Slashdot Mirror


User: daw

daw's activity in the archive.

Stories: 0
Comments: 63

Comments · 63

  1. Re:The important patent was the Diffie Hellman pat on Will Expiration of RSA's Patent Unencumber SSL/PGP? · · Score: 2


    Unfortunately, such a program is indeed a "workalike", but it is not compatible with existing systems. SSL with RSA/RC4 and PGP with RSA/IDEA have large installed bases, and unencumbered software cannot be compatible (until all the patents expire).


    RC4, interestingly enough, is essentially a free algorithm; unlike some of the other RC algorithms it is not patented. It was protected as a trade secret for many years, but eventually the source code (maybe reverse engineered from Netscape or something) escaped to Usenet. So you can use RC4, you just can't call it that. Which is why ssh calls it arcfour.

  2. Re:Lotsa lawyers on Will Expiration of RSA's Patent Unencumber SSL/PGP? · · Score: 1

    > RSADSI is a big company who depends heavily on the RSA algorithm for their revenue. You can bet that they have scores of lawyers who
    > will try to intimidate anyone who tries to use the RSA algorithm after expiry.

    They have already made some threats about having a trademark on calling the algorithm "RSA," which is of course absurd.

  3. The important patent was the Diffie Hellman patent on Will Expiration of RSA's Patent Unencumber SSL/PGP? · · Score: 5

    Really, the important patent was the patent on Diffie-Hellman key exchange, since this was the first public key algorithm. Since it has already expired, it's already possible to build totally free SSL/PGP workalikes without any patented code. You just need to add a free symmetric key cryptosystem like Blowfish or triple DES.

  4. Re:PGP also uses IDEA on Will Expiration of RSA's Patent Unencumber SSL/PGP? · · Score: 2

    If GPG uses IDEA, then it is only in a plugin. From the homepage:

    Supports ElGamal (signature and encryption), DSA, 3DES, Blowfish, Twofish, CAST5, MD5, SHA-1, RIPE-MD-160 and TIGER.

  5. PGP also uses IDEA on Will Expiration of RSA's Patent Unencumber SSL/PGP? · · Score: 1

    PGP (at least in version 2.x) uses RSA only to encode the session key, and then uses IDEA (a symmetric-key algorithm, which is also patented) to encode the message. I don't know when this second patent expires or if it is licensed for free software use.

  6. Reno comments on 64-bit crypto on Rumors of Liberalized US Crypto Policy · · Score: 1

    Declan McCullagh posted a very interesting tidbit from today's news conference. Janet Reno was asked if the government can break 64-bit crypto (which is what's getting most thoroughly decontrolled, and which afaik has never been broken publicly) and she said "We have carefully looked at this and think it's possible." Previously I don't think the government had even ever openly admitted to being able to break 40-bit crypto.

  7. Re:censorship and "Eyes Wide Shut" on PICS and the Global Rating System · · Score: 1

    > The example of Eyes Wide Shut is bull. Kubrick signed a contract with Warner that he would deliver an R-rated movie. He knew what that meant

    No one knows what that means. That's part of the problem. The MPAA operates in secret. They issue contradictory and capricious rulings. There are no guidelines. And for God's sake, Kubrick was dead when they chopped up his movie.

  8. Re:More faulty logic... on PICS and the Global Rating System · · Score: 1

    > I also think your use of the term "pandering" is kind of insulting. Some people use their right to picket and to free speech and you disapprove?

    Sure. I support their right to picket and engage in free speech. And I support my right to insult them and use the term "pandering" in return.

  9. Re:absurd on Army Dumps NT as Web Server, Moves to Mac · · Score: 1

    AFAIK, the pre-OSX Mac still runs all code in supervisor mode. Even if this has been fixed, if there is no memory protection, then you can overwrite the kernel, which obviously runs in kernel mode, so the difference is moot. And finally, unless I am mistaken, the most important difference between user and supervisor mode is that the former is subject to memory protection and the latter is not. All of these issues are closely interrelated.

  10. Re:More faulty logic... on PICS and the Global Rating System · · Score: 3

    > What, theatres don't have the right to determine which movies they want to show?

    Yes, actually. It's written into the leases of many theaters that they can't show NC-17 movies. Landlords won't allow it. Also, most movie theaters are owned by big chains, and if they show "The Last Temptation of Christ" in someplace civilized like New York, they will get picketed in Georgia. Since they do business all over the U.S. they have to pander to the religious right.

  11. censorship and "Eyes Wide Shut" on PICS and the Global Rating System · · Score: 4

    The example of Kubrick's "Eyes Wide Shut" is a good one. It shows how "voluntary," "industry-driven" rating systems are every bit as dangerous -- and in some cases, even worse in practice than plain old government censorship.

    In America, where there is no government censorship, just a "voluntary" industry rating scheme, several minutes of this movie were "voluntarily" digitally altered after Kubrick's death to obtain an R rating.

    In England, where there is a government censorship board which can potentially cut any movie, Eyes Wide Shut is opening tonight completely unaltered.

    What's the difference? In the case of government censorship, at least the people doing the censorship have some accountability -- they can be voted out of office, and indeed this can be a real danger if they tamper with popular entertainment. By comparison, America's MPAA is a completely shadowy organization which answers to no one and has no accountability whatever. The results are obvious.

    Of course, I am in favor of no censorship, private or public. I just want to point out that private ratings boards can be every bit as bad as government censorship.

  12. absurd on Army Dumps NT as Web Server, Moves to Mac · · Score: 3

    This is absurd. There's much more to security than whether the system includes a command line. Someone argued that a single-user system is more secure than a multiuser system because it has no root account. That's a complete crock. The MacOS (pre-OS-X) has no memory protection to speak of. So *every* program runs with what amounts to "root" privileges.

    If you exploit a buffer overflow in Apache on a multiuser system you end up with access restricted to whatever user the daemon is running as. But if there is a buffer overflow in Webstar or any scripts it calls on the Mac, then exploiting it gives you root-level access to the entire system. Sure, you have to do something more clever than just spawning a /bin/sh, but, hell, if you can run arbitrary code with operator-level access I'm sure you can think of something. One more reason why designing a system for multiuser access from the beginning is simply a Good Thing, whatever the disingenuous claims of MacOS apologists.

  13. Is this hopeless? on Patch for Linux 2.2.2 to Disable PIII PSN · · Score: 1

    I thought it was discovered the serial number could be turned back on without a reboot? Does this patch do anything to prevent this?