the page linked in http://it.slashdot.org/comments.pl?sid=1987632&cid=35149998, a standard pwgen password -- typically 6 phonemes out of a set of 40, with one or two capitalized, and a digit inserted somewhere -- could be brute-forced in about 450 seconds on the fastest GPU.

    (My math: 40 ** 6 * 6 * 6 * 7 options, for six phonemes, six options for each of the capitalizations assuming they aren't at the same place, and seven options for where to put the digit. That is just over a trillion combinations, versus 2.3 billion SHA-1 calculations per second for a single card, and ignores that pwgen reduces its key space by trying to make the result sort of pronounceable.)

    Increasing the pwgen output length to ten characters -- which means ~8 phonemes -- increases the worst-case search time to 19 days, which is still not that great; on average, it will take half that long to find a matching password. Perhaps I should switch to 12-character passwords, which should keep me safe for more than a century of today's hardware. If Moore's Law holds up for the next 15 years, though, that 12-character password could be brute-forced in 20 days again.

  7. Re:Here's an idea on Are You Sure SHA-1+Salt Is Enough For Passwords? · · Score: 2

    You would get basically the same result, with less chance of compromising the hash function, by prepending or appending some unique-per-server string to the input.

    The operations in each round of these hash functions are usually very carefully chosen to resist attack, and fiddling with that mathematical structure is much more likely to make a worse hash function than it is to make an equivalent or stronger one.

  8. Re:The problem is people on Are You Sure SHA-1+Salt Is Enough For Passwords? · · Score: 1

    Which device will you trust to store that key and implement the private-key side of the authentication? How much do you trust it? Does the same device also generate the key, or do you have to trust some other device for that? (Ask Sony what happens if you are not sufficiently careful about how you generate private keys... :)

  9. Re:The problem is people on Are You Sure SHA-1+Salt Is Enough For Passwords? · · Score: 1

    REAL security pros use multi-factor authentication by storing their master password list in an encrypted file on their rooted/custom-firmware mobile phones. The file is encrypted using a master pass-phrase (factor 1) and the phone will only unlock with a biometric ID (factor 2) and you need the phone to get at the password (factor 3). Bruce Schneier has written all about it!

    (It is rather important that your wireless service provider not have administrative access to the device, which is where the custom firmware comes in. And yes, I know having the cell phone doesn't really count in the traditional sense of multi-factor security; the whole thing is a little bit tongue-in-cheek. Most people just need to be harder to attack than their neighbor; relatively few people need to be extremely resistant to attacks, although they are more common in /.'s readership than in the general public.)

  10. Re:Does this mean.... on Fedora 15 Changes Network Device Naming Scheme · · Score: 1

    If they are independent ports with the same MAC address, either the hardware vendor or the device writer screwed up, because there's no sensible way to put them on the same Ethernet segment. (I assume you do not mean a hub on a card, with one port going to the host, which I have seen advertised in some places. If you don't think a big vendor can screw up that badly, let me tell you about the major Unix workstation vendor who delivered ~30 computers to the university I attended where every single workstation's Ethernet interface was programmed with the same MAC address.)

    One configuration I use at work uses an Intel multiport Ethernet adapter, and each of its ports has a unique MAC address. As a result, it Just Worked with udev.

  11. Re:Does this mean.... on Fedora 15 Changes Network Device Naming Scheme · · Score: 3, Interesting

    Debian (and its derivatives, including Ubuntu) have been taking a less disruptive approach to this for years now by assigning persistent ethN device names based on MAC addresses. For example, if the system has no device names assigned and sees 01:23:45:67:89:ab as the first Ethernet device's address, that becomes eth0 from that point forward. The next Ethernet device that gets enumerated is going to be eth1, and so forth. This means it handles the USB device case in the way most users would expect.

    I suppose there is some advantage to using geographic addresses for people with lots of multi-NIC machines to build, and for people who need to hot-swap cards for reliability reasons. I suspect that Debian's udev-based approach could handle the latter either now or with minor tweaks, though.

  12. Re:Early Copy on State of the Union Address Goes Web 2.0 · · Score: -1, Offtopic

    And I actually thought liberals might have meant all they were saying about "civility".

    Nah, not really. I'm not stupid.

  13. Re:Jews: 3,700 years of not living cooperatively on New Mega-Leak Reveals Middle East Peace Process · · Score: 3, Insightful

    If you read a little more closely, you might have noticed that "Hitler killed a lot of Jews" was in response to "Jews have had problems with their neighbors for 3700 years" -- it was challenging the strong element of one-sided blame in the latter.

    If the critics of Israel being asshats spent a little more time criticizing Israel's neighbors when the neighbors were being asshats, instead of coming across as stereotypical haters (technically, anti-Semitism isn't quite accurate here), then perhaps both Israel and its neighbors would have a better sense of when their behavior was outrageous.

  14. Re:sounds like a job for JIT on The Care and Feeding of the Android GPU · · Score: 1

    Good luck with that windmill, Senor Quixote.

  15. Re:sounds like a job for JIT on The Care and Feeding of the Android GPU · · Score: 1

    Google gets GPL-, BSD- and Apache-licensed code all the time. If you meant to ask whether Google will get device driver code that falls under those licenses for the various cores and system-on-chip platforms that are out there, the answer is that Google doesn't need that. Google needs an API like OpenGL ES for Android to use. The component vendors typically make sure that OpenGL ES drivers for Linux exist in distributable form.

  16. Re:sounds like a job for JIT on The Care and Feeding of the Android GPU · · Score: 2

    Cell phones are not known for having many kinds of graphic cards available. Heck, they're not even known for using many kinds of discrete graphics chips. I will even go so far as to say that they draw from a rather narrow set of embedded graphics cores.

    PowerVR is pretty much the market leader, ARM is playing catch-up with Mali, and then you get the long tail. GPU core and SoC vendors know how to work together to deliver usable libraries for chip buyers -- witness the OpenGL ES acceleration that is available for the Texas Instruments OMAP series of processors (BeagleBoard, etc.).

    It should not be that hard for Google to get decent acceleration that works on a large fraction of modern phones, while falling back to software rendering for older phones.

  17. Re:Hypocrites on Why WikiLeaks Is Unlike the Pentagon Papers · · Score: 1

    Same to you, buddy, same to you.

    If Wikileaks focused attention on the cases that its defenders like to cite, I would probably support them. However, they mostly show signs of throwing the baby out with the bathwater. I think you are the one attempting to justify your preference for the wikileaks system by ignoring the costs of large-scale leaks.

    Speaking of growing bodies of research, I hear that there is one into "tinfoil hat syndrome" -- including its guise of claiming that the mainstream media systematically downplay the significance of _______.

  18. Re:Hypocrites on Why WikiLeaks Is Unlike the Pentagon Papers · · Score: 1

    The government in general doesn't care to keep such things secret. It is mostly just that nobody asked. What the government cares about is vigilante disclosure of controlled-access information.

    I am all in favor of rules that mean the government should be less active in a lot of areas, and that it should be more transparent in the rest of what it does, but those rules need to be known in advance. Without clear rules, concerns about disclosure and retroactive blame will impair communication, aggregation and analysis by making them less honest and up-front. Leaks to the public should be reserved for gross negligence and abuse, not for observations like a tinpot dictator running around with hot nurses. The problem with Wikileaks is that it refuses to make that distinction.

  19. Re:Federal Employees Have No Right to Privacy on Why WikiLeaks Is Unlike the Pentagon Papers · · Score: 1

    The fact that your employer can read your email does not mean that every shareholder (or taxpayer) who has an ownership interest in your employer can read your email.

    Something like 95% of these diplomatic emails were not classified as secret -- I remember seeing articles saying that only 9,000 of the 250,000 were marked SECRET. Some of that 95% would be discoverable under FOIA, although I am sure you (as a government contractor) are aware that FOIA allows for many other reasons to refuse or limit public disclosure.

  20. Re:Hypocrites on Why WikiLeaks Is Unlike the Pentagon Papers · · Score: 1

    Those with security clearances -- or who work closely enough with people who have them -- cannot necessarily read coverage of the documents. The national security information is what is classified, regardless of the labeling. Accurate labels just make it easier to establish who knew what when.

  21. Re:Hypocrites on Why WikiLeaks Is Unlike the Pentagon Papers · · Score: 0

    Regardless of my personal reasons for not reading too much about Wikileaks, your point would only stand if the general news media (whose headlines I do read, along with some of their articles) were part of a gigantic conspiracy to hide a mass of shocking, surprising and/or crime-revealing bits in the data. Except for something about surveilling UN diplomats (out of ~2000? documents released so far) -- which I would call "approximately nothing" on account of being 0.05% of the document count -- they have not reported on things that are clearly out of the ordinary.

    Do you allege such a conspiracy, or at the least gross incompetence by the major news companies?

  22. Re:Hypocrites on Why WikiLeaks Is Unlike the Pentagon Papers · · Score: -1

    The fact that you confuse "not[] looking at the details" with "stay[ing] uninformed" reflects more on me than you. Also, are you seriously arguing that the way to make Spanish politicians more accountable to the Spanish people is by making the US government more transparent? That suggests to me that there are more significant problems than the US government keeping secrets.

    As for the 1% that have been released so far: If I were Wikileaks, I would start by publishing the most significant bits, rather than randomly selecting parts. That is why I tend to think they have already shared the things they think are the most important or most revealing.

    As for my transparency examples: I cannot tell if the IRS is doing things right unless I see the information being examined. Trials here are public record, but many (most?) civil cases have sealed exhibits and sometimes many sealed proceedings -- for example, see the SCOX vs IBM copyright case in Utah.

    My example about contract transparency ties in with the limits on a transparent government -- that much transparency would select for people (both in office and as career bureaucrats) who care very little about public opinion once they get a job. The potential size of government would probably shrink enormously. On the other hand, the people in office might say "hey, if we have nothing to hide, why should you?" and infringe on citizens' privacy on that basis.

    The line between citizens' private data and sensitive government data is not nearly so bright, either in fact or in rationale, as most of Wikileaks' defenders seem to think.

  23. Re:Hypocrites on Why WikiLeaks Is Unlike the Pentagon Papers · · Score: 4, Insightful

    Yeah, so elect some people who care about improved accountability. Accountability for civil servants runs up through their branch to elected officials. You cannot really improve their behavior by leaking such a large mix of mostly unsurprising information with a few nuggets of useful data; it hurts too many people who were doing an acceptable job, and triggers "us versus them" reactions where -- as happened here -- the heat is about the leak rather than what was leaked. As a result, the government has been working to mitigate this leak and make future leaks more difficult, rather than to straighten out the things that most of us would rather care about.

  24. Re:Hypocrites on Why WikiLeaks Is Unlike the Pentagon Papers · · Score: 1

    The CEO generally has a right to read employees' mailboxes. The guy who holds one of 300 million shares generally does not. Unless I should be calling you Mr. President, you are one of the latter, not the former -- and that is what is different here.

  25. Re:Hypocrites on Why WikiLeaks Is Unlike the Pentagon Papers · · Score: 1

    Read my second paragraph. Think through it. You probably take public money in some fashion. Doesn't that make you responsible to the public?

    More generally, accountability for what career civil servants do at work goes through their bosses, through elected officials, to the public. It is seldom more direct.